Version-Release number of selected component (if applicable):
selinux-policy-3.5.13-17.fc10.noarch
selinux-policy-targeted-3.5.13-17.fc10.noarch
libselinux-utils-2.0.73-1.fc10.i386
libselinux-python-2.0.73-1.fc10.i386
libselinux-2.0.73-1.fc10.i386
crypto-utils-2.4.1-2.i386
mod_ssl-2.2.10-2.i386
httpd-2.2.10-2.i386

Steps to Reproduce:
1. yum groupinstall "Web Server"
2. Followed steps to create a web sandbox at <http://docs.fedoraproject.org/documentation-guide/en_US/ch-publishing.html>

As far as I know, these steps do not cause SSL to be used.

Actual results:
SELinux is preventing certwatch (certwatch_t) "write" to ./cache (var_t).

Detailed Description:
SELinux denied access requested by certwatch. It is not expected that this access is required by certwatch and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./cache,
    restorecon -v './cache'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context: system_u:system_r:certwatch_t:s0
Target Context: system_u:object_r:var_t:s0
Target Objects: ./cache [ dir ]
Source: certwatch
Source Path: /usr/bin/certwatch
Port: <Unknown>
Host: rawhide
Source RPM Packages: crypto-utils-2.4.1-2
Target RPM Packages:
Policy RPM: selinux-policy-3.5.13-17.fc10
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall_file
Host Name: rawhide
Platform: Linux rawhide 2.6.27.4-79.fc10.i686 #1 SMP Tue Nov 4 21:56:37 EST 2008 i686 i686
Alert Count: 2
First Seen: Mon Nov 10 08:39:18 2008
Last Seen: Mon Nov 10 08:39:18 2008
Local ID: e26549da-7f4a-48f0-b1ca-e057afca48db
Line Numbers:

Raw Audit Messages:
node=rawhide type=AVC msg=audit(1226270358.924:239): avc: denied { write } for pid=13351 comm="certwatch" name="cache" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
node=rawhide type=SYSCALL msg=audit(1226270358.924:239): arch=40000003 syscall=39 success=no exit=-13 a0=39a2bf a1=3ff a2=3a0354 a3=86f43c8 items=0 ppid=13344 pid=13351 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0 key=(null)

Additional info:
audit2allow suggests:
    allow certwatch_t var_t:dir write;

I do not know which directory is cache. I tried "matchpathcon -V /var/cache/*" and all files and directories are verified as correct.
It is trying to create a file/directory in /var/cache? Looking at the source I do not see why it would do this. Could you put certwatch_t in permissive mode and see what file it creates?

    semanage permissive -a certwatch_t
Based on the denial I do not know if it was /var/cache or something else. /var/cache is the only "cache" I could think of. According to aureport this occurred 290 times. I removed and reinstalled all "Web Server" packages and crypto-utils, but could not reproduce it again. Maybe I did something wrong and don't remember doing it.
It happened again after leaving my machine on all day. I will take a closer look tomorrow (Australia/Brisbane) time.
Update: "strace certwatch" shows:

    mkdir("/var/cache/coolkey", 01777) = 0
    umask(022) = 0
    getuid32() = 0
    open("/var/cache/coolkey/coolkeypk11sE-Gate 0 0-0", O_RDWR|O_CREAT|O_EXCL|O_APPEND, 0600) = 7
    write(7, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 15000) = 15000

From what I tested, certwatch creates "/var/cache/coolkey", but coolkey/ uses the var_t type. Running "restorecon -R -v /var/cache/coolkey" changes the coolkey/ type to auth_cache_t (sesearch shows certwatch_t can write to auth_cache_t).
Fixed in selinux-policy-3.5.13-20.fc10
Also related to certwatch. (Once allowed access to /var/cache) Will this be fixed in the next release as well?

Summary:
SELinux is preventing certwatch (certwatch_t) "read write" to ./636F6F6C6B6579706B313173452D47617465203020302D30 (var_t).

Detailed Description:
SELinux denied access requested by certwatch. It is not expected that this access is required by certwatch and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./636F6F6C6B6579706B313173452D47617465203020302D30,
    restorecon -v './636F6F6C6B6579706B313173452D47617465203020302D30'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information:
Source Context: system_u:system_r:certwatch_t:s0-s0:c0.c1023
Target Context: unconfined_u:object_r:var_t:s0
Target Objects: ./636F6F6C6B6579706B313173452D47617465203020302D30 [ file ]
Source: certwatch
Source Path: /usr/bin/certwatch
Port: <Unknown>
Host: localhost
Source RPM Packages: crypto-utils-2.4.1-2
Target RPM Packages:
Policy RPM: selinux-policy-3.5.13-18.fc10
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall_file
Host Name: localhost
Platform: Linux localhost 2.6.27.5-109.fc10.i686 #1 SMP Thu Nov 13 21:01:50 EST 2008 i686 i686
Alert Count: 1
First Seen: Tue 18 Nov 2008 04:02:25 AM EST
Last Seen: Tue 18 Nov 2008 04:02:25 AM EST
Local ID: 544b9bed-0e9e-43b2-8533-e2cead723b29
Line Numbers:

Raw Audit Messages:
node=localhost type=AVC msg=audit(1226998945.751:24): avc: denied { read write } for pid=3528 comm="certwatch" name=636F6F6C6B6579706B313173452D47617465203020302D30 dev=dm-0 ino=613327 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
node=localhost type=SYSCALL msg=audit(1226998945.751:24): arch=40000003 syscall=5 success=no exit=-13 a0=85946f0 a1=20002 a2=180 a3=0 items=0 ppid=3523 pid=3528 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0-s0:c0.c1023 key=(null)
Yes
Summary:
SELinux is preventing certwatch (certwatch_t) "write" to ./cache (var_t).

Detailed Description:
SELinux denied the access requested by certwatch. It is not expected that this access is required by certwatch and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./cache,
    restorecon -v ./cache
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context: system_u:system_r:certwatch_t:s0
Target Context: system_u:object_r:var_t:s0
Target Objects: ./cache [ dir ]
Source: certwatch
Source Path: /usr/bin/certwatch
Port: <Unknown>
Host: MAQ02.REDE01
Source RPM Packages: crypto-utils-2.4.1-2
Target RPM Packages:
Policy RPM: selinux-policy-3.5.13-11.fc10
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall_file
Host Name: MAQ02.REDE01
Platform: Linux MAQ02.REDE01 2.6.27.4-68.fc10.x86_64 #1 SMP Thu Oct 30 00:25:13 EDT 2008 x86_64 x86_64
Alert Count: 2
First Seen: Qui 20 Nov 2008 14:17:26 BRST
Last Seen: Sex 21 Nov 2008 13:32:19 BRST
Local ID: 6f1c3c76-b6ad-4d95-a911-1f63003fac44
Line Numbers:

Raw Audit Messages:
node=MAQ02.REDE01 type=AVC msg=audit(1227281539.130:45): avc: denied { write } for pid=4940 comm="certwatch" name="cache" dev=dm-0 ino=28909579 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
node=MAQ02.REDE01 type=SYSCALL msg=audit(1227281539.130:45): arch=c000003e syscall=83 success=no exit=-13 a0=7f1cc876f41f a1=3ff a2=0 a3=7fffd0be1fb0 items=0 ppid=4935 pid=4940 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0 key=(null)
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle. Changing version to '10'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Created attachment 330499 [details] Error report from SELinux denying certwatch write to ./cache during package update by PackageManager.
I meant "PackageKit".
Yes, the bug is related to the way files are created and the SELinux policy for them. So it really is not a PackageKit issue, it is an SELinux issue.
Just a slightly different case for me, i.e. not only "write" but "read write" access is prevented.

SELinux is preventing certwatch (certwatch_t) "read write" to ./636F6F6C6B6579706B313173452D47617465203020302D30 (var_t).

Additional Information:
Source Context: system_u:system_r:certwatch_t:s0-s0:c0.c1023
Target Context: system_u:object_r:var_t:s0
Target Objects: ./636F6F6C6B6579706B313173452D47617465203020302D30 [ file ]
Source: certwatch
Source Path: /usr/bin/certwatch
Port: <Unknown>
Source RPM Packages: crypto-utils-2.4.1-2
Target RPM Packages:
Policy RPM: selinux-policy-3.5.13-47.fc10
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall_file
Platform: Linux 2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23 13:21:22 EST 2009 i686 i686
Alert Count: 25
First Seen: Thu 12 Feb 2009 04:02:12 AM IST
Last Seen: Tue 17 Mar 2009 04:10:42 AM IST
Local ID: 33322d75-9580-4a09-8ef9-ef89a6454b19
Line Numbers:

Raw Audit Messages:
node=localhost.localdomain type=AVC msg=audit(1237243242.656:151): avc: denied { read write } for pid=6781 comm="certwatch" name=636F6F6C6B6579706B313173452D47617465203020302D30 dev=dm-0 ino=401414 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1237243242.656:151): arch=40000003 syscall=5 success=no exit=-13 a0=80a03f0 a1=20002 a2=180 a3=0 items=0 ppid=6776 pid=6781 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="certwatch" exe="/usr/bin/certwatch" subj=system_u:system_r:certwatch_t:s0-s0:c0.c1023 key=(null)
Lucelio Gomes de Freitas, I also have the same problem as you; the partial solution is to disable SELinux, but on Fedora 10 I don't know where that option is. If you find out, let me know, ok.. thanks, Ronaldo.
Digvijay,

    restorecon -R -v /var

should fix this. You seem to have a labeling problem under /var.

Ronaldo, English please.
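The denials in this thread all share one shape: a confined domain (certwatch_t) hitting a target labeled with the generic var_t type, which is what a directory or file created without a matching file-context rule ends up with, and the second report's target name is the hex form the audit subsystem uses for names containing spaces (it decodes to the coolkey file seen in the strace above). The script below is an added example, not code from the bug report or from crypto-utils or the SELinux policy: it parses AVC records like the ones quoted here, decodes quoted or hex-encoded names, extracts the source and target types, and flags denials against generic labels as relabel candidates (restorecon) rather than as candidates for an audit2allow rule. The sample records are copied from the thread; the set of "generic" types is this example's own assumption.

```python
import re

# Constructed sample input: the AVC records quoted earlier in this bug report.
SAMPLE_AVC = [
    'node=rawhide type=AVC msg=audit(1226270358.924:239): avc: denied { write } '
    'for pid=13351 comm="certwatch" name="cache" dev=dm-0 ino=218171 '
    'scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir',
    'node=localhost type=AVC msg=audit(1226998945.751:24): avc: denied { read write } '
    'for pid=3528 comm="certwatch" name=636F6F6C6B6579706B313173452D47617465203020302D30 '
    'dev=dm-0 ino=613327 scontext=system_u:system_r:certwatch_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:var_t:s0 tclass=file',
]

# Assumption of this example: target types that usually mean "nothing more specific
# was assigned", i.e. a labeling problem rather than a missing policy rule.
GENERIC_TYPES = {"var_t", "default_t", "unlabeled_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_audit_name(raw):
    """auditd quotes plain names; names with spaces or control characters
    are emitted unquoted as a hex string of the raw bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    except ValueError:
        return raw  # not hex: return as seen


def context_type(ctx):
    """Third field of user:role:type[:range] is the SELinux type."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Return a dict of the interesting AVC fields, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    scontext = fields.get("scontext", "")
    tcontext = fields.get("tcontext", "")
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "").strip('"'),
        "name": decode_audit_name(fields.get("name", "")),
        "tclass": fields.get("tclass"),
        "scontext": scontext,
        "tcontext": tcontext,
        "source_type": context_type(scontext),
        "target_type": context_type(tcontext),
    }


def classify(rec):
    """'labeling': target carries a generic type, fix the label (restorecon),
    do not write an allow rule for it. 'policy': label looks specific, so the
    policy itself lacks the rule (or the access really is unexpected)."""
    return "labeling" if rec["target_type"] in GENERIC_TYPES else "policy"


def triage(lines):
    """Parse every AVC line and attach a classification."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            rec["verdict"] = classify(rec)
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in triage(SAMPLE_AVC):
        print(f"{rec['verdict']:8} {rec['source_type']} -> {rec['target_type']} "
              f"{rec['tclass']} {{{' '.join(rec['perms'])}}} name={rec['name']!r}")
```

Run against a real system the input would come from `ausearch -m avc` (or the raw messages sealert prints, as above); a "labeling" verdict means check the path with matchpathcon and relabel with restorecon, exactly the route that resolved the coolkey directory in this thread.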
This message is a reminder that Fedora 10 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 10. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 10 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Closing as current release