Bug 567454 - SELinux is preventing /usr/sbin/tzdata-update access to a leaked /tmp/tmpNJCaKB file descriptor.
Summary: SELinux is preventing /usr/sbin/tzdata-update access to a leaked /tmp/tmpNJCa...
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:0c310a1715c...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-02-23 00:42 UTC by Michael S.
Modified: 2014-01-21 06:16 UTC (History)
23 users (show)

Fixed In Version: selinux-policy-3.7.19-23.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-06-06 13:22:20 UTC


Attachments (Terms of Use)
ausearch -m avc -ts recent (1.78 KB, text/plain)
2010-06-28 12:35 UTC, James Laska
no flags Details
tz ausearch (1.78 KB, text/plain)
2010-07-05 18:36 UTC, Frank Murphy
no flags Details

Description Michael S. 2010-02-23 00:42:42 UTC
Résumé:

SELinux is preventing /usr/sbin/tzdata-update access to a leaked /tmp/tmpNJCaKB
file descriptor.

Description détaillée:

[tzdata-update a un type permissif (tzdata_t). Cet accès n'a pas été
refusé.]

SELinux denied access requested by the tzdata-update command. It looks like this
is either a leaked descriptor or tzdata-update output was redirected to a file
it is not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the /tmp/tmpNJCaKB. You should generate a bugzilla on selinux-policy,
and it will get routed to the appropriate package. You can safely ignore this
avc.

Autoriser l'accès:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Informations complémentaires:

Contexte source               unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023
Contexte cible                unconfined_u:object_r:tmp_t:s0
Objets du contexte            /tmp/tmpNJCaKB [ file ]
source                        tzdata-update
Chemin de la source           /usr/sbin/tzdata-update
Port                          <Inconnu>
Hôte                         (removed)
Paquetages RPM source         glibc-common-2.11.90-12
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.7.9-4.fc13
Selinux activé               True
Type de politique             targeted
Mode strict                   Enforcing
Nom du plugin                 leaks
Nom de l'hôte                (removed)
Plateforme                    Linux (removed)
                              2.6.33-0.44.rc8.git0.fc13.i686.PAE #1 SMP Sat Feb
                              13 02:29:36 UTC 2010 i686 i686
Compteur d'alertes            4
Première alerte              mar. 23 févr. 2010 01:38:14 CET
Dernière alerte              mar. 23 févr. 2010 01:38:15 CET
ID local                      5bfb9513-125e-499e-858e-677a3e457c1b
Numéros des lignes           

Messages d'audit bruts        

node=(removed) type=AVC msg=audit(1266885495.204:24851): avc:  denied  { read append } for  pid=6724 comm="tzdata-update" path="/tmp/tmpNJCaKB" dev=dm-1 ino=110966 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1266885495.204:24851): avc:  denied  { read append } for  pid=6724 comm="tzdata-update" path="/tmp/tmpNJCaKB" dev=dm-1 ino=110966 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1266885495.204:24851): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=b6cc618 a1=b6cc600 a2=bf827ed0 a3=ffffffff items=0 ppid=6642 pid=6724 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="tzdata-update" exe="/usr/sbin/tzdata-update" subj=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  leaks,tzdata-update,tzdata_t,tmp_t,file,read,append
audit2allow suggests:

#============= tzdata_t ==============
allow tzdata_t tmp_t:file { read append };

Comment 1 Michael S. 2010-02-23 00:47:48 UTC
It occured when building a package with mock, using fedora cvs makefile on autogen, for F-13 :
cvs/autogen/F-13 $ make mockbuild


the build failed, but I think that's not related to this error.

Comment 2 Daniel Walsh 2010-02-23 14:37:37 UTC
Miroslav we are going to need a policy for mock.

Comment 3 Fedora Update System 2010-03-12 19:44:04 UTC
selinux-policy-3.7.14-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.14-1.fc13

Comment 4 Fedora Update System 2010-03-14 13:37:52 UTC
selinux-policy-3.7.14-3.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.14-3.fc13

Comment 5 Fedora Update System 2010-03-20 03:34:10 UTC
selinux-policy-3.7.14-3.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Mathieu Bridon 2010-05-24 00:45:02 UTC
This still happens with selinux-policy-3.7.19-15.fc13.noarch.

Note that as mentioned in the original report, SELinux doesn't actually deny anything:
[tzdata-update a un type permissif (tzdata_t). Cet accès n'a pas été refusé.]

This is rather annoying though. May I reopen the bug?

Comment 7 Daniel Walsh 2010-05-25 15:17:11 UTC
Please attach the lates avc information, to make sure you are seeing the same problem.

Comment 8 Michael S. 2010-05-25 17:49:22 UTC
Here it is :


Résumé:

SELinux empêche /usr/sbin/tzdata-update d'accéder au descripteur de fichier
compromis /tmp/tmpv5fHOU.

