Bug 750000 - SELinux is preventing /bin/systemd-tmpfiles from 'unlink' accesses on the sock_file plasma-desktopGh1800.slave-socket.
Summary: SELinux is preventing /bin/systemd-tmpfiles from 'unlink' accesses on the soc...
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:b066a46550e...
Depends On:
Blocks:
 
Reported: 2011-10-29 18:43 UTC by franco santini
Modified: 2011-10-31 19:22 UTC
CC: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-31 19:22:01 UTC
Type: ---



Description franco santini 2011-10-29 18:43:23 UTC
SELinux is preventing /bin/systemd-tmpfiles from 'unlink' accesses on the sock_file plasma-desktopGh1800.slave-socket.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-tmpfiles should be allowed unlink access on the plasma-desktopGh1800.slave-socket sock_file by default, then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_tmpfiles_t:s0
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                plasma-desktopGh1800.slave-socket [ sock_file ]
Source                        systemd-tmpfile
Source Path                   /bin/systemd-tmpfiles
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-units-26-12.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-44.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40.7-3.fc15.x86_64
                              #1 SMP Mon Oct 24 13:51:56 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 29 Oct 2011 08:29:46 PM CEST
Last Seen                     Sat 29 Oct 2011 08:29:46 PM CEST
Local ID                      3dbf83c9-b380-4b60-be56-dd19c7415e46

Raw Audit Messages
type=AVC msg=audit(1319912986.102:61): avc:  denied  { unlink } for  pid=2373 comm="systemd-tmpfile" name="plasma-desktopGh1800.slave-socket" dev=dm-1 ino=656379 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=sock_file


type=SYSCALL msg=audit(1319912986.102:61): arch=x86_64 syscall=unlinkat success=yes exit=0 a0=5 a1=237867b a2=0 a3=100 items=0 ppid=1 pid=2373 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tmpfile exe=/bin/systemd-tmpfiles subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)

Hash: systemd-tmpfile,systemd_tmpfiles_t,user_home_dir_t,sock_file,unlink

audit2allow

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t user_home_dir_t:sock_file unlink;

audit2allow -R

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t user_home_dir_t:sock_file unlink;
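
The catchall plugin's grep | audit2allow recipe above and the comments below (a sock_file should never carry user_home_dir_t) pull in opposite directions: the first writes a local module permitting whatever was denied, the second says the object is mislabeled and the fix is to relabel it. The script below is an added example, not part of this bug report and not code from selinux-policy, setroubleshoot, audit2allow or systemd. It parses the AVC record from the Raw Audit Messages above (copied in as constructed sample input), reproduces the allow rule audit2allow prints for that single record, and flags a file-class target whose type ends in _dir_t as a labeling bug to fix with restorecon rather than a rule to install. The function names and the _dir_t heuristic are my own assumptions, not anything setroubleshoot or audit2allow implements.

```shell
#!/bin/sh
# Added example (not from the bug report or from selinux-policy/setroubleshoot).
# Parses one AVC record, reproduces the allow rule audit2allow would emit for
# it, and flags the case this bug shows: a sock_file carrying a directory type,
# which wants relabeling (restorecon) rather than a local policy module.

# Constructed sample input: the AVC record copied from "Raw Audit Messages" above.
SAMPLE_AVC='type=AVC msg=audit(1319912986.102:61): avc:  denied  { unlink } for  pid=2373 comm="systemd-tmpfile" name="plasma-desktopGh1800.slave-socket" dev=dm-1 ino=656379 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=sock_file'

# avc_field RECORD KEY: print the value of " KEY=value" in RECORD.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms RECORD: print the permission list between "{" and "}".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# selinux_type CONTEXT: print the type (third colon-separated field) of a context.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow RECORD: print the allow rule audit2allow derives from this record.
avc_to_allow() {
    st=$(selinux_type "$(avc_field "$1" scontext)")
    tt=$(selinux_type "$(avc_field "$1" tcontext)")
    printf 'allow %s %s:%s %s;\n' "$st" "$tt" "$(avc_field "$1" tclass)" "$(avc_perms "$1")"
}

# avc_triage RECORD: print "mislabel" when a file-like object carries a
# directory type (my heuristic: the type name ends in _dir_t), else "policy".
# A mislabel is fixed with restorecon -v <path>, not with audit2allow.
avc_triage() {
    tt=$(selinux_type "$(avc_field "$1" tcontext)")
    case "$(avc_field "$1" tclass)" in
        file|sock_file|lnk_file|fifo_file|chr_file|blk_file)
            case "$tt" in *_dir_t) echo mislabel; return 0 ;; esac ;;
    esac
    echo policy
}

# triage_log: read AVC records on stdin (one per line) and print
# "<verdict><TAB><rule>" for each, e.g.
#   grep 'avc:  denied' /var/log/audit/audit.log | triage_log
triage_log() {
    while IFS= read -r line; do
        printf '%s\t%s\n' "$(avc_triage "$line")" "$(avc_to_allow "$line")"
    done
}

# Run on the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_AVC" | triage_log
```

Against a live system, pipe grep 'avc:  denied' /var/log/audit/audit.log into triage_log; on a "mislabel" verdict, compare the object's current label (ls -Z) with what the file contexts say it should be (matchpathcon) before installing any module. Nothing in the script needs root or an audit log to run, so it can be checked against the sample first.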

Comment 1 Miroslav Grepl 2011-10-31 09:55:19 UTC
Did you move this sock file from /home to /tmp directory?

Comment 2 Daniel Walsh 2011-10-31 14:45:43 UTC
We should really never have a sock_file labeled as a user_home_dir_t.  Any idea how this sock_file got created?

Comment 3 franco santini 2011-10-31 17:05:40 UTC
(In reply to comment #1)
> Did you move this sock file from /home to /tmp directory?

I didn't move any file from /home to /tmp. Actually, the file /tmp/systemd_tmpfiles exists with SELinux context system_u:object_r:systemd_tmpfiles_exec_t:s0

Comment 4 Daniel Walsh 2011-10-31 18:15:35 UTC
find /tmp -name plasma-desktopGh1800.slave-socket
or

find /var/tmp  -name plasma-desktopGh1800.slave-socket

This seems to be something to do with kde.

Comment 5 franco santini 2011-10-31 19:14:52 UTC
No such file in either directory or elsewhere in filesystem.
Also yum list and Google give me nothing!

Comment 6 Daniel Walsh 2011-10-31 19:22:01 UTC
OK, let's act like this never happened and reopen if it happens again.

