Bug 355641 - tmpwatch access not allowed
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-10-28 01:11 EDT by Ulrich Drepper
Modified: 2008-01-30 14:19 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:19:21 EST
Description Ulrich Drepper 2007-10-28 01:11:55 EDT
Description of problem:
tmpwatch watching /tmp, which is a separate partition, will come across lost+found,
which is tagged lost_found_t.  These accesses should not be logged.

Version-Release number of selected component (if applicable):

How reproducible:
always, it seems

Steps to Reproduce:
1. Create a partition for /tmp
2. Run tmpwatch
Actual results:
message below

Expected results:
no message

Additional info:
This is the setroubleshoot browser output:

    SELinux is preventing tmpwatch (tmpreaper_t) "getattr" to /tmp/lost+found

Detailed Description
    SELinux denied access requested by tmpwatch. It is not expected that this
    access is required by tmpwatch and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /tmp/lost+found, restorecon -v
    /tmp/lost+found If this does not work, there is currently no automatic way
    to allow this access. Instead,  you can generate a local policy module to
    allow this access - see http://fedora.redhat.com/docs/selinux-faq-
    fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling
    SELinux protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:tmpreaper_t:s0
Target Context                system_u:object_r:lost_found_t:s0
Target Objects                /tmp/lost+found [ dir ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.8-33.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     x61.akkadia.org
Platform                      Linux x61.akkadia.org #1 SMP Wed
                              Oct 24 20:20:44 EDT 2007 x86_64 x86_64
Alert Count                   4
First Seen                    Tue 16 Oct 2007 11:41:10 PM PDT
Last Seen                     Sat 27 Oct 2007 04:31:44 PM PDT
Local ID                      fd0a2937-094c-4419-92dc-0e6911e45240
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm=tmpwatch dev=sda6 path=/tmp/lost+found
pid=12510 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir
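The raw audit message above carries everything needed to derive the type-enforcement rule that would either permit or silence this access. The following added example (not part of the bug report, the selinux-policy package, or audit2allow) parses that exact line and emits such a rule; because the raw line omits the target context, the example takes it from the "Target Context" field shown in the alert. Mapping "should not be logged" to a `dontaudit` rule is this example's assumption, not a statement of how the package was fixed.

```python
import re

# The raw AVC message quoted in the report, joined onto one line.
SAMPLE_AVC = (
    "avc: denied { getattr } for comm=tmpwatch dev=sda6 path=/tmp/lost+found "
    "pid=12510 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir"
)
# Target context from the setroubleshoot alert (absent from the raw line).
SAMPLE_TCONTEXT = "system_u:object_r:lost_found_t:s0"

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(msg):
    """Return a dict of the denied permissions plus every key=value field."""
    m = AVC_RE.search(msg)
    if not m:
        raise ValueError("not an AVC denial: %r" % msg)
    rec = {"perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def context_type(ctx):
    """user:role:type:level -> type, e.g. system_u:system_r:tmpreaper_t:s0 -> tmpreaper_t."""
    return ctx.split(":")[2]


def te_rule(rec, tcontext=None, silence=False):
    """Build the policy rule for a parsed denial.

    silence=False -> 'allow' (grant the access, as audit2allow would suggest)
    silence=True  -> 'dontaudit' (keep denying, but stop logging it), which is
    the appropriate shape when the access is harmless noise, as the reporter
    argues for tmpwatch and lost+found.
    """
    tctx = rec.get("tcontext") or tcontext
    if tctx is None:
        raise ValueError("target context missing from message and not supplied")
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    verb = "dontaudit" if silence else "allow"
    return "%s %s %s:%s %s;" % (
        verb, context_type(rec["scontext"]), context_type(tctx), rec["tclass"], perm_str)


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(te_rule(rec, tcontext=SAMPLE_TCONTEXT, silence=True))
```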
Comment 1 Daniel Walsh 2007-10-29 22:33:11 EDT
Fixed in selinux-policy-3.0.8-40.fc8
Comment 2 Ulrich Drepper 2007-11-01 00:17:32 EDT
Still not fixed in


Are you sure you fixed it?  I saw

 - Allow tmpreaper to search logs directory

in the changelog but this is different.
Comment 3 Daniel Walsh 2007-11-01 11:56:26 EDT
fixed in selinux-policy-2.6.4-48.fc7

Put in rawhide pool but not in f8.  Sorry.
Comment 4 Daniel Walsh 2007-11-01 12:01:22 EDT
fixed in selinux-policy-3.0.8-44.fc7

Sorry cut and paste error.
Comment 5 Daniel Walsh 2008-01-30 14:19:21 EST
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.
