Bug 802508 - SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the directory grub.
SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the director...
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
i686 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
: 802500 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2012-03-12 13:19 EDT by Bill Davidsen
Modified: 2012-03-28 09:26 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-03-28 09:26:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Bill Davidsen 2012-03-12 13:19:11 EDT
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.2.9-2.fc16.i686
reason:         SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the directory grub.
time:           Mon 12 Mar 2012 01:18:51 PM EDT

:SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the directory grub.
:*****  Plugin catchall (100. confidence) suggests  ***************************
:If you believe that tmpwatch should be allowed read access on the grub directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:allow this access for now by executing:
:# grep tmpwatch /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:Additional Information:
:Source Context                system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:boot_t:s0
:Target Objects                grub [ dir ]
:Source                        tmpwatch
:Source Path                   /usr/sbin/tmpwatch
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           tmpwatch-2.10.3-1.fc16.i686
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.2.9-2.fc16.i686 #1
:                              SMP Mon Mar 5 21:12:36 UTC 2012 i686 i686
:Alert Count                   1
:First Seen                    Mon 12 Mar 2012 01:17:58 PM EDT
:Last Seen                     Mon 12 Mar 2012 01:17:58 PM EDT
:Local ID                      d481189b-01ed-457b-aaee-e499e824fff1
:Raw Audit Messages
:type=AVC msg=audit(1331572678.9:121): avc:  denied  { read } for  pid=6665 comm="tmpwatch" name="grub" dev=dm-0 ino=392476 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boot_t:s0 tclass=dir
:type=SYSCALL msg=audit(1331572678.9:121): arch=i386 syscall=openat success=no exit=EACCES a0=ffffff9c a1=804bf87 a2=98800 a3=0 items=0 ppid=6663 pid=6665 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm=tmpwatch exe=/usr/sbin/tmpwatch subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
:Hash: tmpwatch,tmpreaper_t,boot_t,dir,read
:#============= tmpreaper_t ==============
:allow tmpreaper_t boot_t:dir read;
:audit2allow -R
:#============= tmpreaper_t ==============
:allow tmpreaper_t boot_t:dir read;
Comment 1 Daniel Walsh 2012-03-12 13:55:56 EDT
Did you mv content to /tmp?

 find /tmp -type d -context "*:boot_t:*"

Then remove the content?
Comment 2 Daniel Walsh 2012-03-12 13:56:30 EDT
*** Bug 802500 has been marked as a duplicate of this bug. ***
Comment 3 Bill Davidsen 2012-03-27 17:11:08 EDT
I did nothing with /tmp or content, this was one of a series of machines being installed on FC16 or upgraded to it. I don't see the machine name in the report, and I just forwarded the info by clicking the "report via bugzilla" in hopes it would be useful. If there's nothing in the info it sent I can't really tell from this which of MANY machines I did that week was the one, not did I bury you in reports from every one which had problems, I assume you have lots of stuff coming in.

If it's not useful feel free to close it, I did about 16 machines that week.
Comment 4 Miroslav Grepl 2012-03-28 09:26:55 EDT
Ok, let's close this one and reopen if this happens again. Thank you.

Note You need to log in before you can comment on or make changes to this bug.