Summary:

SELinux is preventing /usr/sbin/tzdata-update access to a leaked /tmp/tmpRWqqk1 file descriptor.

Detailed Description:

[tzdata-update has a permissive type (tzdata_t). This access was not denied.]

SELinux denied access requested by the tzdata-update command. It looks like this is either a leaked descriptor or tzdata-update output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /tmp/tmpRWqqk1. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:tmp_t:s0
Target Objects                /tmp/tmpRWqqk1 [ file ]
Source                        tzdata-update
Source Path                   /usr/sbin/tzdata-update
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glibc-common-2.11.1-1
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-103.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.9-70.fc12.x86_64 #1 SMP Wed Mar 3 04:40:41 UTC 2010 x86_64 x86_64
Alert Count                   4
First Seen                    Thu 25 Mar 2010 01:26:48 AM EDT
Last Seen                     Thu 25 Mar 2010 01:26:48 AM EDT
Local ID                      eb923a66-e5bc-47fd-8a82-88209db2d20e
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1269494808.645:41732): avc: denied { read write } for pid=17681 comm="tzdata-update" path="/tmp/tmpRWqqk1" dev=dm-0 ino=8327 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1269494808.645:41732): avc: denied { read write } for pid=17681 comm="tzdata-update" path="/tmp/tmpRWqqk1" dev=dm-0 ino=8327 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1269494808.645:41732): arch=c000003e syscall=59 success=yes exit=0 a0=6f7ea00 a1=5c221b0 a2=7fff3db85960 a3=fffffff8 items=0 ppid=17459 pid=17681 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=1 comm="tzdata-update" exe="/usr/sbin/tzdata-update" subj=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 key=(null)

Hash String generated from leaks,tzdata-update,tzdata_t,tmp_t,file,read,write

audit2allow suggests:

#============= tzdata_t ==============
allow tzdata_t tmp_t:file { read write };
What tools were you using when this AVC was created? Were you installing software?
(In reply to comment #1)
> What tools were you using when this AVC was created? Were you installing
> software?

Yes, I was using mock to test build a package using a separate user "build".
We are working on a mock environment with SELinux which should be added in F13 and Rawhide next month. Currently they do not work well together.
Couldn't this be dontaudit-ed in F-12 to avoid it popping up in setroubleshoot after every mock build?
Paul, I think there are lots of other AVC messages that will be generated within mock also. So I am not sure we can get them all. But Miroslav, can you add a dontaudit?
Maybe, but I'm doing a lot of mock builds every day and that's the only one I'm seeing at the moment.
Fixed in selinux-policy-3.6.32-110.fc12
selinux-policy-3.6.32-110.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-110.fc12
selinux-policy-3.6.32-110.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-110.fc12
selinux-policy-3.6.32-110.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
I'm still getting these on F-12 despite having updated to -110 on 14th April.

Summary:

SELinux is preventing /usr/sbin/tzdata-update access to a leaked /tmp/tmpKRqDj_ file descriptor.

Detailed Description:

[tzdata-update has a permissive type (tzdata_t). This access was not denied.]

SELinux denied access requested by the tzdata-update command. It looks like this is either a leaked descriptor or tzdata-update output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /tmp/tmpKRqDj_. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:tmp_t:s0
Target Objects                /tmp/tmpKRqDj_ [ file ]
Source                        tzdata-update
Source Path                   /usr/sbin/tzdata-update
Port                          <Unknown>
Host                          zion.intra.city-fan.org
Source RPM Packages           glibc-common-2.11.1-4
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-110.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     zion.intra.city-fan.org
Platform                      Linux zion.intra.city-fan.org 2.6.32.9-70.fc12.x86_64 #1 SMP Wed Mar 3 04:40:41 UTC 2010 x86_64 x86_64
Alert Count                   44
First Seen                    Thu 22 Apr 2010 11:39:36 BST
Last Seen                     Thu 22 Apr 2010 13:07:13 BST
Local ID                      58ad0d08-1ce1-4a6c-91f5-9748e15bcbc4
Line Numbers

Raw Audit Messages

node=zion.intra.city-fan.org type=AVC msg=audit(1271938033.177:35883): avc: denied { read write } for pid=23153 comm="tzdata-update" path="/tmp/tmpKRqDj_" dev=dm-19 ino=612 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

node=zion.intra.city-fan.org type=AVC msg=audit(1271938033.177:35883): avc: denied { read write } for pid=23153 comm="tzdata-update" path="/tmp/tmpKRqDj_" dev=dm-19 ino=612 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

node=zion.intra.city-fan.org type=SYSCALL msg=audit(1271938033.177:35883): arch=c000003e syscall=59 per=8 success=yes exit=0 a0=611b4d0 a1=5988ec0 a2=7fff88d61c90 a3=fffffff8 items=0 ppid=31484 pid=23153 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=949 comm="tzdata-update" exe="/usr/sbin/tzdata-update" subj=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 key=(null)
You are right, I apologize. Fixed in selinux-policy-3.6.32-113.fc12
selinux-policy-3.6.32-113.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12
selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12
This happens every time I run mock builds for F12. Although access is not denied it still prompts an AVC warning.

Summary:

SELinux is preventing /usr/sbin/tzdata-update access to a leaked /tmp/tmpxuzwct file descriptor.

Detailed Description:

[tzdata-update has a permissive type (tzdata_t). This access was not denied.]

SELinux denied access requested by the tzdata-update command. It looks like this is either a leaked descriptor or tzdata-update output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /tmp/tmpxuzwct. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:tmp_t:s0
Target Objects                /tmp/tmpxuzwct [ file ]
Source                        tzdata-update
Source Path                   /usr/sbin/tzdata-update
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glibc-common-2.11.1-4
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-110.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux kb3bjf.ham-radio-op.net 2.6.32.11-99.fc12.i686.PAE #1 SMP Mon Apr 5 16:15:03 EDT 2010 i686 i686
Alert Count                   12
First Seen                    Mon 12 Apr 2010 02:19:49 AM EDT
Last Seen                     Fri 30 Apr 2010 12:02:32 AM EDT
Local ID                      4cf2d749-ce54-4629-8fcb-b2b4fa4f10f7
Line Numbers

Raw Audit Messages

node=kb3bjf.ham-radio-op.net type=AVC msg=audit(1272600152.431:412): avc: denied { read write } for pid=1572 comm="tzdata-update" path="/tmp/tmpxuzwct" dev=dm-0 ino=17321 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

node=kb3bjf.ham-radio-op.net type=AVC msg=audit(1272600152.431:412): avc: denied { read write } for pid=1572 comm="tzdata-update" path="/tmp/tmpxuzwct" dev=dm-0 ino=17321 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

node=kb3bjf.ham-radio-op.net type=SYSCALL msg=audit(1272600152.431:412): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=c6a7600 a1=c677ff0 a2=bfadad50 a3=ffffffff items=0 ppid=1450 pid=1572 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="tzdata-update" exe="/usr/sbin/tzdata-update" subj=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 key=(null)
Please update your selinux-policy:

yum --enablerepo=updates-testing update selinux-policy-targeted
selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
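
An added example, not code from this bug report or from setroubleshoot: it groups raw audit records like the ones quoted in this thread by event id, drops the duplicated AVC line, and treats denials raised during execve() on a path other than the executable as leaked-descriptor candidates, returning the dontaudit rule the thread asks for. The execve heuristic, the host.example node name and the second event with its demo_t domain are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: event 41732 mirrors the first report (host name replaced);
# event 41740 and its demo_t domain are hypothetical, added as a non-leak contrast.
SAMPLE = '''\
node=host.example type=AVC msg=audit(1269494808.645:41732): avc: denied { read write } for pid=17681 comm="tzdata-update" path="/tmp/tmpRWqqk1" dev=dm-0 ino=8327 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
node=host.example type=AVC msg=audit(1269494808.645:41732): avc: denied { read write } for pid=17681 comm="tzdata-update" path="/tmp/tmpRWqqk1" dev=dm-0 ino=8327 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
node=host.example type=SYSCALL msg=audit(1269494808.645:41732): arch=c000003e syscall=59 success=yes exit=0 ppid=17459 pid=17681 uid=0 comm="tzdata-update" exe="/usr/sbin/tzdata-update" subj=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 key=(null)
node=host.example type=AVC msg=audit(1269494900.100:41740): avc: denied { read } for pid=200 comm="demo" path="/tmp/data" dev=dm-0 ino=9 scontext=unconfined_u:system_r:demo_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
node=host.example type=SYSCALL msg=audit(1269494900.100:41740): arch=c000003e syscall=2 success=no exit=-13 ppid=1 pid=200 uid=0 comm="demo" exe="/usr/bin/demo" subj=unconfined_u:system_r:demo_t:s0 key=(null)
'''

# execve syscall number per audit arch value (x86_64 and i386, both seen in the reports)
EXECVE = {"c000003e": "59", "40000003": "11"}
REC = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):(.*)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{([^}]*)\}")

def parse(log):
    """Group audit records by event id (timestamp:serial), deduplicating AVCs."""
    events = defaultdict(lambda: {"avc": set(), "syscall": None})
    for line in log.splitlines():
        m = REC.search(line)
        if not m:
            continue
        rtype, eid, body = m.groups()
        f = {k: v.strip('"') for k, v in KV.findall(body)}
        if rtype == "AVC":
            perms = " ".join(PERMS.search(body).group(1).split())
            events[eid]["avc"].add((perms, f["scontext"].split(":")[2],
                                    f["tcontext"].split(":")[2], f["tclass"], f.get("path", "")))
        elif rtype == "SYSCALL":
            events[eid]["syscall"] = f
    return events

def leak_candidates(events):
    """AVCs raised inside execve() are treated here as inherited-descriptor candidates."""
    hits = []
    for eid, ev in events.items():
        sc = ev["syscall"]
        if sc and EXECVE.get(sc["arch"]) == sc["syscall"]:
            for perms, src, tgt, tclass, path in sorted(ev["avc"]):
                if path and path != sc.get("exe"):
                    hits.append({"event": eid, "path": path,
                                 "rule": f"dontaudit {src} {tgt}:{tclass} {{ {perms} }};"})
    return hits
```
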