Bug 799596 - SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the directory /var/spool/vscan.
SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the director...
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
16
i686 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:c3c7c53291dde69c3400d8daccb...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-03-03 05:32 EST by geminic86
Modified: 2012-03-05 04:12 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-05 04:12:24 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description geminic86 2012-03-03 05:32:50 EST
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.2.7-1.fc16.i686.PAE
reason:         SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the directory /var/spool/vscan.
time:           Sat 03 Mar 2012 05:32:38 AM EST

description:
:SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the directory /var/spool/vscan.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that tmpwatch should be allowed read access on the vscan directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep tmpwatch /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:sagator_root_t:s0
:Target Objects                /var/spool/vscan [ dir ]
:Source                        tmpwatch
:Source Path                   /usr/sbin/tmpwatch
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           tmpwatch-2.10.3-1.fc16.i686
:Target RPM Packages           sagator-core-1.2.3-1.fc16.noarch
:Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.2.7-1.fc16.i686.PAE #1 SMP Tue Feb
:                              21 01:30:59 UTC 2012 i686 i686
:Alert Count                   1
:First Seen                    Sat 03 Mar 2012 04:22:01 AM EST
:Last Seen                     Sat 03 Mar 2012 04:22:01 AM EST
:Local ID                      d1ce1768-15c7-494b-accc-65aec6f911b2
:
:Raw Audit Messages
:type=AVC msg=audit(1330766521.580:1223): avc:  denied  { read } for  pid=12695 comm="tmpwatch" name="vscan" dev=dm-1 ino=81937 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sagator_root_t:s0 tclass=dir
:
:
:type=SYSCALL msg=audit(1330766521.580:1223): arch=i386 syscall=open success=no exit=EACCES a0=804bf87 a1=8000 a2=0 a3=bfdc3b1c items=0 ppid=12694 pid=12695 auid=954 uid=954 gid=939 euid=954 suid=954 fsuid=954 egid=939 sgid=939 fsgid=939 tty=(none) ses=153 comm=tmpwatch exe=/usr/sbin/tmpwatch subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
:
:Hash: tmpwatch,tmpreaper_t,sagator_root_t,dir,read
:
:audit2allow
:
:#============= tmpreaper_t ==============
:allow tmpreaper_t sagator_root_t:dir read;
:
:audit2allow -R
:
:#============= tmpreaper_t ==============
:allow tmpreaper_t sagator_root_t:dir read;
:
Comment 1 Miroslav Grepl 2012-03-05 04:12:24 EST
geminic86,
I see also other bugs which you reported. The problem is you have own sagator policy which is not a part of our policy. 

You will need to add accesses to your local policy.

Note You need to log in before you can comment on or make changes to this bug.