Bug 732014 - SELinux is preventing /bin/systemd-tmpfiles from 'unlink' accesses on the file cimv2.21.0-interop.mof.
Summary: SELinux is preventing /bin/systemd-tmpfiles from 'unlink' accesses on the fil...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: i386
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:e9310835c7d...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-08-19 13:08 UTC by Adam Hough
Modified: 2011-10-06 00:02 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.9.16-39.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-06 00:02:50 UTC


Attachments (Terms of Use)

Description Adam Hough 2011-08-19 13:08:51 UTC
SELinux is preventing /bin/systemd-tmpfiles from 'unlink' accesses on the file cimv2.21.0-interop.mof.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow systemd-tmpfiles to have unlink access on the cimv2.21.0-interop.mof file
Then you need to change the label on cimv2.21.0-interop.mof
Do
# semanage fcontext -a -t FILE_TYPE 'cimv2.21.0-interop.mof'
where FILE_TYPE is one of the following: man_t, tmp_t, var_auth_t, file_t, lockfile, pidfile, tmpfile, sandbox_file_t, user_home_t, faillog_t, rpm_var_lib_t, etc_runtime_t. 
Then execute: 
restorecon -v 'cimv2.21.0-interop.mof'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that systemd-tmpfiles should be allowed unlink access on the cimv2.21.0-interop.mof file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_tmpfiles_t:s0
Target Context                system_u:object_r:usr_t:s0
Target Objects                cimv2.21.0-interop.mof [ file ]
Source                        systemd-tmpfile
Source Path                   /bin/systemd-tmpfiles
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-units-26-8.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40-4.fc15.i686 #1 SMP Fri Jul 29
                              18:54:39 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Mon 01 Aug 2011 10:09:22 PM CDT
Last Seen                     Fri 12 Aug 2011 09:09:49 AM CDT
Local ID                      bc1885a6-cf10-4e13-886e-ad181dfd0c23

Raw Audit Messages
type=AVC msg=audit(1313158189.670:87): avc:  denied  { unlink } for  pid=2261 comm="systemd-tmpfile" name="cimv2.21.0-interop.mof" dev=dm-2 ino=331736 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file


type=SYSCALL msg=audit(1313158189.670:87): arch=i386 syscall=unlinkat success=yes exit=0 a0=6 a1=9d6a7db a2=0 a3=bfe263b0 items=0 ppid=1 pid=2261 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tmpfile exe=/bin/systemd-tmpfiles subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)

Hash: systemd-tmpfile,systemd_tmpfiles_t,usr_t,file,unlink

audit2allow

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t usr_t:file unlink;

audit2allow -R

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t usr_t:file unlink;

Comment 1 Daniel Walsh 2011-08-20 10:45:34 UTC
Any idea where cimv2.21.0-interop.mof was located?

Comment 2 Adam Hough 2011-08-30 13:48:27 UTC
Sorry, I was not using this system for about a week so did not get a chance to figure out the answer to your question until now.

The full path to the file is: /usr/share/libvirt-cim/cimv2.21.0-interop_mof. This file is part of the libvirt-cim.i686 package.

I have no idea why this is happening or an opinion as to whether it should or should not have access to do what it is trying to do.

Comment 3 Daniel Walsh 2011-08-30 17:01:17 UTC
Did you move a copy of this file to /tmp?

Comment 4 Daniel Walsh 2011-08-30 17:02:12 UTC
Miroslav we are allowing this in F16 now.

Comment 5 Miroslav Grepl 2011-09-05 11:55:14 UTC
Fixed in selinux-policy-3.9.16-39.fc15

Comment 6 Fedora Update System 2011-09-08 08:12:25 UTC
selinux-policy-3.9.16-39.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15

Comment 7 Fedora Update System 2011-09-09 05:28:32 UTC
Package selinux-policy-3.9.16-39.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-39.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2011-10-06 00:02:50 UTC
selinux-policy-3.9.16-39.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.