Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 594588 - SELinux is preventing /sbin/load_policy "read" access on /tmp/tmpcX4AQA.
SELinux is preventing /sbin/load_policy "read" access on /tmp/tmpcX4AQA.
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
13
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:fe9e5d319fa...
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-05-21 00:49 EDT by GoinEasy9
Modified: 2010-12-23 05:50 EST (History)
31 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-08-24 10:38:07 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
yum -y update output and yum.log (33.99 KB, text/plain)
2010-08-20 17:24 EDT, Magnus Glantz
no flags Details
selinux output (2.71 KB, text/plain)
2010-08-20 17:25 EDT, Magnus Glantz
no flags Details
uname -a, /var/log/messages, dmesg output, rpm -qa (55.15 KB, text/plain)
2010-08-20 17:49 EDT, Magnus Glantz
no flags Details
/var/log/messages, same issue occurring, different occation (11.54 KB, text/plain)
2010-08-20 18:08 EDT, Magnus Glantz
no flags Details
ps -eZ|grep yum, ps -eZ|grep initrc_t, yum.log during 'yum update', plus packagekit labels. (21.75 KB, text/plain)
2010-08-23 11:32 EDT, Magnus Glantz
no flags Details

  None (edit)
Description GoinEasy9 2010-05-21 00:49:57 EDT
Summary:

SELinux is preventing /sbin/load_policy "read" access on /tmp/tmpcX4AQA.

Detailed Description:

[load_policy has a permissive type (load_policy_t). This access was not denied.]

SELinux denied access requested by load_policy. It is not expected that this
access is required by load_policy and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:load_policy_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                /tmp/tmpcX4AQA [ file ]
Source                        load_policy
Source Path                   /sbin/load_policy
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           policycoreutils-2.0.82-13.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-10.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.34-2.fc14.i686.PAE #1 SMP
                              Mon May 17 03:51:24 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Fri 21 May 2010 12:35:24 AM EDT
Last Seen                     Fri 21 May 2010 12:35:24 AM EDT
Local ID                      78a68eaf-92f6-4e20-ae97-e1cbcc07d2b3
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1274416524.409:23): avc:  denied  { read } for  pid=3017 comm="load_policy" path="/tmp/tmpcX4AQA" dev=sda2 ino=9072 scontext=unconfined_u:system_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1274416524.409:23): avc:  denied  { read } for  pid=3017 comm="load_policy" path="/tmp/tmpcX4AQA" dev=sda2 ino=9072 scontext=unconfined_u:system_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1274416524.409:23): arch=40000003 syscall=11 success=yes exit=0 a0=23c1190 a1=b99d138 a2=0 a3=0 items=0 ppid=3011 pid=3017 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="load_policy" exe="/sbin/load_policy" subj=unconfined_u:system_r:load_policy_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,load_policy,load_policy_t,user_tmp_t,file,read
audit2allow suggests:

#============= load_policy_t ==============
allow load_policy_t user_tmp_t:file read;
Comment 1 Daniel Walsh 2010-05-21 07:48:07 EDT
This looks like a leak.  Any idea which tool you were using when this happened?  Some kind of install program.  It can safely be ignored.
Comment 2 GoinEasy9 2010-05-21 13:16:46 EDT
It happened during updates, specifically when selinux-policy was updating.  Ok, shall be ignored.
Comment 3 Daniel Walsh 2010-05-24 11:37:26 EDT
What tool were you using for updates?  Packagekit?
Comment 4 GoinEasy9 2010-05-24 12:57:12 EDT
No, Yum update.
Comment 5 Daniel Walsh 2010-05-24 13:54:13 EDT
Ok, I have not idea why this happened.  If it happens again reopen the bug.
Comment 6 GoinEasy9 2010-05-24 14:07:35 EDT
This particular notification did not happen again.  Other notifications that occurred during the same update and involve SELinux and /var/spool/abrt are still happening and I'm discussing them in 595036.

Thank You for your help.
Comment 7 Magnus Glantz 2010-08-20 17:19:33 EDT
I keep getting this in F13 (x86_64), latest updates applied.
Most recently I got it running 'yum -y update' a couple of minutes ago.
I'll attach a transaction log of what was updated.
Comment 8 Magnus Glantz 2010-08-20 17:24:43 EDT
Created attachment 440055 [details]
yum -y update output and yum.log
Comment 9 Magnus Glantz 2010-08-20 17:25:29 EDT
Created attachment 440056 [details]
selinux output
Comment 10 Magnus Glantz 2010-08-20 17:49:47 EDT
Created attachment 440057 [details]
uname -a, /var/log/messages, dmesg output, rpm -qa
Comment 11 Magnus Glantz 2010-08-20 18:06:19 EDT
To be noted, I haven't seen any ill effects from this for as long as I've had this issue. I've had this issue 6 times as of yet. 

I found the /var/log/messages output from the time before this one. I'll attach that as well. At that time it was also software updates that triggered it.
Comment 12 Magnus Glantz 2010-08-20 18:08:14 EDT
Created attachment 440061 [details]
/var/log/messages, same issue occurring, different occation
Comment 13 Daniel Walsh 2010-08-21 06:25:10 EDT
What label is on yum?

 ls -lZ /usr/bin/yum
-rwxr-xr-x. root root system_u:object_r:rpm_exec_t:s0  /usr/bin/yum
Comment 14 Magnus Glantz 2010-08-23 04:52:29 EDT
It's the same..
$  ls -lZ /usr/bin/yum
-rwxr-xr-x. root root system_u:object_r:rpm_exec_t:s0  /usr/bin/yum

I've e-mailed you a sosreport from my machine.
Comment 17 Daniel Walsh 2010-08-23 09:42:03 EDT
What does

ps -eZ | grep initrc_t

Return.


What label does packagekit run as?
Comment 18 Daniel Walsh 2010-08-23 09:43:37 EDT
If you do yum update

And don't answer the question, what context is it running as

ps -eZ | grep yum
Comment 19 Magnus Glantz 2010-08-23 11:30:02 EDT
ps -eZ|grep initrc_t doesn't return anything, not during normal operation or during 'yum update'. 

Attaching packagekit labels.

I just ran 'yum update', attaching yum.log, ps -eZ|grep initrc_t, ps -ef|grep yum from when that was done. No issues detected by abrt though.
Comment 20 Magnus Glantz 2010-08-23 11:32:22 EDT
Created attachment 440414 [details]
ps -eZ|grep yum, ps -eZ|grep initrc_t, yum.log during 'yum update', plus packagekit labels.
Comment 21 Magnus Glantz 2010-08-23 11:34:58 EDT
I mean.. no issues seen in SELinux Security Alerts.
Comment 22 Daniel Walsh 2010-08-23 16:09:35 EDT
So you are no longer seeing the avc's concerning initrc_tmp_t?
Comment 23 Magnus Glantz 2010-08-23 19:48:33 EDT
Correct, though, I'm afraid the issue is intermittent, it doesn't occur on each 'yum update'. This month I've had it on perhaps 2-3 occasions, but I've run 'yum update' 7-8 times perhaps.

I'll keep logging ps -eZ output when I do update any software. 
Is there any debugging that I can turn on that would prove helpful? Running strace on yum update when I do update?
Comment 24 Daniel Walsh 2010-08-24 10:38:07 EDT
Ok reopen if this happens again.

Note You need to log in before you can comment on or make changes to this bug.