Bug 732709 - SELinux is preventing /usr/sbin/tzdata-update from 'read' accesses on the directory /home/avignon.
Summary: SELinux is preventing /usr/sbin/tzdata-update from 'read' accesses on the dir...
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: i386
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:f33bcedf37b...
Depends On:
Blocks: 751853
TreeView+ depends on / blocked
 
Reported: 2011-08-23 11:02 UTC by avignon
Modified: 2011-11-07 19:45 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-26 21:29:19 UTC


Attachments (Terms of Use)

Description avignon 2011-08-23 11:02:22 UTC
SELinux is preventing /usr/sbin/tzdata-update from 'read' accesses on the directory /home/avignon.

*****  Plugin catchall (50.5 confidence) suggests  ***************************

If you believe that tzdata-update should be allowed read access on the avignon directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep tzdata-update /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

*****  Plugin leaks (50.5 confidence) suggests  ******************************

If you want to ignore tzdata-update trying to read access the avignon directory, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/sbin/tzdata-update /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                /home/avignon [ dir ]
Source                        tzdata-update
Source Path                   /usr/sbin/tzdata-update
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glibc-common-2.14-5
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-38.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40.3-0.fc15.i686 #1 SMP
                              Tue Aug 16 04:24:09 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Tue 23 Aug 2011 12:58:38 PM CEST
Last Seen                     Tue 23 Aug 2011 12:58:38 PM CEST
Local ID                      517cc20d-9968-4f7a-982d-9f824f28b655

Raw Audit Messages
type=AVC msg=audit(1314097118.942:99): avc:  denied  { read } for  pid=5253 comm="tzdata-update" path="/home/avignon" dev=dm-2 ino=6946817 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir


type=SYSCALL msg=audit(1314097118.942:99): arch=i386 syscall=execve success=yes exit=0 a0=8050b67 a1=bf9b3718 a2=bf9b371c a3=6 items=0 ppid=3826 pid=5253 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=tzdata-update exe=/usr/sbin/tzdata-update subj=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 key=(null)

Hash: tzdata-update,tzdata_t,user_home_dir_t,dir,read

audit2allow

#============= tzdata_t ==============
allow tzdata_t user_home_dir_t:dir read;

audit2allow -R

#============= tzdata_t ==============
allow tzdata_t user_home_dir_t:dir read;

Comment 1 Miroslav Grepl 2011-08-23 13:41:52 UTC
Do you know when this happened? Were you updating system?

Comment 2 Daniel Walsh 2011-08-24 02:52:13 UTC
Were you doing a yum update while sitting in your homedir?

Comment 3 avignon 2011-08-24 05:55:50 UTC
Hi All,

I was actually performing an yum update from my home directory. is there a problem with doing so ?

(the upgrade was the one following a switch from testing to rawhide repositories, for a new computer)

Comment 4 Daniel Walsh 2011-08-26 21:29:19 UTC
No, it just that some apps have a nasty habit of searching their current directory when they start,  If they are confined, you will see an AVC message like this, the app will work fine, and you can ignore this avc.

If you don't want to see these just cd /; yum -y update

And you should be fine.


Note You need to log in before you can comment on or make changes to this bug.