Bug 386021 - SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "getattr" to /var/log (var_log_t).
Summary: SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "getattr" to /var/log ...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-11-15 23:47 UTC by Bill Hope
Modified: 2008-01-30 19:19 UTC (History)
1 user (show)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-30 19:19:04 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
Output from: setroubleshoot browser (2.36 KB, text/plain)
2007-11-15 23:47 UTC, Bill Hope
no flags Details

Description Bill Hope 2007-11-15 23:47:51 UTC
Description of problem:
SELinux denied access requested by /usr/sbin/tmpwatch. It is not expected that
this access is required by /usr/sbin/tmpwatch and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Version-Release number of selected component (if applicable):


How reproducible:
selinux-policy-3.0.8-47.fc8

Steps to Reproduce:
1.
2.
3.
  
Actual results:
SELinux doesn't complain

Expected results:
See attachment

Additional info:

Comment 1 Bill Hope 2007-11-15 23:47:51 UTC
Created attachment 260601 [details]
Output from: setroubleshoot browser

Comment 2 Miloslav Trmač 2007-11-18 10:55:21 UTC
Thanks for your report.

Usually, log files in /var/log are handled by logrotate.  Is running tmpwatch in
/var/log necessary?

Comment 3 Bill Hope 2007-11-19 12:58:56 UTC
I don't particularly care where it runs. This is a default installation so the 
execution directory was not set by me. I'll have to rummage around to fix it. 
It should work out-of-the-box otherwise a real security issue gets lost in all 
the bogus ones.

Comment 4 Daniel Walsh 2007-11-19 15:40:09 UTC
kismet is setting up tmpwatch to look at the log files.

You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-58.fc8

Comment 5 Daniel Walsh 2008-01-30 19:19:04 UTC
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.


Note You need to log in before you can comment on or make changes to this bug.