Bug 802333 - SELinux is preventing /bin/systemd-tmpfiles from 'write' accesses on the directory x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:6280792c22c69c792b539711d34...
Reported: 2012-03-12 06:04 EDT by Daniel
Modified: 2012-09-04 02:23 EDT (History)
Doc Type: Bug Fix
Last Closed: 2012-09-03 13:24:57 EDT

Attachments: None

Description Daniel 2012-03-12 06:04:34 EDT
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.2.9-2.fc16.x86_64
reason:         SELinux is preventing /bin/systemd-tmpfiles from 'write' accesses on the directory x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43.
time:           Mon 12 Mar 2012 11:03:00 AM CET

description:
:SELinux is preventing /bin/systemd-tmpfiles from 'write' accesses on the directory x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that systemd-tmpfiles should be allowed write access on the x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43 directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:systemd_tmpfiles_t:s0
:Target Context                unconfined_u:object_r:user_home_t:s0
:Target Objects                x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729
:                              .6161_x-ww_31a54e43 [ dir ]
:Source                        systemd-tmpfile
:Source Path                   /bin/systemd-tmpfiles
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           systemd-units-37-13.fc16.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed)
:                              3.2.9-2.fc16.x86_64 #1 SMP Mon Mar 5 20:55:39 UTC
:                              2012 x86_64 x86_64
:Alert Count                   30
:First Seen                    Mon 12 Mar 2012 10:38:39 AM CET
:Last Seen                     Mon 12 Mar 2012 10:38:40 AM CET
:Local ID                      811b4d1c-c429-4ab7-9100-b60362aa5db3
:
:Raw Audit Messages
:type=AVC msg=audit(1331545120.790:210): avc:  denied  { write } for  pid=2810 comm="systemd-tmpfile" name="x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43" dev=dm-2 ino=3147483 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
:
:
:type=SYSCALL msg=audit(1331545120.790:210): arch=x86_64 syscall=unlinkat success=no exit=EACCES a0=9 a1=21aa5eb a2=0 a3=0 items=0 ppid=1 pid=2810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tmpfile exe=/bin/systemd-tmpfiles subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)
:
:Hash: systemd-tmpfile,systemd_tmpfiles_t,user_home_t,dir,write
:
:audit2allow
:
:#============= systemd_tmpfiles_t ==============
:#!!!! The source type 'systemd_tmpfiles_t' can write to a 'dir' of the following types:
:# rpm_var_lib_t, httpd_sys_rw_content_t, man_t, device_t, root_t, var_auth_t, tmp_t, usr_t, var_t, etc_t, file_t, tmpfs_t, config_home_t, lockfile, pidfile, tmpfile, sandbox_file_t, var_spool_t, httpd_cache_t, modules_object_t, faillog_t, var_lib_t
:
:allow systemd_tmpfiles_t user_home_t:dir write;
:
:audit2allow -R
:
:#============= systemd_tmpfiles_t ==============
:#!!!! The source type 'systemd_tmpfiles_t' can write to a 'dir' of the following types:
:# rpm_var_lib_t, httpd_sys_rw_content_t, man_t, device_t, root_t, var_auth_t, tmp_t, usr_t, var_t, etc_t, file_t, tmpfs_t, config_home_t, lockfile, pidfile, tmpfile, sandbox_file_t, var_spool_t, httpd_cache_t, modules_object_t, faillog_t, var_lib_t
:
:allow systemd_tmpfiles_t user_home_t:dir write;
:
Comment 1 Daniel 2012-03-12 06:07:55 EDT
The given file is part of my user's wine directory:
~/.wine/drive_c/windows/winsxs/x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43
Comment 2 Daniel 2012-03-12 06:14:48 EDT
Later there were SE alerts due to the same file for setattr instead of write access.

And a little later, alerts due to /usr/sbin/tmpwatch instead of /bin/systemd-tmpfiles concerning write access to ~/.wine/drive_c/windows/Microsoft.NET/Framework/v2.0.50727

=> Seems like the SE policies for user wine folders are broken with respect to the recently changed tmp file handling of Fedora 16.
Comment 3 Daniel 2012-03-12 07:00:54 EDT
Sorry for the confusion! The files are NOT in the user's home directory!

About a month ago I moved my wine folder to /tmp/ to create a fresh ~/.wine and to reinstall some broken tools, i.e. I ran
   mv ~/.wine /tmp/wine_old

This backup copy (wine_old) obviously was just today old enough to be forgotten, and systemd-tmpfiles as well as tmpwatch tried to get rid of these old files.

So neither systemd-tmpfiles nor tmpwatch delete files from users' home folders by default (I was really kind of worried and confused...).
Anyways, I don't close this bug as invalid, as I still think it's probably not intended behavior to get bombarded by SE alerts if you move a bunch of files to the tmp folder from a different security context.

Besides that, it's obviously confusing to see only the basename of the file in all the SE alert dialogs. If the absolute path had been given at least once, I would have seen the real problem sooner.
Comment 4 Daniel Walsh 2012-03-12 11:14:46 EDT
I am surprised this needs write and setattr.
Comment 5 Daniel 2012-03-14 05:04:19 EDT
The given paths were actually folders, so the write access might have been an attempt to remove files in this directory. Maybe systemd-tmpfiles tries to run something like chmod +w on the folder when it's not allowed to remove the files.

This would explain write and setattr on the given folders, but I'm not familiar with the internals of systemd-tmpfiles or tmpwatch, so it's just a wild guess.
Comment 6 Stef Walter 2012-09-03 05:25:02 EDT
I've seen this with a 'krb5' directory:

SELinux is preventing /usr/bin/systemd-tmpfiles from 'write' accesses on the directory krb5.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-tmpfiles should be allowed write access on the krb5 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_tmpfiles_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                krb5 [ dir ]
Source                        systemd-tmpfile
Source Path                   /usr/bin/systemd-tmpfiles
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-44-17.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-146.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.5.2-3.fc17.x86_64 #1 SMP Tue Aug
                              21 19:06:52 UTC 2012 x86_64 x86_64
Alert Count                   7
First Seen                    2012-09-02 07:13:12 CEST
Last Seen                     2012-09-03 11:21:46 CEST
Local ID                      941713be-84f6-43f5-a911-ca6ccfae9f8d

Raw Audit Messages
type=AVC msg=audit(1346664106.309:133): avc:  denied  { write } for  pid=3517 comm="systemd-tmpfile" name="krb5" dev="sda1" ino=411297 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir


type=SYSCALL msg=audit(1346664106.309:133): arch=x86_64 syscall=unlinkat success=no exit=EACCES a0=5 a1=27e6773 a2=200 a3=33a61b0778 items=0 ppid=1 pid=3517 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tmpfile exe=/usr/bin/systemd-tmpfiles subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)

Hash: systemd-tmpfile,systemd_tmpfiles_t,user_home_t,dir,write

audit2allow

#============= systemd_tmpfiles_t ==============
#!!!! The source type 'systemd_tmpfiles_t' can write to a 'dir' of the following types:
# device_t, var_auth_t, etc_t, file_t, tmpfs_t, man_t, root_t, config_home_t, tmp_t, usr_t, var_t, lockfile, pidfile, tmpfile, sandbox_file_t, faillog_t, var_spool_t, httpd_cache_t, var_log_t, var_lib_t, init_var_run_t, rpm_var_lib_t, httpd_sys_rw_content_t

allow systemd_tmpfiles_t user_home_t:dir write;

audit2allow -R

#============= systemd_tmpfiles_t ==============
#!!!! The source type 'systemd_tmpfiles_t' can write to a 'dir' of the following types:
# device_t, var_auth_t, etc_t, file_t, tmpfs_t, man_t, root_t, config_home_t, tmp_t, usr_t, var_t, lockfile, pidfile, tmpfile, sandbox_file_t, faillog_t, var_spool_t, httpd_cache_t, var_log_t, var_lib_t, init_var_run_t, rpm_var_lib_t, httpd_sys_rw_content_t

allow systemd_tmpfiles_t user_home_t:dir write;
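Added example (not part of the bug report or of setroubleshoot's output): a small Python triage script that pairs the AVC and SYSCALL records quoted in the description and in comment 6 by their audit serial, pulls out the source domain, target type, permission and syscall, and applies the diagnosis reached in comments 3 and 7: a system daemon denied on an object still labelled user_home_t points to a mislabeled object moved out of a home directory (mv keeps the label), not to a missing policy rule. The sample log is built from the lines quoted above with the SYSCALL lines trimmed; the HOME_TYPES set, the verdict strings and the find/ls -Zd locating hint are my own additions.

```python
"""Pair and triage the SELinux AVC denials quoted in this bug (added example)."""
import re
from collections import defaultdict

# Constructed sample input: the AVC/SYSCALL pairs from the two reports above,
# with the SYSCALL lines trimmed to the fields this parser uses.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1331545120.790:210): avc:  denied  { write } for  pid=2810 comm="systemd-tmpfile" name="x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43" dev=dm-2 ino=3147483 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1331545120.790:210): arch=x86_64 syscall=unlinkat success=no exit=EACCES ppid=1 pid=2810 uid=0 comm=systemd-tmpfile exe=/bin/systemd-tmpfiles subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)
type=AVC msg=audit(1346664106.309:133): avc:  denied  { write } for  pid=3517 comm="systemd-tmpfile" name="krb5" dev="sda1" ino=411297 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1346664106.309:133): arch=x86_64 syscall=unlinkat success=no exit=EACCES ppid=1 pid=3517 uid=0 comm=systemd-tmpfile exe=/usr/bin/systemd-tmpfiles subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)
"""
REC_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'denied\s+\{\s*([^}]*)\}')
HOME_TYPES = {'user_home_t', 'user_home_dir_t'}  # labels that belong under $HOME

def parse_audit(text):
    """Merge AVC and SYSCALL records sharing an audit serial into one dict each."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if rtype == 'AVC':  # the permission set sits outside the key=value fields
            perms = PERM_RE.search(body)
            fields['perms'] = perms.group(1).split() if perms else []
        events[serial].update(fields)
    return dict(events)

def triage(ev):
    """Heuristic from this bug: a daemon in role system_r denied on an object that
    still carries a home-directory type is usually a mislabeled object (mv keeps
    the old label, e.g. ~/.wine moved to /tmp), not a missing policy rule."""
    _, role, src_type = ev['scontext'].split(':')[:3]
    tgt_type = ev['tcontext'].split(':')[2]
    rec = {'domain': src_type, 'target_type': tgt_type, 'tclass': ev.get('tclass'),
           'perms': ev.get('perms', []), 'syscall': ev.get('syscall'), 'object': ev.get('name'),
           # the alert shows only a basename; dev/ino lead to the real path
           'locate': 'find / -inum %s 2>/dev/null (dev=%s), then ls -Zd the hit' % (ev.get('ino'), ev.get('dev'))}
    if role == 'system_r' and tgt_type in HOME_TYPES:
        rec['verdict'], rec['action'] = 'mislabeled', 'fix the label or remove the stray copy; an allow rule would let the tmp cleaner write to real home data'
    else:
        rec['verdict'], rec['action'] = 'policy', 'review audit2allow -R output and report against selinux-policy'
    return rec

def summarize(text=SAMPLE_AUDIT_LOG):
    return [triage(ev) for _, ev in sorted(parse_audit(text).items())]
```

Running `summarize()` on the sample yields one record per denial; both come back as `mislabeled`, which is the outcome comment 3 arrived at by hand.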
Comment 7 Miroslav Grepl 2012-09-03 13:24:57 EDT
Stef, 
did you move a dir to the /tmp dir?
Comment 8 Stef Walter 2012-09-04 02:23:44 EDT
I didn't move this directory explicitly there. But perhaps this was done by a script of some sort. I'll try and keep my eye out for it.
