Bug 457643 - SELinux is preventing tmpwatch (tmpreaper_t) "getattr" to /tmp/Xorg.0.log.old (xserver_log_t).
Product: Fedora
Component: selinux-policy
Platform: All Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-08-02 02:02 EDT by Matěj Cepl
Modified: 2008-08-04 14:01 EDT
Last Closed: 2008-08-02 07:39:29 EDT
Doc Type: Bug Fix
Attachments: None

Description Matěj Cepl 2008-08-02 02:02:17 EDT

SELinux is preventing tmpwatch (tmpreaper_t) "getattr" to /tmp/Xorg.0.log.old

Detailed Description:

SELinux denied access requested by tmpwatch. It is not expected that this access
is required by tmpwatch and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /tmp/Xorg.0.log.old,

restorecon -v '/tmp/Xorg.0.log.old'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:tmpreaper_t
Target Context                system_u:object_r:xserver_log_t
Target Objects                /tmp/Xorg.0.log.old [ file ]
Source                        tmpwatch
Source Path                   /usr/sbin/tmpwatch
Port                          <Unknown>
Host                          viklef
Source RPM Packages           tmpwatch-2.9.13-2
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-79.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     viklef
Platform                      Linux viklef #1 SMP Mon Jul 21 01:31:09 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Thu 31 Jul 2008 11:09:40 CEST
Last Seen                     Thu 31 Jul 2008 11:09:40 CEST
Local ID                      1802c013-062e-4e2c-b451-1f64ec63e44c
Line Numbers                  

Raw Audit Messages            

host=viklef type=AVC msg=audit(1217495380.792:418): avc:  denied  { getattr }
for  pid=14422 comm="tmpwatch" path="/tmp/Xorg.0.log.old" dev=tmpfs ino=54243
tcontext=system_u:object_r:xserver_log_t:s0 tclass=file

host=viklef type=SYSCALL msg=audit(1217495380.792:418): arch=40000003
syscall=196 success=no exit=-13 a0=96bf273 a1=bfbfef54 a2=2eeff4 a3=96bf273
items=0 ppid=14420 pid=14422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tmpwatch"
exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0 key=(null)

My current audit.log is in the attachment 313259.
Comment 1 Miloslav Trmač 2008-08-02 06:56:01 EDT
Thanks for your report.

This can't be fixed in tmpwatch.

I just wonder why is Xorg.0.log in /tmp; using gdm, I have it in /var/log.  Are
you perhaps using startx?
Comment 2 Matěj Cepl 2008-08-02 07:39:29 EDT
Shut, this is stupid, of course. Just copied those log files to /tmp to chown
them etc. before posting to web (to communicate with our guys, why something
doesn't work).

This is quite certainly NOTABUG.
Comment 3 Daniel Walsh 2008-08-04 14:01:10 EDT
You copied with preserving context or moved them to this directory.  The problem here is that tmpreaper is not able to remove files placed in tmp with unexpected context.  So you can change the context of these files or we can remove the confinement of tmpwatch (tmpreaper_t).

I will remove the confinement of tmpreaper 

Fixed in selinux-policy-3.3.1-84.fc9
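As an added example (not code from the bug report, tmpwatch, or selinux-policy), the script below triages the two audit records quoted above: it joins the AVC and SYSCALL records by audit serial, resolves the source type from `subj=` when the AVC record lacks `scontext=`, and flags denials on /tmp files that carry a non-tmp label, the situation Comment 3 describes. The sample records are constructed from the page, and the "tmp types end in `tmp_t`" heuristic is an assumption, not something the page states.

```python
import re
from collections import defaultdict

# Constructed sample: the two audit records quoted in the bug, each re-joined onto
# one line (the AVC record lacks scontext=, exactly as quoted on the page).
SAMPLE_AUDIT = (
    'host=viklef type=AVC msg=audit(1217495380.792:418): avc:  denied  { getattr } '
    'for  pid=14422 comm="tmpwatch" path="/tmp/Xorg.0.log.old" dev=tmpfs ino=54243 '
    'tcontext=system_u:object_r:xserver_log_t:s0 tclass=file\n'
    'host=viklef type=SYSCALL msg=audit(1217495380.792:418): arch=40000003 '
    'syscall=196 success=no exit=-13 a0=96bf273 a1=bfbfef54 a2=2eeff4 a3=96bf273 '
    'items=0 ppid=14420 pid=14422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tmpwatch" '
    'exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0 key=(null)\n'
)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                # key=value / key="value"
SERIAL_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')   # audit(timestamp:serial)
PERMS_RE = re.compile(r'\{ ([^}]*) \}')                     # { getattr } in AVC records

def type_of(context):
    parts = context.split(":")                 # user:role:type[:level]
    return parts[2] if len(parts) >= 3 else None

def parse_events(text):
    """Join AVC and SYSCALL records sharing an audit serial into one event per serial."""
    raw = defaultdict(dict)
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        ev = raw[m.group(2)]
        for key, val in KV_RE.findall(line):
            ev.setdefault(key, val.strip('"'))   # first record wins for shared keys
        perms = PERMS_RE.search(line)
        if perms:
            ev["perms"] = perms.group(1).split()
    for ev in raw.values():
        # AVC records normally carry scontext=; fall back to the SYSCALL subj=
        ev["source_type"] = type_of(ev.get("scontext") or ev.get("subj", ""))
        ev["target_type"] = type_of(ev.get("tcontext", ""))
        ev["errno"] = -int(ev["exit"]) if ev.get("exit", "").startswith("-") else None
    return dict(raw)

def unexpected_tmp_labels(events):
    """Denials on /tmp paths whose target type is not a tmp type (the symptom here: a
    file carried its own label into /tmp). Assumes, not from the page, tmp types end in 'tmp_t'."""
    return {serial: ev for serial, ev in events.items()
            if ev.get("path", "").startswith("/tmp/")
            and ev["target_type"] and not ev["target_type"].endswith("tmp_t")}
```

For each flagged path, the `restorecon -v` command from the alert text is the fix the report itself suggests; errno 13 (EACCES) in the SYSCALL record confirms the denial was enforced rather than merely audited.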
