Bug 799596 - SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the directory /var/spool/vscan.
Summary: SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the director...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: i686
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:c3c7c53291dde69c3400d8daccb...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-03-03 10:32 UTC by geminic86
Modified: 2012-03-05 09:12 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-05 09:12:24 UTC
Type: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description geminic86 2012-03-03 10:32:50 UTC 
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.2.7-1.fc16.i686.PAE
reason:         SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the directory /var/spool/vscan.
time:           Sat 03 Mar 2012 05:32:38 AM EST

description:
:SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the directory /var/spool/vscan.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that tmpwatch should be allowed read access on the vscan directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep tmpwatch /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:sagator_root_t:s0
:Target Objects                /var/spool/vscan [ dir ]
:Source                        tmpwatch
:Source Path                   /usr/sbin/tmpwatch
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           tmpwatch-2.10.3-1.fc16.i686
:Target RPM Packages           sagator-core-1.2.3-1.fc16.noarch
:Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.2.7-1.fc16.i686.PAE #1 SMP Tue Feb
:                              21 01:30:59 UTC 2012 i686 i686
:Alert Count                   1
:First Seen                    Sat 03 Mar 2012 04:22:01 AM EST
:Last Seen                     Sat 03 Mar 2012 04:22:01 AM EST
:Local ID                      d1ce1768-15c7-494b-accc-65aec6f911b2
:
:Raw Audit Messages
:type=AVC msg=audit(1330766521.580:1223): avc:  denied  { read } for  pid=12695 comm="tmpwatch" name="vscan" dev=dm-1 ino=81937 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sagator_root_t:s0 tclass=dir
:
:
:type=SYSCALL msg=audit(1330766521.580:1223): arch=i386 syscall=open success=no exit=EACCES a0=804bf87 a1=8000 a2=0 a3=bfdc3b1c items=0 ppid=12694 pid=12695 auid=954 uid=954 gid=939 euid=954 suid=954 fsuid=954 egid=939 sgid=939 fsgid=939 tty=(none) ses=153 comm=tmpwatch exe=/usr/sbin/tmpwatch subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
:
:Hash: tmpwatch,tmpreaper_t,sagator_root_t,dir,read
:
:audit2allow
:
:#============= tmpreaper_t ==============
:allow tmpreaper_t sagator_root_t:dir read;
:
:audit2allow -R
:
:#============= tmpreaper_t ==============
:allow tmpreaper_t sagator_root_t:dir read;
:
Comment 1 Miroslav Grepl 2012-03-05 09:12:24 UTC 
geminic86,
I see also other bugs which you reported. The problem is you have own sagator policy which is not a part of our policy. 

You will need to add accesses to your local policy.
Note You need to log in before you can comment on or make changes to this bug.