Description détaillée:

[tzdata-update a un type permissif (tzdata_t). Cet accès n'a pas été
refusé.]

SELinux a refusé l'accès requis par la commande tzdata-update. Il se pourrait
que ce soit un descripteur «fuité» ou bien que la sortie de tzdata-update
soit redirigée vers un fichier interdit d'accès. Les fuites peuvent
généralement être ignorées puisque SELinux referme ces fuites et rapporte
l'erreur. L'application n'utilise pas le descripteur, il fonctionnera donc
correctement. Si c'est une redirection, vous n'aurez pas de sortie dans
/tmp/tmpv5fHOU. Vous devriez signaler un bug à bugzilla sur selinux-policy et
il sera redirigé vers le paquet approprié. Vous pouvez en toute sécurité
ignorer

Autoriser l'accès:

Vous pouvez générer un module de politique de sécurité local afin
d'autoriser cet accès - voir FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Informations complémentaires:

Contexte source               unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023
Contexte cible                unconfined_u:object_r:tmp_t:s0
Objets du contexte            /tmp/tmpv5fHOU [ file ]
source                        tzdata-update
Chemin de la source           /usr/sbin/tzdata-update
Port                          <Inconnu>
Hôte                         akroma.ephaone.org
Paquetages RPM source         glibc-common-2.12-1
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.7.19-15.fc13
Selinux activé               True
Type de politique             targeted
Mode strict                   Enforcing
Nom du plugin                 leaks
Nom de l'hôte                akroma.ephaone.org
Plateforme                    Linux akroma.ephaone.org 2.6.33.2-57.fc13.i686.PAE
                              #1 SMP Tue Apr 20 08:58:17 UTC 2010 i686 i686
Compteur d'alertes            8
Première alerte              mar. 23 févr. 2010 01:38:14 CET
Dernière alerte              mar. 25 mai 2010 19:44:39 CEST
ID local                      5bfb9513-125e-499e-858e-677a3e457c1b
Numéros des lignes           

Messages d'audit bruts        

node=akroma.ephaone.org type=AVC msg=audit(1274809479.889:118): avc:  denied  { read append } for  pid=20198 comm="tzdata-update" path="/tmp/tmpv5fHOU" dev=dm-1 ino=13761 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

node=akroma.ephaone.org type=AVC msg=audit(1274809479.889:118): avc:  denied  { read append } for  pid=20198 comm="tzdata-update" path="/tmp/tmpv5fHOU" dev=dm-1 ino=13761 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

node=akroma.ephaone.org type=SYSCALL msg=audit(1274809479.889:118): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=a58e8d0 a1=a575dd0 a2=bf862160 a3=ffffffff items=0 ppid=20114 pid=20198 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="tzdata-update" exe="/usr/sbin/tzdata-update" subj=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 key=(null)

Comment 9 Miroslav Grepl 2010-05-26 14:08:54 UTC
Dan, 
we do not audit it in F12.

Comment 10 Daniel Walsh 2010-05-26 20:21:19 UTC
Fixed in selinux-policy-3.7.19-22.fc13.noarch

Comment 11 Fedora Update System 2010-05-28 12:27:39 UTC
selinux-policy-3.7.19-22.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-22.fc13

Comment 12 Fedora Update System 2010-05-31 18:19:38 UTC
selinux-policy-3.7.19-22.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-22.fc13

Comment 13 Fedora Update System 2010-06-02 18:11:31 UTC
selinux-policy-3.7.19-23.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-23.fc13

Comment 14 Fedora Update System 2010-06-08 19:26:09 UTC
selinux-policy-3.7.19-23.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 James Laska 2010-06-21 13:11:30 UTC
I still am hitting this bug when using selinux-policy-3.7.19-28.fc13.noarch

Are other changes required to resolve the reported issue?

Comment 16 Daniel Walsh 2010-06-21 13:17:38 UTC
Could you attach the latest "ausearch -m avc -ts recent" output.

Comment 17 James Laska 2010-06-23 12:41:12 UTC
(In reply to comment #16)
> Could you attach the latest "ausearch -m avc -ts recent" output.    

Odd, I'm not seeing it anymore.  I've had selinux-policy-3.7.19-28.fc13 installed since Tue 15 Jun 2010.  Of course, I accidentally deleted the AVC so 'ausearch' shows nothing.  I'll update the bug if this AVC returns.

Comment 18 James Laska 2010-06-28 12:35:49 UTC
Created attachment 427396 [details]
ausearch -m avc -ts recent

(In reply to comment #16)
> Could you attach the latest "ausearch -m avc -ts recent" output.    

See attached output from ...

$ ausearch -m avc -ts recent

Comment 19 Daniel Walsh 2010-06-28 13:49:51 UTC
The strange part is the tmp file is labeled tmp_t?  If a user process created it, it would be user_tmp_t, rpm creates rpm_tmp_t, init scripts create initrc_tmp_t.


