Bug 610314 - SELinux is preventing /usr/sbin/tzdata-update access to a leaked /tmp/tmpeNNc7d file descriptor.
Status: CLOSED DUPLICATE of bug 612327
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: x86_64 Linux
Priority: medium, Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
setroubleshoot_trace_hash:dc168eeb69b...
Reported: 2010-07-01 22:26 EDT by Benjamin Kahn
Modified: 2012-05-21 17:24 EDT
Doc Type: Bug Fix
Last Closed: 2010-07-12 05:02:27 EDT
Description Benjamin Kahn 2010-07-01 22:26:35 EDT
Summary:

SELinux is preventing /usr/sbin/tzdata-update access to a leaked /tmp/tmpeNNc7d
file descriptor.

Detailed Description:

[tzdata-update has a permissive type (tzdata_t). This access was not denied.]

SELinux denied access requested by the tzdata-update command. It looks like this
is either a leaked descriptor or tzdata-update output was redirected to a file
it is not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the /tmp/tmpeNNc7d. You should generate a bugzilla on selinux-policy,
and it will get routed to the appropriate package. You can safely ignore this
avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:tzdata_t:s0-s0:c0.c1023
Target Context                system_u:object_r:initrc_tmp_t:s0
Target Objects                /tmp/tmpeNNc7d [ file ]
Source                        tzdata-update
Source Path                   /usr/sbin/tzdata-update
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glibc-common-2.12-1
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-10.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux aklaptop 2.6.33.3-85.fc13.x86_64 #1 SMP Thu
                              May 6 18:09:49 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 01 Jul 2010 10:21:40 PM EDT
Last Seen                     Thu 01 Jul 2010 10:21:40 PM EDT
Local ID                      aa20b990-850b-4cbd-bc42-894be025a80b
Line Numbers                  

Raw Audit Messages            

node=aklaptop type=AVC msg=audit(1278037300.305:45): avc:  denied  { read append } for  pid=3428 comm="tzdata-update" path="/tmp/tmpeNNc7d" dev=dm-0 ino=140829 scontext=system_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

node=aklaptop type=AVC msg=audit(1278037300.305:45): avc:  denied  { read append } for  pid=3428 comm="tzdata-update" path="/tmp/tmpeNNc7d" dev=dm-0 ino=140829 scontext=system_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

node=aklaptop type=SYSCALL msg=audit(1278037300.305:45): arch=c000003e syscall=59 success=yes exit=0 a0=55771c0 a1=7b477e0 a2=7d709b0 a3=1f items=0 ppid=3298 pid=3428 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tzdata-update" exe="/usr/sbin/tzdata-update" subj=system_u:system_r:tzdata_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  leaks,tzdata-update,tzdata_t,initrc_tmp_t,file,read,append
audit2allow suggests:

#============= tzdata_t ==============
allow tzdata_t initrc_tmp_t:file { read append };
Comment 1 Miroslav Grepl 2010-07-07 06:19:16 EDT
Which process is running as initrc_t?

ps -eZ | grep initrc_t
Comment 2 Benjamin Kahn 2010-07-07 09:05:28 EDT
This bug was fixed by relabelling the filesystem.  However, this was a fresh install of the Design Spin.  I assume it is a bug of that spin.  How do I move this bug to that product?
Comment 3 Thomas Spear 2010-07-08 17:59:03 EDT
I just received this with a fresh install as well. No changes have been made to the system other than installing Flash. This is F13 x86_64 downloaded from the Fedora website.
Comment 4 Thomas Spear 2010-07-08 18:03:18 EDT
After reboot, I received the popup again, so I ran the following:

[tom@tom ~]$ ps -eZ |grep initrc
system_u:system_r:initrc_t:s0-s0:c0.c1023 2181 ? 00:00:00 packagekitd
[tom@tom ~]$
Comment 5 deadasalways 2010-07-08 20:53:42 EDT
[root@BrokenDiamonds ~]# ps -eZ |grep initrc
system_u:system_r:initrc_t:s0-s0:c0.c1023 17657 ? 00:00:09 packagekitd
system_u:system_r:initrc_t:s0-s0:c0.c1023 17764 ? 00:04:00 yumBackend.py
------------------------------------------------------------------------

Fresh install made with a "vanilla" ISO of Fedora 13 amd64 (i.e., no spins/modifications/whatever).
Comment 6 Jonathan 2010-07-09 06:00:33 EDT
I got this on an update. I'll try to track down the package.
Comment 7 tevarij 2010-07-09 15:30:40 EDT
I also have four bugs directly after a fresh install of Fedora 13 from a DVD on
Friday 9 July 2010.
Comment 8 Miroslav Grepl 2010-07-12 05:02:27 EDT

*** This bug has been marked as a duplicate of bug 612327 ***
Comment 9 evarie 2010-07-12 12:25:04 EDT
Also see https://bugzilla.redhat.com/show_bug.cgi?id=612327


>Is it PackageKit or selinux-policy?


For me it is signed with SELinux.
I have a picture of the problems: http://www.evarie.dse.nl/fedora13/SELinux.Troubleshoot_error-log.jpg

In this picture, you can see that the error is coming
from a temporary file at /tmp/tmpqddjbt

And the error came after my first fresh install of Fedora 13 on my Dell Optiplex GX260 with an internet connection.

The picture has the text:
SELinux blocked entry to a leaked file write.

SELinux belet  /usr/sbin/semodule toegang tot een gelekte /tmp/tmpqddjbt bestands beschrijving. 

/sbin/setfiles/     /tmp/tmpqddjbt

/usr/sbin/tzdata-update    /tmp/tmpqddjbt

/usr/sbin/groupadd         /tmp/tmpqddjbt
Comment 10 Filip Hristov 2010-07-12 21:43:30 EDT
That went on during the update immediately after the installation.
My machine is Intel P45 with Nvidia PCI-E GC.
Comment 11 Filip Hristov 2010-07-12 22:06:14 EDT
That went on during the last update (from 08.July.2010) immediately after installing Fedora 13 on my computer.
My machine is Intel P45 with Nvidia PCI-E GC.
Comment 12 Filip Hristov 2010-07-13 18:16:21 EDT
Today SELinux again gave this alert during the update process with the new updates (from today - 13.July.2010).
Comment 13 Daniel Walsh 2010-07-14 08:42:04 EDT
ps -eZ | grep packagekit
ls -lZ /usr/libexec/packagekitd
Comment 14 Mads Kiilerich 2010-07-14 09:20:46 EDT
(In reply to comment #13)
> ps -eZ | grep packagekit

system_u:system_r:initrc_t:s0-s0:c0.c1023 29739 ? 00:00:00 packagekitd

> ls -lZ /usr/libexec/packagekitd    

-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/libexec/packagekitd

(No surprise there, I assume. I haven't used the workaround "chcon -t rpm_exec_t /usr/libexec/packagekitd" because it is more important that it is fixed in Fedora than on my machine.)
Comment 15 Daniel Walsh 2010-07-14 09:23:42 EDT
Ok, that is what is causing your problems though.
Comment 16 Robert Martin 2010-07-15 03:35:31 EDT
(In reply to comment #1)
> Which process is running as initrc_t?
> 
> ps -eZ | grep initrc_t    

system_u:system_r:initrc_t:s0    1377 ?        00:00:04 python
system_u:system_r:initrc_t:s0    1469 ?        00:00:00 runuser
system_u:system_r:initrc_t:s0    1471 ?        00:00:03 btseed
system_u:system_r:initrc_t:s0    1483 ?        00:00:00 runuser
system_u:system_r:initrc_t:s0    1485 ?        00:00:03 bttrack
system_u:system_r:initrc_t:s0    1907 ?        00:00:00 cimserver
system_u:system_r:initrc_t:s0    6375 ?        00:00:00 epmd
system_u:system_r:initrc_t:s0   14197 ?        00:00:00 bash <defunct>
Comment 17 nomnex 2010-08-11 19:39:47 EDT
I am affected by this bug in the same manner as described by "comment 9" (fresh install of the Fedora Live CD).

What is the full syntax of the command (below) to pass to fix this bug?

chcon -t rpm_exec_t /usr/libexec/packagekitd
Comment 18 nomnex 2010-08-11 19:42:53 EDT
Edit: Bug 612327 seems to be fixed.
Comment 19 James DeCambra 2010-08-15 11:03:19 EDT
F13 install from CDs created from BitTorrent. I've just installed and I'm just running updates.


Summary:

SELinux is preventing /usr/sbin/tzdata-update access to a leaked /tmp/tmpKQJeNN
file descriptor.

Detailed Description:

[tzdata-update has a permissive type (tzdata_t). This access was not denied.]

SELinux denied access requested by the tzdata-update command. It looks like this
is either a leaked descriptor or tzdata-update output was redirected to a file
it is not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the /tmp/tmpKQJeNN. You should generate a bugzilla on selinux-policy,
and it will get routed to the appropriate package. You can safely ignore this
avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:tzdata_t:s0-s0:c0.c1023
Target Context                system_u:object_r:initrc_tmp_t:s0
Target Objects                /tmp/tmpKQJeNN [ file ]
Source                        tzdata-update
Source Path                   /usr/sbin/tzdata-update
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glibc-common-2.12-1
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-10.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux kong.zheming 2.6.33.3-85.fc13.i686.PAE #1
                              SMP Thu May 6 18:27:11 UTC 2010 i686 i686
Alert Count                   6
First Seen                    Sun 15 Aug 2010 10:04:27 AM EDT
Last Seen                     Sun 15 Aug 2010 10:05:48 AM EDT
Local ID                      0c8d7079-05a6-423f-9417-c35708b5bbae
Line Numbers                  

Raw Audit Messages            

node=kong.zheming type=AVC msg=audit(1281881148.254:22480): avc:  denied  { read append } for  pid=2212 comm="tzdata-update" path="/tmp/tmpKQJeNN" dev=dm-0 ino=788676 scontext=system_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

node=kong.zheming type=AVC msg=audit(1281881148.254:22480): avc:  denied  { read append } for  pid=2212 comm="tzdata-update" path="/tmp/tmpKQJeNN" dev=dm-0 ino=788676 scontext=system_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

node=kong.zheming type=SYSCALL msg=audit(1281881148.254:22480): arch=40000003 syscall=11 success=yes exit=0 a0=12192060 a1=115f18d0 a2=115fdec0 a3=0 items=0 ppid=1953 pid=2212 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tzdata-update" exe="/usr/sbin/tzdata-update" subj=system_u:system_r:tzdata_t:s0-s0:c0.c1023 key=(null)
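
The leak pattern visible in the two reports in this bug, as an added example that is not part of the original report or of setroubleshoot: an AVC denial that shares its audit event with an execve (syscall 59 on x86_64, 11 on i386) and names a path other than the executable points to a descriptor inherited from the parent process. The function name, the httpd control record and the `_tmp_t` owner heuristic are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the first two events are trimmed from the reports in this
# bug; the third (httpd, open) is an invented control that must not match.
SAMPLE = '''\
node=aklaptop type=AVC msg=audit(1278037300.305:45): avc:  denied  { read append } for  pid=3428 comm="tzdata-update" path="/tmp/tmpeNNc7d" scontext=system_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
node=aklaptop type=SYSCALL msg=audit(1278037300.305:45): arch=c000003e syscall=59 success=yes exit=0 pid=3428 comm="tzdata-update" exe="/usr/sbin/tzdata-update"
node=kong.zheming type=AVC msg=audit(1281881148.254:22480): avc:  denied  { read append } for  pid=2212 comm="tzdata-update" path="/tmp/tmpKQJeNN" scontext=system_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
node=kong.zheming type=SYSCALL msg=audit(1281881148.254:22480): arch=40000003 syscall=11 success=yes exit=0 pid=2212 comm="tzdata-update" exe="/usr/sbin/tzdata-update"
node=example type=AVC msg=audit(1000000000.001:7): avc:  denied  { read } for  pid=9 comm="httpd" path="/etc/shadow" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
node=example type=SYSCALL msg=audit(1000000000.001:7): arch=c000003e syscall=2 success=no exit=-13 pid=9 comm="httpd" exe="/usr/sbin/httpd"
'''

EXECVE = {"c000003e": 59, "40000003": 11}  # execve number for x86_64 / i386
HEAD = re.compile(r"node=(\S+) type=(\w+) msg=audit\(([\d.]+:\d+)\)")
AVC = re.compile(r'denied\s+\{ ([^}]*) \}.*? comm="([^"]+)".*? path="([^"]+)"'
                 r".*? scontext=[^:]+:[^:]+:(\w+).*? tcontext=[^:]+:[^:]+:(\w+)")
SYSCALL = re.compile(r'arch=(\w+) syscall=(\d+).*? exe="([^"]+)"')


def leaked_fd_events(log):
    """Return AVC denials raised while execve() ran, on a path other than the
    executable: the file was already open in the parent and was inherited."""
    events = defaultdict(lambda: {"avc": [], "exe": None})
    for line in log.splitlines():
        head = HEAD.search(line)
        if not head:
            continue
        node, kind, serial = head.groups()
        event = events[(node, serial)]  # serials are only unique per node
        if kind == "AVC" and (avc := AVC.search(line)):
            event["avc"].append(avc.groups())
        elif kind == "SYSCALL" and (sc := SYSCALL.search(line)):
            arch, number, exe = sc.groups()
            if EXECVE.get(arch) == int(number):
                event["exe"] = exe
    findings = set()
    for event in events.values():
        for perms, comm, path, source, target in event["avc"]:
            if event["exe"] and path != event["exe"]:
                # Heuristic: X_tmp_t names temp files created by domain X_t.
                owner = target[:-6] + "_t" if target.endswith("_tmp_t") else None
                findings.add((comm, source, path, perms, target, owner))
    return sorted(findings)
```

The last field of each finding names the domain to look for with `ps -eZ`, which is the question asked in comment 1.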
Comment 20 Mike Eskenazi 2010-08-18 14:15:33 EDT
I ran several Fedora updates today, after which I saw this error.  Fedora wanted to automatically update 409 packages.
Comment 21 José Martínez 2010-08-18 17:17:37 EDT
Maybe the solution is on the main web page of the Fedora Project, and at this link: http://lists.fedoraproject.org/pipermail/announce/2010-July/002843.html

After doing that the system sent me many updates and the problem has not appeared in a long time.
