738406 – policy prevents systemd from creating tmp dir /var/cache/man

Bug 738406 - policy prevents systemd from creating tmp dir /var/cache/man

Summary: policy prevents systemd from creating tmp dir /var/cache/man

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	16
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-09-14 17:58 UTC by Mads Kiilerich
Modified:	2011-09-21 17:43 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-09-21 17:43:44 UTC
Type:	---
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Mads Kiilerich 2011-09-14 17:58:13 UTC

On a homebrew livecd:

...
[    9.288452] systemd-tmpfiles[805]: Successfully loaded SELinux database in 8ms 279us, size on heap is 468K.
[    9.430335] type=1400 audit(1316020731.067:3): avc:  denied  { write } for  pid=805 comm="systemd-tmpfile" name="cache" dev=dm-0 ino=13 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
[    9.430344] type=1400 audit(1316020731.067:4): avc:  denied  { add_name } for  pid=805 comm="systemd-tmpfile" name="man" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
[    9.430358] type=1400 audit(1316020731.067:5): avc:  denied  { create } for  pid=805 comm="systemd-tmpfile" name="man" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
[    9.433407] type=1400 audit(1316020731.070:6): avc:  denied  { relabelfrom } for  pid=805 comm="systemd-tmpfile" name="man" dev=dm-0 ino=131073 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
[    9.825863] livesys[829]: /etc/init.d/functions: line 58: /dev/stderr: No such device or address
[    9.910265] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[    9.911437] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[    9.912481] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
...

I do not have man-db installed and do thus not have /var/cache/man ... but here in permissive mode it seems like systemd creates it because of the /usr/lib/tmpfiles.d/systemd.conf entry.

I guess that it could be argued that the policy is right and the problem should be fixed elsewhere. Perhaps:
* systemd could require man-db ... no ... please don't
* /var/cache/man could move to filesystem ... yes, perhaps
* systemd shouldn't create non-existing directories ... also an option

selinux-policy-targeted-3.10.0-28.fc16.noarch
kernel-3.1.0-0.rc6.git0.0.fc16.x86_64
dracut-013-8.fc16.noarch
systemd-35-1.fc16.x86_64

Comment 1 Daniel Walsh 2011-09-15 14:20:58 UTC

Fixed in selinux-policy-targeted-3.10.0-29.fc16.noarch

Comment 2 Mads Kiilerich 2011-09-21 17:16:21 UTC

Confirmed with -32. No avc when systemd creates /var/cache/man/ in permissive mode.

Note You need to log in before you can comment on or make changes to this bug.