Bug 561137 - SELinux is preventing the 0logwatch from using potentially mislabeled files (/root).
Summary: SELinux is preventing the 0logwatch from using potentially mislabeled files (...
Keywords:
Status: CLOSED DUPLICATE of bug 538428
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:ec122a4c6a1...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-02-02 19:50 UTC by Mr.G
Modified: 2010-02-23 23:42 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-02-23 23:42:07 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Mr.G 2010-02-02 19:50:47 UTC 
Summary:

SELinux is preventing the 0logwatch from using potentially mislabeled files
(/root).

Detailed Description:

[0logwatch has a permissive type (logwatch_t). This access was not denied.]

SELinux has denied 0logwatch access to potentially mislabeled file(s) (/root).
This means that SELinux will not allow 0logwatch to use these files. It is
common for users to edit files in their home directory or tmp directories and
then move (mv) them to system directories. The problem is that the files end up
with the wrong file context which confined applications are not allowed to
access.

Allowing Access:

If you want 0logwatch to access this files, you need to relabel them using
restorecon -v '/root'. You might want to relabel the entire directory using
restorecon -R -v '/root'.

Additional Information:

Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                /root [ dir ]
Source                        0logwatch
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.10.0-74.fc10
Target RPM Packages           filesystem-2.4.19-1.fc10
Policy RPM                    selinux-policy-3.5.13-74.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     (removed)
Platform                      Linux localhost.localdomain
                              2.6.27.41-170.2.117.fc10.i686 #1 SMP Thu Dec 10
                              11:00:29 EST 2009 i686 i686
Alert Count                   1
First Seen                    Thu 28 Jan 2010 06:23:54 AM EST
Last Seen                     Thu 28 Jan 2010 06:23:54 AM EST
Local ID                      12c7598d-3474-411e-9fb1-1db6bffff780
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1264677834.343:89): avc:  denied  { read } for  pid=4091 comm="0logwatch" path="/root" dev=dm-0 ino=131073 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

node=localhost.localdomain type=SYSCALL msg=audit(1264677834.343:89): arch=40000003 syscall=11 success=yes exit=0 a0=9308308 a1=93081e0 a2=9308038 a3=0 items=0 ppid=4050 pid=4091 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=12 comm="0logwatch" exe="/usr/bin/perl" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.5.13-74.fc10,home_tmp_bad_labels,0logwatch,logwatch_t,admin_home_t,dir,read
audit2allow suggests:

#============= logwatch_t ==============
allow logwatch_t admin_home_t:dir read;
Comment 1 Daniel Walsh 2010-02-02 21:36:20 UTC 
For some reason you have logwatch attempting to list the contents of the /root directory.  Did you modify the system to do this?
Comment 2 Daniel Walsh 2010-02-23 23:42:07 UTC 

*** This bug has been marked as a duplicate of bug 538428 ***
Note You need to log in before you can comment on or make changes to this bug.