Summary: SELinux is preventing tmpwatch (tmpreaper_t) "setattr" to ./pdftex (var_lib_t).

Detailed Description:
SELinux denied access requested by tmpwatch. It is not expected that this access is required by tmpwatch and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./pdftex, restorecon -v './pdftex' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context        system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
Target Context        system_u:object_r:var_lib_t:s0
Target Objects        ./pdftex [ dir ]
Source                tmpwatch
Source Path           /usr/sbin/tmpwatch
Port                  <Unknown>
Host                  localhost.localdomain
Source RPM Packages   tmpwatch-2.9.13-2
Target RPM Packages
Policy RPM            selinux-policy-3.3.1-34.fc9
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall_file
Host Name             localhost.localdomain
Platform              Linux localhost.localdomain 2.6.25-0.218.rc8.git7.fc9.x86_64 #1 SMP Wed Apr 9 19:55:19 EDT 2008 x86_64 x86_64
Alert Count           1
First Seen            Sat 12 Apr 2008 04:11:27 AM EDT
Last Seen             Sat 12 Apr 2008 04:11:27 AM EDT
Local ID              52a7f95b-449c-4c84-8d3c-c2c857053189
Line Numbers

Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1207987887.636:39): avc: denied { setattr } for pid=18085 comm="tmpwatch" name="pdftex" dev=sda3 ino=123203 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
host=localhost.localdomain type=SYSCALL msg=audit(1207987887.636:39): arch=c000003e syscall=132 success=no exit=-13 a0=4030ba a1=7fff89353230 a2=3383967a60 a3=3383967a58 items=0 ppid=18084 pid=18085 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)

selinux-policy-3.3.1-34.fc9
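The raw AVC record above carries everything needed to reason about the denial (the source domain, the target type, the object class and the denied permission), but it is hard to read inline. The following POSIX shell snippet is an added example, not part of the bug report or of any Fedora tool: it reduces one AVC record to a one-line summary and flags whether the target carries a generic type (a sign that files were created without their package-specific label, which is the root cause discussed later in this thread). The input line is copied from the report above; the list of "generic" types is an assumption made for illustration.

```shell
#!/bin/sh
# Added example: summarise an SELinux AVC denial record and flag generic target labels.
# Not code from the bug report or from setroubleshoot; helper names are our own.

# The AVC record from the report above, joined onto one line.
AVC_LINE='host=localhost.localdomain type=AVC msg=audit(1207987887.636:39): avc: denied { setattr } for pid=18085 comm="tmpwatch" name="pdftex" dev=sda3 ino=123203 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir'

# avc_summary RECORD
# Prints: <permission> <comm> <source type> <target type> <tclass> <target name>
avc_summary() {
  printf '%s\n' "$1" | awk '
    {
      perm = ""; comm = ""; name = ""; stype = ""; ttype = ""; tclass = "";
      # The denied permission set sits between "denied {" and "}".
      if (match($0, /denied \{[^}]*\}/)) {
        perm = substr($0, RSTART + 8, RLENGTH - 9);
        gsub(/^ +| +$/, "", perm);
      }
      # Walk the key=value tokens; contexts are user:role:type:level, keep the type.
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=");
        key = kv[1];
        val = substr($i, length(key) + 2);
        gsub(/"/, "", val);
        if (key == "comm") comm = val;
        else if (key == "name") name = val;
        else if (key == "tclass") tclass = val;
        else if (key == "scontext") { split(val, c, ":"); stype = c[3]; }
        else if (key == "tcontext") { split(val, c, ":"); ttype = c[3]; }
      }
      printf "%s %s %s %s %s %s\n", perm, comm, stype, ttype, tclass, name;
    }'
}

# is_generic_type TYPE
# Returns 0 when TYPE is one of the catch-all file types a freshly created file
# inherits from its parent directory (assumed list, for illustration only).
is_generic_type() {
  case "$1" in
    var_lib_t|var_t|tmp_t|usr_t|etc_t) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone run: print the summary and a labeling hint.
summary=$(avc_summary "$AVC_LINE")
printf '%s\n' "$summary"
ttype=$(printf '%s\n' "$summary" | awk '{ print $4 }')
if is_generic_type "$ttype"; then
  printf 'target type %s is generic: check the file labels before writing policy\n' "$ttype"
fi
```

On this record the summary is `setattr tmpwatch tmpreaper_t var_lib_t dir pdftex`, and `var_lib_t` is flagged as generic, which matches the later diagnosis that the TeX files under /var/lib/texmf were created without being relabelled.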
Is tetex mv'ing files from /var/lib to /tmp which tmpwatch is then trying to manipulate? Or is it somehow telling tmpwatch to look at these files? I have not been able to figure out what is going on here.
I do not understand that either, but it seems tmpwatch is for some reason scanning /var/lib/texmf. This is maybe a question for the tmpwatch maintainer, then tetex...
Yup, tetex puts mostly %ghosted stuff into /var/lib/texmf, which is mostly fmt files for things like dvips/pdftex, etc. Hmmm, I'm not aware of any moves between /var/lib -> /tmp or vice versa. Maybe tmpwatch mistakenly looks for tmp files in the whole /var instead of /var/tmp?
This has nothing to do with /tmp, the TeX package explicitly asks tmpwatch to work on /var/lib/texmf:

$ cat /etc/cron.daily/texlive.cron
#!/bin/bash
# Remove TeX fonts not used in 180 days
/usr/sbin/tmpwatch 4320 /var/lib/texmf
exit 0

The access should probably just be allowed, perhaps adding a new type for TeX fonts.
The problem here is the postinstall of the tetex file. It is creating these files and directories in the post install, but never fixing the labeling. At the end of the postinstall you need to add a restorecon -R /var/lib/texmf which will fix the labeling. Then tmpwatch will be able to manipulate the files. Another option would be to put this call into install-info.
* Tue Apr 01 2008 Jindrich Novy <jnovy> - 2007-18
- run restorecon in fonts subpackage to fix bad SELinux contexts

Sure enough, %post in the -fonts package has:

/sbin/restorecon -R %{_texmf_var}/

And /var/lib/texmf has tetex_data_t on all my rawhide systems. So... is this bug fixed?
Sure, just forgot to close it :)