Bug 431185 - tmpwatch has problem with mislabeled files in /tmp
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
: SELinux
Reported: 2008-02-01 07:23 EST by Matěj Cepl
Modified: 2008-02-01 23:47 EST
Doc Type: Bug Fix
Last Closed: 2008-02-01 23:47:16 EST
Attachments:
Proposed fix (358 bytes, patch)
2008-02-01 07:23 EST, Matěj Cepl
Description Matěj Cepl 2008-02-01 07:23:25 EST
Description of problem:
SELinux is preventing the tmpwatch(/usr/sbin/tmpwatch) from using potentially
mislabeled files (/tmp/xinetd.diff).

Detailed Description:

[SELinux in permissive mode, the operation would have been denied but was
permitted due to enforcing mode.]

SELinux has denied tmpwatch(/usr/sbin/tmpwatch) access to potentially mislabeled
file(s) (/tmp/xinetd.diff). This means that SELinux will not allow
tmpwatch(/usr/sbin/tmpwatch) to use these files. It is common for users to edit
files in their home directory or tmp directories and then move (mv) them to
system directories. The problem is that the files end up with the wrong file
context which confined applications are not allowed to access.

Allowing Access:

If you want tmpwatch(/usr/sbin/tmpwatch) to access these files, you need to
relabel them using restorecon -v /tmp/xinetd.diff. You might want to relabel the
entire directory using restorecon -R -v /tmp.

Additional Information:

Source Context                system_u:system_r:tmpreaper_t:SystemLow-SystemHigh
Target Context                root:object_r:user_home_t
Target Objects                /tmp/xinetd.diff [ file ]
Source                        tmpwatch(/usr/sbin/tmpwatch)
Port                          <Unknown>
Host                          hubmaier.ceplovi.cz
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.2.5-20.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz 2.6.24-9.fc9 #1 SMP Tue
                              Jan 29 17:45:59 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 1 February 2008, 05:03:33 CET
Last Seen                     Fri 1 February 2008, 05:03:33 CET
Local ID                      3df97932-1d62-4e13-883a-8abd1d9a749e
Line Numbers                  

Raw Audit Messages            

host=hubmaier.ceplovi.cz type=AVC msg=audit(1201838613.581:420): avc:  denied  {
getattr } for  pid=12960 comm="tmpwatch" path="/tmp/xinetd.diff" dev=dm-1
ino=3601034 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
tcontext=root:object_r:user_home_t:s0 tclass=file

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1201838613.581:420):
arch=c000003e syscall=6 success=yes exit=0 a0=604353 a1=7fff71f49980
a2=7fff71f49980 a3=393292b542 items=0 ppid=12958 pid=12960 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="tmpwatch"
exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. copy a file from somewhere into /tmp
Actual results:
tmpwatch fails to remove files when the time is right for removal

Expected results:
whatever falls into /tmp should be deemed dead with actual death postponed a
little bit ;-)

Additional info:
Dan, how much is the attached patch totally loonie from the SELinux point of view?
Comment 1 Matěj Cepl 2008-02-01 07:23:25 EST
Created attachment 293717 [details]
Proposed fix
Comment 2 Daniel Walsh 2008-02-01 08:14:47 EST
Two things:

First, this will work, since /tmp/XYZ is labeled <<none>>, which tells
restorecon to do nothing.

You can test this out by running your example above.

Secondly, if this did work, it would not work for the people who worry about
security since it would open a channel for downgrading data. I could take a top
secret document, put it in /tmp and remove the topsecret classification.

Finally, certain files in /tmp have labels that we want to maintain. For
example Kerberos host cache files.

I think a better fix would be to allow tmpreaper to read/delete user home
directory files, since I have been telling people that /tmp is for use by normal
users, it would not be surprising for a normal user to mv files from his home
dir to /tmp.
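
The report's "Allowing Access" advice (relabel /tmp with restorecon) and the alternative Dan describes in comment 2 (let tmpreaper_t read and delete user_home_t files), as an added example that is not part of the bug report, of the attached patch, or of the selinux-policy fix. The script parses the raw AVC record quoted above into the minimal allow rule (a cut-down version of what audit2allow does) and writes it into a local policy module. The module name tmpwatch_home, the file layout and the choice of permissions are assumptions of this example, and the compile/install step is only sketched because it needs root on an SELinux host.

```shell
#!/bin/sh
# Added example, not code from the bug report, the attached patch or selinux-policy.
# Turns the raw AVC record into the minimal allow rule and wraps it in a local
# policy module (Dan's approach: let tmpreaper_t handle user_home_t files)
# instead of relabeling /tmp. Module name and file layout are assumptions.

# Constructed sample input: the AVC record from the report, joined onto one line.
SAMPLE_AVC='host=hubmaier.ceplovi.cz type=AVC msg=audit(1201838613.581:420): avc:  denied  { getattr } for  pid=12960 comm="tmpwatch" path="/tmp/xinetd.diff" dev=dm-1 ino=3601034 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file'

# avc_to_allow LINE
# Prints "allow <stype> <ttype>:<tclass> { perms };" for an AVC denial line,
# nothing for any other record. A context is user:role:type[:range], so the
# type is the third colon-separated field.
avc_to_allow() {
    printf '%s\n' "$1" | awk '
        /avc: *denied/ {
            perms = $0
            sub(/.*denied[ ]*[{][ ]*/, "", perms)   # drop everything up to the opening brace
            sub(/[ ]*[}].*/, "", perms)             # drop the closing brace and the rest
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); stype = s[3] }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); ttype = t[3] }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            }
            if (stype != "" && ttype != "" && tclass != "")
                printf "allow %s %s:%s { %s };\n", stype, ttype, tclass, perms
        }'
}

# write_local_module DIR STYPE TTYPE TCLASS "PERMS"
# Writes DIR/tmpwatch_home.te (module name is an assumption) with a require
# block and one allow rule, and prints the path.
write_local_module() {
    dir=$1 stype=$2 ttype=$3 tclass=$4 perms=$5
    te="$dir/tmpwatch_home.te"
    {
        printf 'module tmpwatch_home 1.0;\n\n'
        printf 'require {\n'
        printf '    type %s;\n' "$stype"
        printf '    type %s;\n' "$ttype"
        printf '    class %s { %s };\n' "$tclass" "$perms"
        printf '}\n\n'
        printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
    } > "$te"
    printf '%s\n' "$te"
}

# install_local_module TE
# Compiles and loads the module. Needs root and the policy tools on an SELinux
# host, so it is not run below; shown only to complete the procedure.
install_local_module() {
    te=$1
    base=${te%.te}
    checkmodule -M -m -o "$base.mod" "$te" &&
    semodule_package -o "$base.pp" -m "$base.mod" &&
    semodule -i "$base.pp"
}

rule=$(avc_to_allow "$SAMPLE_AVC")
printf 'rule implied by the AVC: %s\n' "$rule"

# Only getattr was attempted (the file was presumably not yet old enough to
# reap), so a rule built from the AVC alone would stop tmpwatch again at unlink;
# the module grants both. The permission choice is this example's judgment.
work=$(mktemp -d)
te=$(write_local_module "$work" tmpreaper_t user_home_t file "getattr unlink")
cat "$te"
rm -rf "$work"
```

The AVC records only the permission that was attempted (getattr, from the stat-family call in the SYSCALL record), so a rule generated mechanically from it is not enough for deletion, and a directory left in /tmp with a home label would need dir permissions such as rmdir on top. Because the source context shows tmpreaper_t already running at SystemLow-SystemHigh, the allow rule does not widen its MLS range; that is the difference from a blanket restorecon -R /tmp, which would rewrite the context of whatever a user dropped there, including file types the policy deliberately keeps (Dan's Kerberos cache example), and which, as he notes, does nothing for paths whose file_contexts entry is <<none>>. Before relabeling anything, restorecon -n -v /tmp shows what a relabel would actually change.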

Comment 3 Daniel Walsh 2008-02-01 08:25:35 EST
Fixed in selinux-policy-3.2.5-25.fc9
