Summary:

SELinux is preventing /usr/sbin/tzdata-update access to a leaked /tmp/tmpeNNc7d file descriptor.

Detailed Description:

[tzdata-update has a permissive type (tzdata_t). This access was not denied.]

SELinux denied access requested by the tzdata-update command. It looks like this is either a leaked descriptor or tzdata-update output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /tmp/tmpeNNc7d. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:tzdata_t:s0-s0:c0.c1023
Target Context                system_u:object_r:initrc_tmp_t:s0
Target Objects                /tmp/tmpeNNc7d [ file ]
Source                        tzdata-update
Source Path                   /usr/sbin/tzdata-update
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glibc-common-2.12-1
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-10.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux aklaptop 2.6.33.3-85.fc13.x86_64 #1 SMP Thu May 6 18:09:49 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 01 Jul 2010 10:21:40 PM EDT
Last Seen                     Thu 01 Jul 2010 10:21:40 PM EDT
Local ID                      aa20b990-850b-4cbd-bc42-894be025a80b
Line Numbers

Raw Audit Messages

node=aklaptop type=AVC msg=audit(1278037300.305:45): avc: denied { read append } for pid=3428 comm="tzdata-update" path="/tmp/tmpeNNc7d" dev=dm-0 ino=140829 scontext=system_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

node=aklaptop type=AVC msg=audit(1278037300.305:45): avc: denied { read append } for pid=3428 comm="tzdata-update" path="/tmp/tmpeNNc7d" dev=dm-0 ino=140829 scontext=system_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

node=aklaptop type=SYSCALL msg=audit(1278037300.305:45): arch=c000003e syscall=59 success=yes exit=0 a0=55771c0 a1=7b477e0 a2=7d709b0 a3=1f items=0 ppid=3298 pid=3428 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tzdata-update" exe="/usr/sbin/tzdata-update" subj=system_u:system_r:tzdata_t:s0-s0:c0.c1023 key=(null)

Hash String generated from leaks,tzdata-update,tzdata_t,initrc_tmp_t,file,read,append

audit2allow suggests:

#============= tzdata_t ==============
allow tzdata_t initrc_tmp_t:file { read append };
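An added example, not part of the original report or of setroubleshoot/audit2allow: a small parser that merges the duplicated AVC records from the report into one audit2allow-style rule and names the domain that probably leaked the descriptor. The `leaking_domain` heuristic and all function names are assumptions of this example, and the SYSCALL record in the sample is abridged.

```python
import re

# Constructed sample: the AVC record from the report (it appears twice there)
# and an abridged copy of its SYSCALL record, which is not an AVC denial.
AVC = ('node=aklaptop type=AVC msg=audit(1278037300.305:45): avc: denied '
       '{ read append } for pid=3428 comm="tzdata-update" '
       'path="/tmp/tmpeNNc7d" dev=dm-0 ino=140829 '
       'scontext=system_u:system_r:tzdata_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file')
SYSCALL = ('node=aklaptop type=SYSCALL msg=audit(1278037300.305:45): '
           'syscall=59 success=yes comm="tzdata-update" '
           'exe="/usr/sbin/tzdata-update"')
SAMPLE = "\n".join([AVC, AVC, SYSCALL])

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    return {"perms": m.group(1).split(), "comm": f.get("comm"),
            "path": f.get("path"), "tclass": f["tclass"],
            "stype": f["scontext"].split(":")[2],   # SELinux type of the source
            "ttype": f["tcontext"].split(":")[2]}   # SELinux type of the target

def allow_rules(log_text):
    """Merge duplicate denials into audit2allow-style rules."""
    merged = {}
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        perms = merged.setdefault((rec["stype"], rec["ttype"], rec["tclass"]), [])
        perms.extend(p for p in rec["perms"] if p not in perms)
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in merged.items()]

def leaking_domain(rec):
    """Heuristic (an assumption of this example): a *_tmp_t file owned by a
    different domain than the one denied was probably inherited from a
    parent process in that domain. Returns that domain type, or None."""
    if rec["tclass"] == "file" and rec["ttype"].endswith("_tmp_t"):
        owner = rec["ttype"][:-len("_tmp_t")] + "_t"
        if owner != rec["stype"]:
            return owner
    return None

if __name__ == "__main__":
    print(allow_rules(SAMPLE))
    print(leaking_domain(parse_avc(AVC)))
```

The domain returned for this record is the one to look for in `ps -eZ` output when tracing which parent process left the temporary file open.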
Which process is running as initrc_t?

ps -eZ | grep initrc_t
This bug was fixed by relabelling the filesystem. However, this was a fresh install of the Design Spin. I assume it is a bug of that spin. How do I move this bug to that product?
I just received this with a fresh install as well. No changes have been made to the system other than installing flash. This is F13 x86_64 downloaded from the fedora website.
After reboot, I received the popup again, so I ran the following:

[tom@tom ~]$ ps -eZ |grep initrc
system_u:system_r:initrc_t:s0-s0:c0.c1023 2181 ? 00:00:00 packagekitd
[tom@tom ~]$
[root@BrokenDiamonds ~]# ps -eZ |grep initrc
system_u:system_r:initrc_t:s0-s0:c0.c1023 17657 ? 00:00:09 packagekitd
system_u:system_r:initrc_t:s0-s0:c0.c1023 17764 ? 00:04:00 yumBackend.py
------------------------------------------------------------------------
Fresh install made with a "vanilla" ISO of Fedora 13 amd64 (i.e., no spins/modifications/whatever).
I got this on an update. I'll try to track down package.
I also have four bugs directly after a fresh install of Fedora 13 from a DVD on Friday 9 July 2010.
*** This bug has been marked as a duplicate of bug 612327 ***
also see https://bugzilla.redhat.com/show_bug.cgi?id=612327
>Is it PackageKit or selinux-policy?
For me it is signed with SELinux. I have a picture of the problems:
url=http://www.evarie.dse.nl/fedora13/SELinux.Troubleshoot_error-log.jpg
In this picture, you can see that the error is coming from a temporary file at /tmp/tmpqddjbt
And the error came after my first fresh install of Fedora 13 on my Dell Optiplex GX260 with an internet connection.
The picture has the text:
SELinux blocked entry to a leaked file write.
SELinux belet /usr/sbin/semodule toegang tot een gelekte /tmp/tmpqddjbt bestands beschrijving.
/sbin/setfiles/ /tmp/tmpqddjbt
/usr/sbin/tzdata-update /tmp/tmpqddjbt
/usr/sbin/groupadd /tmp/tmpqddjbt
That went on during the update immediately after the installation. My machine is Intel P45 with Nvidia PCI-E GC.
That went on during the last update (from 08.July.2010) immediately after installing Fedora 13 on my computer. My machine is Intel P45 with Nvidia PCI-E GC.
Today SELinux again gave this alert during the update process with the new updates (from today - 13.July.2010).
ps -eZ | grep packagekit
ls -lZ /usr/libexec/packagekitd
(In reply to comment #13)
> ps -eZ | grep packagekit
system_u:system_r:initrc_t:s0-s0:c0.c1023 29739 ? 00:00:00 packagekitd

> ls -lZ /usr/libexec/packagekitd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/libexec/packagekitd

(No surprise there, I assume. I haven't used the workaround "chcon -t rpm_exec_t /usr/libexec/packagekitd" because it is more important that it is fixed in Fedora than on my machine.)
Ok, that is what is causing your problems though.
(In reply to comment #1)
> Which process is running as initrc_t?
>
> ps -eZ | grep initrc_t
system_u:system_r:initrc_t:s0 1377 ? 00:00:04 python
system_u:system_r:initrc_t:s0 1469 ? 00:00:00 runuser
system_u:system_r:initrc_t:s0 1471 ? 00:00:03 btseed
system_u:system_r:initrc_t:s0 1483 ? 00:00:00 runuser
system_u:system_r:initrc_t:s0 1485 ? 00:00:03 bttrack
system_u:system_r:initrc_t:s0 1907 ? 00:00:00 cimserver
system_u:system_r:initrc_t:s0 6375 ? 00:00:00 epmd
system_u:system_r:initrc_t:s0 14197 ? 00:00:00 bash <defunct>
I am affected by this bug in the same manner as described by "comment 9" (fresh install of the Fedora Live CD). What is the full syntax of the command (below) to pass to fix this bug? [code]chcon -t rpm_exec_t /usr/libexec/packagekitd[/code]
Edit: Bug 612327 seems to be fixed.
F13 install from CDs created from BitTorrent. I've just installed and I'm just running updates.

Summary:

SELinux is preventing /usr/sbin/tzdata-update access to a leaked /tmp/tmpKQJeNN file descriptor.

Detailed Description:

[tzdata-update has a permissive type (tzdata_t). This access was not denied.]

SELinux denied access requested by the tzdata-update command. It looks like this is either a leaked descriptor or tzdata-update output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /tmp/tmpKQJeNN. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:tzdata_t:s0-s0:c0.c1023
Target Context                system_u:object_r:initrc_tmp_t:s0
Target Objects                /tmp/tmpKQJeNN [ file ]
Source                        tzdata-update
Source Path                   /usr/sbin/tzdata-update
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glibc-common-2.12-1
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-10.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux kong.zheming 2.6.33.3-85.fc13.i686.PAE #1 SMP Thu May 6 18:27:11 UTC 2010 i686 i686
Alert Count                   6
First Seen                    Sun 15 Aug 2010 10:04:27 AM EDT
Last Seen                     Sun 15 Aug 2010 10:05:48 AM EDT
Local ID                      0c8d7079-05a6-423f-9417-c35708b5bbae
Line Numbers

Raw Audit Messages

node=kong.zheming type=AVC msg=audit(1281881148.254:22480): avc: denied { read append } for pid=2212 comm="tzdata-update" path="/tmp/tmpKQJeNN" dev=dm-0 ino=788676 scontext=system_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

node=kong.zheming type=AVC msg=audit(1281881148.254:22480): avc: denied { read append } for pid=2212 comm="tzdata-update" path="/tmp/tmpKQJeNN" dev=dm-0 ino=788676 scontext=system_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

node=kong.zheming type=SYSCALL msg=audit(1281881148.254:22480): arch=40000003 syscall=11 success=yes exit=0 a0=12192060 a1=115f18d0 a2=115fdec0 a3=0 items=0 ppid=1953 pid=2212 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tzdata-update" exe="/usr/sbin/tzdata-update" subj=system_u:system_r:tzdata_t:s0-s0:c0.c1023 key=(null)
I ran several Fedora updates today, after which I saw this error. Fedora wanted to automatically update 409 packages.
Maybe the solution is on the main Web page of the Fedora Project, and at this link: http://lists.fedoraproject.org/pipermail/announce/2010-July/002843.html After doing that, the system sent me many updates and the problem has not appeared for a long time.