Bug 589408 - SELinux is preventing the getSystemId from using potentially mislabeled files (/tmp).
SELinux is preventing the getSystemId from using potentially mislabeled files...
Status: CLOSED DUPLICATE of bug 589402
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
13
i386 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:8471a5a38f0...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-05-06 01:05 EDT by Naoki
Modified: 2010-05-06 03:47 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-05-06 03:47:04 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Naoki 2010-05-06 01:05:06 EDT
Summary:

SELinux is preventing the getSystemId from using potentially mislabeled files
(/tmp).

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied getSystemId access to potentially mislabeled file(s) (/tmp).
This means that SELinux will not allow getSystemId to use these files. It is
common for users to edit files in their home directory or tmp directories and
then move (mv) them to system directories. The problem is that the files end up
with the wrong file context which confined applications are not allowed to
access.

Allowing Access:

If you want getSystemId to access this files, you need to relabel them using
restorecon -v '/tmp'. You might want to relabel the entire directory using
restorecon -R -v '/tmp'.

Additional Information:

Source Context                unconfined_u:system_r:snmpd_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                /tmp [ dir ]
Source                        getSystemId
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6-9.fc11
Target RPM Packages           filesystem-2.4.21-1.fc11
Policy RPM                    selinux-policy-3.6.12-69.fc11
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     (removed)
Platform                      Linux (removed) 2.6.29.5-191.fc11.i586 #1
                              SMP Tue Jun 16 23:11:39 EDT 2009 i686 i686
Alert Count                   4
First Seen                    Tue 04 Aug 2009 04:50:39 PM JST
Last Seen                     Tue 04 Aug 2009 04:50:39 PM JST
Local ID                      083927da-1aa7-47fe-8f5e-c747611f4cfb
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1249372239.183:19128): avc:  denied  { write } for  pid=16148 comm="getSystemId" name="tmp" dev=dm-0 ino=21594113 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1249372239.183:19128): avc:  denied  { add_name } for  pid=16148 comm="getSystemId" name="ffihON8a6" scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1249372239.183:19128): avc:  denied  { create } for  pid=16148 comm="getSystemId" name="ffihON8a6" scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1249372239.183:19128): avc:  denied  { read write open } for  pid=16148 comm="getSystemId" name="ffihON8a6" dev=dm-0 ino=21594211 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1249372239.183:19128): arch=40000003 syscall=5 success=yes exit=7 a0=bf873be0 a1=c2 a2=180 a3=11c75074 items=0 ppid=16147 pid=16148 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="getSystemId" exe="/usr/bin/python" subj=unconfined_u:system_r:snmpd_t:s0 key=(null)



Hash String generated from  home_tmp_bad_labels,getSystemId,snmpd_t,tmp_t,dir,write
audit2allow suggests:

#============= snmpd_t ==============
#!!!! The source type 'snmpd_t' can write to a 'dir' of the following types:
# usr_t, var_t, var_lib_t, var_run_t, var_log_t, snmpd_var_lib_t, snmpd_var_run_t, root_t

allow snmpd_t tmp_t:dir { write add_name };
#!!!! The source type 'snmpd_t' can write to a 'file' of the following types:
# snmpd_log_t, snmpd_var_lib_t, snmpd_var_run_t, root_t

allow snmpd_t tmp_t:file { read write create open };
Comment 1 Miroslav Grepl 2010-05-06 03:47:04 EDT

*** This bug has been marked as a duplicate of bug 589402 ***

Note You need to log in before you can comment on or make changes to this bug.