Bug 446115 - SELinux is preventing the pam_timestamp_c from using potentially mislabeled files (/tmp/sabayon-temp-home-PBfHmt/.xsession-errors).
SELinux is preventing the pam_timestamp_c from using potentially mislabeled f...
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2008-05-12 15:37 EDT by Andrig Miller
Modified: 2008-11-17 17:03 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-11-17 17:03:46 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Andrig Miller 2008-05-12 15:37:17 EDT
Description of problem:

After installing Sabayon, I created a new policy, that I was going to assign to
my children's users ids to lock down their GNOME desktop.  I received the
following alert from the SELinux Alert tool, while creating a new profile with

Version-Release number of selected component (if applicable):

selinux-policy-3.0.8-101.fc8 (targeted)

How reproducible:

Steps to Reproduce:
1. Start Sabayon (User Profile Editor under the Administration menu)
2. Click on "New" to create new profile
3. SELinux prevents pam_timestamp_c access to a tmp file .xsession-errors under
the /tmp/sabayon-temp-home-PBFHmt
Actual results:

Expected results:

Additional info:

Here is the alert copied from the SELinux alert tool:


SELinux is preventing the pam_timestamp_c from using potentially mislabeled
files (/tmp/sabayon-temp-home-PBfHmt/.xsession-errors).

Detailed Description:

SELinux has denied pam_timestamp_c access to potentially mislabeled file(s)
(/tmp/sabayon-temp-home-PBfHmt/.xsession-errors). This means that SELinux will
not allow pam_timestamp_c to use these files. It is common for users to edit
files in their home directory or tmp directories and then move (mv) them to
system directories. The problem is that the files end up with the wrong file
context which confined applications are not allowed to access.

Allowing Access:

If you want pam_timestamp_c to access this files, you need to relabel them using
restorecon -v '/tmp/sabayon-temp-home-PBfHmt/.xsession-errors'. You might want
to relabel the entire directory using restorecon -R -v

Additional Information:

Source Context                system_u:system_r:pam_t:s0
Target Context                system_u:object_r:unconfined_tmp_t:s0
Target Objects                /tmp/sabayon-temp-home-PBfHmt/.xsession-errors [
                              file ]
Source                        pam_timestamp_c
Source Path                   /sbin/pam_timestamp_check
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           pam-
Target RPM Packages           
Policy RPM                    selinux-policy-3.0.8-101.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain #1 SMP
                              Sat Apr 19 11:18:09 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 12 May 2008 09:33:41 AM MDT
Last Seen                     Mon 12 May 2008 09:33:41 AM MDT
Local ID                      439f3349-7eaf-460e-8088-ae56289a54b7
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1210606421.818:575): avc:  denied
 { ioctl } for  pid=23711 comm="pam_timestamp_c"
path="/tmp/sabayon-temp-home-PBfHmt/.xsession-errors" dev=dm-0 ino=9142554
tcontext=system_u:object_r:unconfined_tmp_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1210606421.818:575):
arch=c000003e syscall=16 success=no exit=-13 a0=2 a1=5401 a2=7fff5c01e2c0 a3=0
items=0 ppid=23707 pid=23711 auid=500 uid=86 gid=86 euid=0 suid=0 fsuid=0
egid=86 sgid=86 fsgid=86 tty=(none) comm="pam_timestamp_c"
exe="/sbin/pam_timestamp_check" subj=system_u:system_r:pam_t:s0 key=(null)
Comment 1 Daniel Walsh 2008-05-13 11:39:59 EDT
This can safely be ignored.

Fixed in selinux-policy-3.0.8-103.fc8
Comment 2 Daniel Walsh 2008-11-17 17:03:46 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.