Bug 386021 - SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "getattr" to /var/log (var_log_t).
SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "getattr" to /var/log ...
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2007-11-15 18:47 EST by Bill Hope
Modified: 2008-01-30 14:19 EST (History)
1 user (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-01-30 14:19:04 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Output from: setroubleshoot browser (2.36 KB, text/plain)
2007-11-15 18:47 EST, Bill Hope
no flags Details

  None (edit)
Description Bill Hope 2007-11-15 18:47:51 EST
Description of problem:
SELinux denied access requested by /usr/sbin/tmpwatch. It is not expected that
this access is required by /usr/sbin/tmpwatch and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:
SELinux doesn't complain

Expected results:
See attachment

Additional info:
Comment 1 Bill Hope 2007-11-15 18:47:51 EST
Created attachment 260601 [details]
Output from: setroubleshoot browser
Comment 2 Miloslav Trmač 2007-11-18 05:55:21 EST
Thanks for your report.

Usually, log files in /var/log are handled by logrotate.  Is running tmpwatch in
/var/log necessary?
Comment 3 Bill Hope 2007-11-19 07:58:56 EST
I don't particularly care where it runs. This is a default installation so the 
execution directory was not set by me. I'll have to rummage around to fix it. 
It should work out-of-the-box otherwise a real security issue gets lost in all 
the bogus ones.
Comment 4 Daniel Walsh 2007-11-19 10:40:09 EST
kismet is setting up tmpwatch to look at the log files.

You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-58.fc8
Comment 5 Daniel Walsh 2008-01-30 14:19:04 EST
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.

Note You need to log in before you can comment on or make changes to this bug.