Bug 470844 - SELinux is preventing tmpwatch (tmpreaper_t) "rmdir" to ./kdecache-jim (samba_share_t).
SELinux is preventing tmpwatch (tmpreaper_t) "rmdir" to ./kdecache-jim (samba...
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
8
x86_64 Linux
medium Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-11-10 11:20 EST by Samster
Modified: 2008-11-10 16:35 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-10 16:35:38 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Samster 2008-11-10 11:20:29 EST
Description of problem:
SELinux denied access requested by tmpwatch. It is not expected that this access is required by tmpwatch and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing AccessSometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./kdecache-jim, restorecon -v './kdecache-jim' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package. 

Version-Release number of selected component (if applicable):
libselinux-python-2.0.43-1.fc8
libselinux-2.0.43-1.fc8
selinux-policy-targeted-3.0.8-121.fc8
libselinux-2.0.43-1.fc8
selinux-policy-3.0.8-121.fc8
selinux-policy-devel-3.0.8-121.fc8


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Source Context:  system_u:system_r:tmpreaper_t:s0
Target Context:  unconfined_u:object_r:samba_share_t:s0
Target Objects:  ./kdecache-jim [ dir ]
Source:  tmpwatch
Source Path:  /usr/sbin/tmpwatch
Port:  <Unknown>
Host:  meteor
Source RPM Packages:  tmpwatch-2.9.11-2
Target RPM Packages:  
Policy RPM:  selinux-policy-3.0.8-121.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall_file
Host Name:  meteor
Platform:  Linux meteor 2.6.26.6-49.fc8 #1 SMP Fri Oct 17 15:33:32 EDT 2008 x86_64 x86_64
Alert Count:  5
First Seen:  Wed 05 Nov 2008 08:32:35 AM EST
Last Seen:  Mon 10 Nov 2008 09:00:02 AM EST
Local ID:  b27c6f61-f715-4f69-8f98-72e207cfc7cc
Line Numbers:  

Raw Audit Messages: 

host=meteor type=AVC msg=audit(1226325602.93:22): avc: denied { rmdir } for pid=3861 comm="tmpwatch" name="kdecache-jim" dev=dm-0 ino=31260718 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=dir 

host=meteor type=SYSCALL msg=audit(1226325602.93:22): arch=c000003e syscall=84 success=no exit=-13 a0=212e06b a1=402d48 a2=401431 a3=402f62 items=0 ppid=3858 pid=3861 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0 key=(null)
Comment 1 Daniel Walsh 2008-11-10 14:52:46 EST
What directory do you have labeled samba_share_t?
Comment 2 Samster 2008-11-10 15:27:21 EST
/tmp/kde-jim/ksycoca -> /var/tmp/kdecache-jim/ksycoca
ksycoca: symbolic link to `/var/tmp/kdecache-jim/ksycoca'

kdecache-jim  within /var/tmp is labeled samba_share_t

-----------------------------------------------------

Within the kdecache-jim directory are two other files labeled samba_share_t:

drwx------  jim jim unconfined_u:object_r:samba_share_t:s0 help
-rw-rw-r--  jim jim unconfined_u:object_r:samba_share_t:s0 ksycoca

The 'help' directory is empty.
Comment 3 Daniel Walsh 2008-11-10 16:35:38 EST
Well then the question is do you want to allow tmpreaper to delete these files, if yes, you can update policy to allow it.

# grep samba_share_t /var/log/audit/audit.log | audit2allow -M mytmpreaper
# semodule -i mytmpreaper.pp

Or just delete the files/directory yourself.

Note You need to log in before you can comment on or make changes to this bug.