Description of problem:
Three AVC messages after default install of 20080501 rawhide.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-42.fc9.noarch.rpm

Summary:
SELinux is preventing tmpwatch (tmpreaper_t) "setattr" to ./tex (var_lib_t).

Detailed Description:
SELinux denied access requested by tmpwatch. It is not expected that this access is required by tmpwatch and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./tex,
restorecon -v './tex'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:tmpreaper_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                ./tex [ dir ]
Source                        tmpwatch
Source Path                   /usr/sbin/tmpwatch
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           tmpwatch-2.9.13-2
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-8.fc9.i686 #1 SMP Wed Apr 23 03:56:19 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Thu 01 May 2008 03:11:55 PM EDT
Last Seen                     Thu 01 May 2008 03:11:55 PM EDT
Local ID                      6ecba3f8-9f60-4c3e-bc2d-78c151ba7096
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1209669115.721:28): avc: denied { setattr } for pid=7708 comm="tmpwatch" name="tex" dev=dm-0 ino=529421 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1209669115.721:28): arch=40000003 syscall=30 success=no exit=-13 a0=804ac62 a1=bfb3b634 a2=0 a3=94df6b8 items=0 ppid=7706 pid=7708 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0 key=(null)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Summary:
SELinux is preventing tmpwatch (tmpreaper_t) "setattr" to ./dvips (var_lib_t).

Detailed Description:
SELinux denied access requested by tmpwatch. It is not expected that this access is required by tmpwatch and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./dvips,
restorecon -v './dvips'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:tmpreaper_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                ./dvips [ dir ]
Source                        tmpwatch
Source Path                   /usr/sbin/tmpwatch
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           tmpwatch-2.9.13-2
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-8.fc9.i686 #1 SMP Wed Apr 23 03:56:19 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Thu 01 May 2008 03:11:55 PM EDT
Last Seen                     Thu 01 May 2008 03:11:55 PM EDT
Local ID                      70971920-3ed1-44b8-857f-d3953d94bd68
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1209669115.422:27): avc: denied { setattr } for pid=7708 comm="tmpwatch" name="dvips" dev=dm-0 ino=529419 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1209669115.422:27): arch=40000003 syscall=30 success=no exit=-13 a0=804ac62 a1=bfb3b3d4 a2=0 a3=94e16f8 items=0 ppid=7706 pid=7708 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0 key=(null)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Summary:
SELinux is preventing tmpwatch (tmpreaper_t) "setattr" to ./pdftex (var_lib_t).

Detailed Description:
SELinux denied access requested by tmpwatch. It is not expected that this access is required by tmpwatch and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./pdftex,
restorecon -v './pdftex'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:tmpreaper_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                ./pdftex [ dir ]
Source                        tmpwatch
Source Path                   /usr/sbin/tmpwatch
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           tmpwatch-2.9.13-2
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-8.fc9.i686 #1 SMP Wed Apr 23 03:56:19 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Thu 01 May 2008 03:11:55 PM EDT
Last Seen                     Thu 01 May 2008 03:11:55 PM EDT
Local ID                      e5885fb5-22fa-4f56-bbfa-e20fffa5848c
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1209669115.375:26): avc: denied { setattr } for pid=7708 comm="tmpwatch" name="pdftex" dev=dm-0 ino=529420 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1209669115.375:26): arch=40000003 syscall=30 success=no exit=-13 a0=804ac62 a1=bfb3b3d4 a2=0 a3=94e16f8 items=0 ppid=7706 pid=7708 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0 key=(null)
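The raw audit records in this report can be reduced to the tuple that matters for triage (source type, target type, object class, permission, object name) before deciding whether a denial is a labeling problem or a missing policy rule. The following is an added example, not part of the bug report and not setroubleshoot's own code: a POSIX shell/awk function that does that reduction over the three AVC lines quoted above (the sample is constructed inline from them, with one SYSCALL record included to show it is ignored), plus a second function that counts denials per source/target type pair. When every denial from one domain lands on the same unexpected target type, as here with tmpreaper_t on var_lib_t under /var/lib/texmf, the pattern points at mislabeled files rather than at a policy gap.

```shell
#!/bin/sh
# Constructed sample: the three AVC records from the report (trimmed to the
# fields used here) and one SYSCALL record, which must be skipped.
SAMPLE_AVC='type=AVC msg=audit(1209669115.375:26): avc: denied { setattr } for pid=7708 comm="tmpwatch" name="pdftex" dev=dm-0 ino=529420 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1209669115.422:27): avc: denied { setattr } for pid=7708 comm="tmpwatch" name="dvips" dev=dm-0 ino=529419 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1209669115.721:28): avc: denied { setattr } for pid=7708 comm="tmpwatch" name="tex" dev=dm-0 ino=529421 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1209669115.721:28): arch=40000003 syscall=30 success=no exit=-13 ppid=7706 pid=7708 comm="tmpwatch" exe="/usr/sbin/tmpwatch"'

# summarize_avc: read audit records on stdin and print one line per AVC denial:
#   <source type> <target type> <class> <permission(s)> <object name>
# Only "type=AVC ... avc: denied" records are considered; SYSCALL, PATH and
# "avc: granted" records are ignored. Several permissions inside { } are
# joined with commas.
summarize_avc() {
    awk '
    /type=AVC/ && /avc: +denied/ {
        perm = ""; name = ""; st = ""; tt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = (perm == "" ? $j : perm "," $j)
            }
            if ($i ~ /^name=/)     { name = $i; sub(/^name=\"?/, "", name); sub(/\"$/, "", name) }
            if ($i ~ /^scontext=/) { st = $i;   sub(/^scontext=/, "", st) }
            if ($i ~ /^tcontext=/) { tt = $i;   sub(/^tcontext=/, "", tt) }
            if ($i ~ /^tclass=/)   { cls = $i;  sub(/^tclass=/, "", cls) }
        }
        # user:role:type:level -> keep only the type component
        split(st, s, ":"); split(tt, t, ":")
        print s[3], t[3], cls, perm, name
    }'
}

# count_by_pair: aggregate the summary into "<source type> <target type> <count>",
# sorted, so a single mislabeled tree shows up as one dominant row.
count_by_pair() {
    summarize_avc | awk '{ c[$1 " " $2]++ } END { for (k in c) print k, c[k] }' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
printf '%s\n' "$SAMPLE_AVC" | count_by_pair
```

On a real host, feed it `ausearch -m AVC --raw` output or lines from /var/log/audit/audit.log; the awk does not need audit2allow or setroubleshoot to be installed. To confirm the mislabeling theory before touching anything, `restorecon -nv /var/lib/texmf/web2c` prints what the file-context database expects for each entry without changing a label.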
This is a te
*** Bug 444846 has been marked as a duplicate of this bug. ***
John, just to be sure, do you have texlive-2007-29 and texlive-2007-20 installed on the host that shows the described problem? I assumed I fixed that in texlive-2007-29.
It will take me a bit to get to the virtual host and check on the packages there. I did a very simple anaconda install of 20080501 selecting the "Desktop" group w/ NO customization.
The version of texlive tagged for f9-final is currently texlive-2007-28.fc9. If you'd like newer tagged, please send rationale to rel-eng http://fedoraproject.org/wiki/ReleaseEngineering/FinalFreezePolicy
Just did a fresh install of 20080502 rawhide. I completed a default install (selecting the desktop group only) and ran gnome-terminal and firefox and then the host sat there for a while. When I came back I saw the three AVCs above. I'm guessing cron kicked off tmpwatch which then triggered the AVCs?

Here is what is installed:

[root@localhost ~]# rpm -qa |grep -i tex | sort
gettext-0.17-4.fc9.i386
libtextcat-2.2-5.fc9.i386
openoffice.org-writer2latex-0.5-2.fc9.i386
texinfo-4.11-5.fc9.i386
texinfo-tex-4.11-5.fc9.i386
texlive-2007-28.fc9.i386
texlive-dvips-2007-28.fc9.i386
texlive-latex-2007-28.fc9.i386
texlive-texmf-2007-20.fc9.noarch
texlive-texmf-dvips-2007-20.fc9.noarch
texlive-texmf-errata-2007-4.fc9.noarch
texlive-texmf-errata-dvips-2007-4.fc9.noarch
texlive-texmf-errata-fonts-2007-4.fc9.noarch
texlive-texmf-errata-latex-2007-4.fc9.noarch
texlive-texmf-fonts-2007-20.fc9.noarch
texlive-texmf-latex-2007-20.fc9.noarch
texlive-utils-2007-28.fc9.i386
tex-preview-11.85-7.fc9.noarch
After doing an install with -29 in my package set, it looks like I'm still going to hit this as the contents of /var/lib/texmf/web2c are still labeled rpm_script_t.

Also, there's now an error in the install.log from the %post of texlive-texmf-fonts:

Installing texlive-texmf-fonts
No such file or directory
error: %post scriptlet failed, exit status 1
The three directories involved are not owned by any package; I assume they're created by the %post script of one of the texlive packages but I have no idea which. Since texlive-texmf-fonts does the restorecon in its %post, those directories must be getting created after that happens. Checking my install.log, that leaves the following texlive packages:

texlive
texlive-dvips
texlive-latex
texlive-texmf-latex
Please try it again with the new packages:

1) texlive-2007-30.fc9
   http://koji.fedoraproject.org/koji/taskinfo?taskID=596593
2) texlive-texmf-2007-22.fc9
   http://koji.fedoraproject.org/koji/taskinfo?taskID=596580
With those packages, the data in /var/lib/texmf/web2c is labelled tetex_data_t. Moreover, manually invoking the tmpwatch and texlive cron jobs show no errors. Submitting as non-scratch builds.
Confirmed - an install with the scratch builds added as an extra repo had no scriptlet errors and none of the SELinux problems mentioned here.
Thanks for testing. Closing RAWHIDE as everything seems to be done now.