Bug 698977 - SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the directory /.
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:be815c1d483...
Depends On:
Blocks:
Reported: 2011-04-22 13:38 UTC by Clyde E. Kunkel
Modified: 2011-11-21 16:41 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-11-21 16:41:53 UTC
Type: ---



Description Clyde E. Kunkel 2011-04-22 13:38:49 UTC
SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the directory /.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow tmpwatch to have read access on the  directory
Then you need to change the label on /
Do
# semanage fcontext -a -t FILE_TYPE '/'
where FILE_TYPE is one of the following: textrel_shlib_t, httpd_cache_t, sandbox_file_t, var_lib_t, user_home_type, kismet_log_t, var_run_t, rpm_var_cache_t, home_root_t, tmpreaper_t, print_spool_t, amavis_spool_t, sysctl_crypto_t, man_t, user_home_dir_t, abrt_t, lib_t, root_t, device_t, usr_t, locale_t, etc_t, tmpfile, device_t, etc_t. 
Then execute: 
restorecon -v '/'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that tmpwatch should be allowed read access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep tmpwatch /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
Target Context                system_u:object_r:mnt_t:s0
Target Objects                / [ dir ]
Source                        tmpwatch
Source Path                   /usr/sbin/tmpwatch
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           tmpwatch-2.10.2-1.fc16
Target RPM Packages           filesystem-2.4.41-1.fc16
Policy RPM                    selinux-policy-3.9.16-15.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.39-0.rc3.git2.0.fc16.x86_64 #1 SMP Wed Apr 13
                              17:32:09 UTC 2011 x86_64 x86_64
Alert Count                   43
First Seen                    Fri 15 Apr 2011 12:39:01 PM EDT
Last Seen                     Thu 21 Apr 2011 11:32:01 AM EDT
Local ID                      1de5d896-8815-4052-ba88-47cad1abf0dc

Raw Audit Messages
type=AVC msg=audit(1303399921.512:120): avc:  denied  { read } for  pid=14563 comm="tmpwatch" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=dir


type=SYSCALL msg=audit(1303399921.512:120): arch=x86_64 syscall=open success=no exit=EACCES a0=40458b a1=0 a2=347bf98150 a3=0 items=0 ppid=14561 pid=14563 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=tmpwatch exe=/usr/sbin/tmpwatch subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)

Hash: tmpwatch,tmpreaper_t,mnt_t,dir,read

audit2allow

#============= tmpreaper_t ==============
allow tmpreaper_t mnt_t:dir read;

audit2allow -R

#============= tmpreaper_t ==============
allow tmpreaper_t mnt_t:dir read;
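As an added illustration (not part of the bug report, nor setroubleshoot's or audit2allow's own code), a small Python parser that takes the raw AVC record above, rebuilds the audit2allow rule and the components of setroubleshoot's "Hash:" line, and flags the label mismatch that the catchall_labels plugin is reacting to. It assumes the audit line format shown in the report; the label_hint check is a heuristic added here.

```python
import re

# Constructed copy of the AVC record quoted in this bug report.
AVC_LINE = (
    'type=AVC msg=audit(1303399921.512:120): avc:  denied  { read } for  '
    'pid=14563 comm="tmpwatch" name="/" dev=dm-0 ino=2 '
    'scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:mnt_t:s0 tclass=dir'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC record into a dict: result, perms (list) and the key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None  # not an AVC record (e.g. the SYSCALL line)
    avc = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    avc['result'] = m.group('result')
    avc['perms'] = m.group('perms').split()
    return avc

def se_type(context):
    """user:role:type:range -> type, the part that policy rules are written against."""
    return context.split(':')[2]

def allow_rule(avc):
    """Reproduce the audit2allow output: allow <stype> <ttype>:<class> <perms>;"""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (
        se_type(avc['scontext']), se_type(avc['tcontext']), avc['tclass'], perm_str)

def hash_key(avc):
    """The comma-separated components setroubleshoot prints on its 'Hash:' line."""
    return ','.join([avc['comm'], se_type(avc['scontext']),
                     se_type(avc['tcontext']), avc['tclass'], ','.join(avc['perms'])])

def label_hint(avc):
    """Heuristic added here: a directory named '/' carries root_t in targeted policy.
    Any other type (mnt_t here, the default label of /mnt) means the denied object is
    the root of some other mounted filesystem or a mislabelled directory."""
    ttype = se_type(avc['tcontext'])
    if avc.get('tclass') == 'dir' and avc.get('name') == '/' and ttype != 'root_t':
        return 'name="/" but type is %s, not root_t: check mount points, then restorecon' % ttype
    return None
```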

Comment 1 Daniel Walsh 2011-04-25 13:36:44 UTC
Are you having tmpwatch watch the /mnt directory?

Comment 2 Clyde E. Kunkel 2011-04-25 16:50:46 UTC
Not on purpose.  This is a multi-boot test machine with numerous other distros and fedora versions.  I mount them in /mnt as part of the install process of the instant distro. After that, they are primarily referred to and only occasionally modified.

Comment 3 Daniel Walsh 2011-04-25 17:26:07 UTC
Anything in /etc/cron.daily/tmpwatch that mentions mnt?

Comment 4 Clyde E. Kunkel 2011-04-25 22:01:51 UTC
Not that I can see....


 sudo cat /etc/cron.daily/tmpwatch
#! /bin/sh
flags=-umc
/usr/sbin/tmpwatch "$flags" -x /tmp/.X11-unix -x /tmp/.XIM-unix \
	-x /tmp/.font-unix -x /tmp/.ICE-unix -x /tmp/.Test-unix \
	-X '/tmp/hsperfdata_*' 10d /tmp
/usr/sbin/tmpwatch "$flags" 30d /var/tmp
for d in /var/{cache/man,catman}/{cat?,X11R6/cat?,local/cat?}; do
    if [ -d "$d" ]; then
	/usr/sbin/tmpwatch "$flags" -f 30d "$d"
    fi
done

Comment 5 Clyde E. Kunkel 2011-04-28 15:10:33 UTC
Would it be advisable to run the command recommended in the troubleshooter?


#!/bin/bash
for ft in textrel_shlib_t httpd_cache_t sandbox_file_t var_lib_t user_home_type kismet_log_t var_run_t rpm_var_cache_t home_root_t tmpreaper_t print_spool_t amavis_spool_t sysctl_crypto_t man_t user_home_dir_t abrt_t lib_t root_t device_t usr_t locale_t etc_t tmpfile device_t etc_t; do semanage fcontext -a -t $ft '/'; done

Comment 6 Daniel Walsh 2011-04-28 15:18:48 UTC
No.  Has this happened again?

Do you have special file systems mounted on /mnt or /media?

Comment 7 Clyde E. Kunkel 2011-04-28 18:33:18 UTC
Yeah, number of occurrences at 106.  Nothing in media.

mnt has other distro root filesystems mounted in it, a seti at home partition and a vfat partition:


$ df -ahT /mnt/*
Filesystem                      Type  Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-fedora14 ext4   16G  5.2G  9.5G  36% /mnt/fedora14
/dev/mapper/VolGroup00-fedora15 ext4   16G  6.2G  8.5G  43% /mnt/fedora15
/dev/sdf6                       ext3  2.0G  198M  1.7G  11% /mnt/seti
/dev/sdf3                       vfat  9.8G   75M  9.7G   1% /mnt/share
/dev/mapper/VolGroup00-rawhide  ext4   16G  6.4G  8.3G  44% /

running in permissive mode.

Comment 8 Daniel Walsh 2011-04-28 19:10:21 UTC
Any chance you have symbolic links into these directories?  Or bind mounts?

Comment 9 Clyde E. Kunkel 2011-04-28 19:34:43 UTC
(In reply to comment #8)
> Any chance you have symbolic links into these directories?  Or bind mounts?

No.  However, there are symbolic links **within** the /mnt/fedora14 and /mnt/fedora15 directories

Comment 10 Daniel Walsh 2011-04-28 20:59:45 UTC
Let's see if auditing gives us better data.  Can you turn on full auditing to see if we get a better path?


# auditctl -W /etc/shadow -p w

Next time you get this AVC see if it includes a PATH record.

Comment 11 Clyde E. Kunkel 2011-04-29 02:20:44 UTC
(In reply to comment #10)
> Lets see if auditing gives us better data.  Can you turn on full auditing to
> see if we get a better path.
> 
> 
> # auditctl -W /etc/shadow -p w
> 
> Next time you get this AVC see if it includes a PATH record.


# auditctl -W /etc/shadow -p w
Error sending delete rule data request (No such file or directory)


Didn't work?

Comment 12 Daniel Walsh 2011-04-29 15:09:44 UTC
Sorry
 auditctl -w /etc/shadow -p w