Any idea what is triggering this?

Comment 20 Frank Murphy 2010-07-05 18:36:00 UTC
Created attachment 429581 [details]
tz ausearch

Comment 21 Frank Murphy 2010-07-05 18:37:36 UTC
(In reply to comment #20)
> Created an attachment (id=429581) [details]
> tz ausearch    

x86_64 box

selinux-policy-3.7.19-33.fc13.noarch
mock-1.1.1-1.fc13.noarch

Comment 22 Daniel Walsh 2010-07-12 19:24:09 UTC
Were you using func or puppet to do an update?

Comment 23 Frank Murphy 2010-07-12 19:27:54 UTC
I don't have either installed.
I just update with yum host & guests.

Comment 24 Daniel Walsh 2010-07-12 21:14:17 UTC
Ok you are using mock though?

Comment 25 Frank Murphy 2010-07-12 21:22:00 UTC
(In reply to comment #24)
> Ok you are using mock though?    


Using mock on the host.

Comment 26 Daniel Walsh 2010-07-13 13:13:54 UTC
This is being triggered by the mislabeled packagekitd.

chcon -t rpm_exec_t /usr/libexec/packagekitd

Should fix the problem until the new selinux-policy package gets released.

Comment 27 Miroslav Grepl 2010-07-19 10:23:40 UTC
selinux-policy-3.7.19-37.fc13 has been pushed to the Fedora 13 testing
repository.  If problems still persist, please make note of it in this bug
report.

If you want to test the update, you can install it with 

su -c 'yum --enablerepo=updates-testing update selinux-policy'.  

You can provide feedback for this update here:
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-37.fc13

Comment 28 Magnus Tuominen 2010-07-22 17:22:53 UTC
Summary:

SELinux is preventing /usr/sbin/tzdata-update access to a leaked /tmp/tmpmgFivi
file descriptor.

Detailed Description:

[tzdata-update has a permissive type (tzdata_t). This access was not denied.]

SELinux denied access requested by the tzdata-update command. It looks like this
is either a leaked descriptor or tzdata-update output was redirected to a file
it is not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the /tmp/tmpmgFivi. You should generate a bugzilla on selinux-policy,
and it will get routed to the appropriate package. You can safely ignore this
avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:tmp_t:s0
Target Objects                /tmp/tmpmgFivi [ file ]
Source                        tzdata-update
Source Path                   /usr/sbin/tzdata-update
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glibc-common-2.12-3
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-37.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux megatron 2.6.33.6-147.fc13.x86_64 #1 SMP Tue
                              Jul 6 22:32:17 UTC 2010 x86_64 x86_64
Alert Count                   8
First Seen                    Thu 22 Jul 2010 05:23:05 PM EEST
Last Seen                     Thu 22 Jul 2010 05:46:30 PM EEST
Local ID                      05b013fa-f302-4165-bee4-887d4de3101d
Line Numbers                  

Raw Audit Messages            

node=megatron type=AVC msg=audit(1279809990.89:25247): avc:  denied  { read append } for  pid=2937 comm="tzdata-update" path="/tmp/tmpmgFivi" dev=sda2 ino=67183 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

node=megatron type=AVC msg=audit(1279809990.89:25247): avc:  denied  { read append } for  pid=2937 comm="tzdata-update" path="/tmp/tmpmgFivi" dev=sda2 ino=67183 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

node=megatron type=SYSCALL msg=audit(1279809990.89:25247): arch=c000003e syscall=59 per=8 success=yes exit=0 a0=4de42b0 a1=6423720 a2=7fff8f1296c0 a3=fffffff8 items=0 ppid=2925 pid=2937 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="tzdata-update" exe="/usr/sbin/tzdata-update" subj=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 key=(null)

using
mock-1.1.1-1.fc13.noarch

Comment 29 Alex Lancaster 2010-07-29 06:17:30 UTC
I am still getting this selinux warning with:

rpm -q selinux-policy
selinux-policy-3.7.19-39.fc13.noarch

Comment 30 Daniel Walsh 2010-07-29 14:41:55 UTC
This fix will not fix the mock issue.  We are working fixed for mock/yum/rpm/selinux-policy to allow mock to run without generating AVCs and putting down labels.  I am not sure if this has made its way into Rawhide yet.

You can add a local policy to dontaudit this AVC.

Comment 31 Fedora Admin XMLRPC Client 2010-11-08 21:51:34 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 32 Fedora Admin XMLRPC Client 2010-11-08 21:52:55 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 33 Fedora Admin XMLRPC Client 2010-11-08 21:55:30 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 34 Bug Zapper 2011-06-02 16:26:43 UTC
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping


Note You need to log in before you can comment on or make changes to this bug.