Bug 453890 - Started getting a bunch of selinux warnings after updates today
Started getting a bunch of selinux warnings after updates today
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
9
x86_64 Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-07-02 21:41 EDT by Andrew Kroll
Modified: 2008-07-03 11:45 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-07-03 11:45:02 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Andrew Kroll 2008-07-02 21:41:52 EDT
Summary:

SELinux is preventing tmpwatch (tmpreaper_t) "getattr" to
/tmp/vbox.0/build_in_tmp (usr_t).

Detailed Description:

SELinux denied access requested by tmpwatch. It is not expected that this access
is required by tmpwatch and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /tmp/vbox.0/build_in_tmp,

restorecon -v '/tmp/vbox.0/build_in_tmp'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:tmpreaper_t:s0
Target Context                system_u:object_r:usr_t:s0
Target Objects                /tmp/vbox.0/build_in_tmp [ file ]
Source                        tmpwatch
Source Path                   /usr/sbin/tmpwatch
Port                          <Unknown>
Host                          Willow
Source RPM Packages           tmpwatch-2.9.13-2
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-72.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     Willow
Platform                      Linux Willow 2.6.25.9-76.fc9.x86_64 #1 SMP Fri Jun
                              27 15:58:30 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 02 Jul 2008 08:04:01 PM CDT
Last Seen                     Wed 02 Jul 2008 08:04:01 PM CDT
Local ID                      8f9cb69d-63f2-4104-84d7-1757e4f52f76
Line Numbers                  

Raw Audit Messages            

host=Willow type=AVC msg=audit(1215047041.984:78): avc:  denied  { getattr } for
 pid=6021 comm="tmpwatch" path="/tmp/vbox.0/build_in_tmp" dev=dm-0 ino=9887758
scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file

host=Willow type=SYSCALL msg=audit(1215047041.984:78): arch=c000003e syscall=6
success=no exit=-13 a0=1d95e03 a1=7fff71c5b400 a2=7fff71c5b400 a3=3e1d367a58
items=0 ppid=6019 pid=6021 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tmpwatch"
exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0 key=(null)




Additional info:
Comment 1 Daniel Walsh 2008-07-03 11:45:02 EDT
Just remove this file.  Some rpm installed this file in /usr and then mv'd it to
/tmp.  It has the wrong label on it and can not be deleted by tmpwatch.

You could change it;s context to tmp_t and this will allow tmpwatch to remove it.

chcon -t tmp_t -R /tmp/vbox.0

If you figure out which rpm did this, we need to open a bugzilla on it.

Note You need to log in before you can comment on or make changes to this bug.