Bug 511410 - crontab -e with vim causes SELinux denial.
crontab -e with vim causes SELinux denial.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
11
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-07-14 21:45 EDT by Stephen Thorne
Modified: 2009-07-15 09:41 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-15 09:41:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Stephen Thorne 2009-07-14 21:45:39 EDT
Description of problem:
SELinux denial writing to ~/.viminfo while using crontab -e

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. install vim-enhanced
2. $ export EDITOR=vim
3. $ crontab -e
4. modify the file
5. write the file
  
Actual results:
vim produces this error:
E138: Can't write viminfo file /home/sthorne/.viminfo!

Expected results:
Able to write to ~/.viminfo

Additional info:

Summary:

SELinux is preventing the vim from using potentially mislabeled files (v626066).

Detailed Description:

SELinux has denied vim access to potentially mislabeled file(s) (v626066). This
means that SELinux will not allow vim to use these files. It is common for users
to edit files in their home directory or tmp directories and then move (mv) them
to system directories. The problem is that the files end up with the wrong file
context which confined applications are not allowed to access.

Allowing Access:

If you want vim to access this files, you need to relabel them using restorecon
-v 'v626066'. You might want to relabel the entire directory using restorecon -R
-v 'v626066'.

Additional Information:

Source Context                unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0
                              .c1023
Target Context                unconfined_u:object_r:tmp_t:s0
Target Objects                v626066 [ dir ]
Source                        vim
Source Path                   /usr/bin/vim
Port                          <Unknown>
Host                          pearl.thorne.id.au
Source RPM Packages           vim-enhanced-7.2.148-1.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     pearl.thorne.id.au
Platform                      Linux pearl.thorne.id.au
                              2.6.29.4-167.fc11.i686.PAE #1 SMP Wed May 27
                              17:28:22 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Wed 15 Jul 2009 11:42:12 EST
Last Seen                     Wed 15 Jul 2009 11:42:12 EST
Local ID                      fbaf4693-a524-4bb7-8368-dde844f4a99c
Line Numbers                  

Raw Audit Messages            

node=pearl.thorne.id.au type=AVC msg=audit(1247622132.291:26508): avc:  denied  { create } for  pid=3934 comm="vim" name="v626066" scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir

node=pearl.thorne.id.au type=SYSCALL msg=audit(1247622132.291:26508): arch=40000003 syscall=39 success=no exit=-13 a0=bfeafecc a1=1c0 a2=bfeafecc a3=0 items=0 ppid=3931 pid=3934 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts4 ses=1 comm="vim" exe="/usr/bin/vim" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2009-07-15 09:41:49 EDT
Please update to the latest selinux policy

yum -y upgrade selinux-policy-targeted

You should probably update all of your packages.

This should be fixed there.

Note You need to log in before you can comment on or make changes to this bug.