Bug 836262 - SELinux is preventing /usr/bin/systemd-tmpfiles from 'getattr' accesses on the directory /var/tmp/kdecache-root.
Summary: SELinux is preventing /usr/bin/systemd-tmpfiles from 'getattr' accesses on th...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:5bc8af610b994c8cf7e1cf7b51e...
Duplicates: 838703 838704
Depends On:
Reported: 2012-06-28 14:00 UTC by Vincenzo "Enzo" Romano
Modified: 2012-08-02 12:12 UTC (History)
8 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-07-23 15:24:25 UTC

Attachments
File: description (4.01 KB, text/plain)
2012-06-28 14:00 UTC, Vincenzo "Enzo" Romano

Description Vincenzo "Enzo" Romano 2012-06-28 14:00:23 UTC
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.4.2-4.rt10.1.fc17.ccrma.x86_64.rt
time:           gio 28 giu 2012 15:59:22 CEST

description:    Text file, 4102 bytes

Comment 1 Vincenzo "Enzo" Romano 2012-06-28 14:00:27 UTC
Created attachment 595028
File: description

Comment 2 Miroslav Grepl 2012-07-02 07:27:48 UTC
Did you try to add a label for this file?

If you can remove this file then just remove it.

If no, execute

# chcon -t user_tmp_t /var/tmp/kdecache-root

to fix this issue.

Comment 3 Vincenzo "Enzo" Romano 2012-07-09 09:32:08 UTC
Sorry for the delay.
As I have just made a clean FC17 install and subsequent package installs/updates, I would expect that all SELinux stuff is incrementally updated by the package system, aka YUM/Apper.
Please confirm whether this is the case or whether I need to manually check the SELinux status after every single package install.

Comment 4 Miroslav Grepl 2012-07-10 07:19:07 UTC
*** Bug 838703 has been marked as a duplicate of this bug. ***

Comment 5 Miroslav Grepl 2012-07-10 07:19:15 UTC
*** Bug 838704 has been marked as a duplicate of this bug. ***

Comment 6 Miroslav Grepl 2012-07-10 07:31:24 UTC
Could you try to remove

/var/tmp/kdecache-root

and then use KDE and execute

# ls -dZ  /var/tmp/kdecache-root

Comment 7 Leonid Zhaldybin 2012-07-22 08:39:59 UTC
(In reply to comment #6)
> Could you try to remove
> /var/tmp/kdecache-root
> and then use KDE and execute
> # ls -dZ  /var/tmp/kdecache-root

Hi Miroslav,
I came across the same problem after installing a fresh Fedora 17 system on my laptop. After I removed the /var/tmp/kdecache-root directory, it did not get recreated. I tried to restart KDE a few times. I wonder how it got created in the first place, since I've NEVER logged into KDE as 'root'.

Comment 8 Daniel Walsh 2012-07-23 15:07:01 UTC
Might have something to do with the livecd install process?

Comment 9 Leonid Zhaldybin 2012-07-23 15:10:03 UTC
(In reply to comment #8)
> Might have something to do with the livecd install process?

I used a DVD, not the KDE livecd for this installation.

Comment 10 Daniel Walsh 2012-07-23 15:13:14 UTC
Could the kdm be doing it?

Comment 11 Leonid Zhaldybin 2012-07-23 15:19:35 UTC
(In reply to comment #10)
> Could the kdm be doing it?

I suppose it could. But I restarted kdm a number of times after removing /var/tmp/kdecache-root directory, and it did not get recreated so far.

Comment 12 Daniel Walsh 2012-07-23 15:24:25 UTC
Ok if it comes back reopen bugzilla.

Comment 13 Michael B. 2012-07-24 23:14:21 UTC
I have the same problem. The directory can be created simply by opening an app, like dolphin, as root. You do not have to "log in" as root for it to be created.

Comment 14 Nick Coghlan 2012-07-25 14:40:10 UTC
I think Michael B may be on to something - I started seeing this on my freshly installed F17 system (actually updated with preupgrade from an F16 Live USB, since that was what I had handy). I also get an SELinux warning for /tmpwatch complaining about the same directory.

However, I believe I only saw it *after* running system-config-firewall from a root terminal session (or perhaps via sudo - I don't think it makes any real difference in this case). 

And looking at the ownership and security context for the offending directory

$ ls -dZ  /var/tmp/kdecache-root
drwx------. root root system_u:object_r:unlabeled_t:s0 /var/tmp/kdecache-root

My previous F17 system never exhibited this behaviour, but I also can't recall starting any GUI applications as root on that machine.

I suspect this means this bug is currently assigned to the wrong component - the SELinux policy seems to be OK, but whatever is creating that /var/tmp/kdecache-root entry is doing something wrong.

Contrast it with a similar entry created later and my user entry:

# ls -dZ /var/tmp/kdecache-rooteVxxp0/
drwx------. root root system_u:object_r:xdm_tmp_t:s0   /var/tmp/kdecache-rooteVxxp0/

# ls -dZ /var/tmp/kdecache-ncoghlan/
drwx------. ncoghlan ncoghlan unconfined_u:object_r:user_tmp_t:s0 /var/tmp/kdecache-ncoghlan

I was tinkering with running system-config-firewall as root to see if I could recreate the broken entry, but no luck (that's why I left the issue closed as "insufficient data" for the moment).
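
As an added illustration of the labels compared in comment 14 and the chcon fix from comment 2 (example script, not from the bug report or the selinux-policy project): it parses `ls -dZ` lines, flags the entry carrying unlabeled_t, and prints the one-off remediation for it. The sample lines are constructed from the contexts shown in the thread.

```shell
#!/bin/sh
# Added example (not from the bug report): classify the SELinux type in
# `ls -dZ` output and report the directory that has no policy type at all.
# SAMPLE_LS_Z is constructed from the three contexts quoted in comment 14.
SAMPLE_LS_Z='drwx------. root root system_u:object_r:unlabeled_t:s0 /var/tmp/kdecache-root
drwx------. root root system_u:object_r:xdm_tmp_t:s0 /var/tmp/kdecache-rooteVxxp0
drwx------. ncoghlan ncoghlan unconfined_u:object_r:user_tmp_t:s0 /var/tmp/kdecache-ncoghlan'

# selinux_type LINE: the type component (3rd ':' field) of the security
# context, which `ls -Z` prints as the 4th whitespace-separated field.
selinux_type() {
    printf '%s\n' "$1" | awk '{ split($4, c, ":"); print c[3] }'
}

# check_line LINE: prints "ok <path> <type>" for a directory that carries a
# real type, or the chcon command from comment 2 when the type is
# unlabeled_t (no type known to the loaded policy, which is why confined
# domains such as systemd-tmpfiles are denied getattr on it).
check_line() {
    t=$(selinux_type "$1")
    p=$(printf '%s\n' "$1" | awk '{ print $5 }')
    if [ "$t" = "unlabeled_t" ]; then
        # chcon is the one-off fix given in comment 2; `restorecon -v "$p"`
        # would instead apply whatever the installed file_contexts specify.
        echo "chcon -t user_tmp_t $p"
    else
        echo "ok $p $t"
    fi
}

# count_unlabeled: how many entries in SAMPLE_LS_Z are unlabeled_t.
count_unlabeled() {
    printf '%s\n' "$SAMPLE_LS_Z" |
        awk '{ split($4, c, ":"); if (c[3] == "unlabeled_t") n++ } END { print n + 0 }'
}

# Walk the sample, one report line per directory.
printf '%s\n' "$SAMPLE_LS_Z" | while IFS= read -r line; do
    check_line "$line"
done
```

On a live system the same functions can be fed `ls -dZ /var/tmp/kdecache-*` instead of the constructed sample.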

Comment 15 Miroslav Grepl 2012-08-01 11:52:15 UTC
This is strange. I am not able to reproduce it. I am trying to use a KDE Live USB to see what the label is for /var/tmp/kdecache-root on an F16 KDE system. But I am not able to trigger the creation of this cache.

Comment 16 Daniel Walsh 2012-08-01 19:22:31 UTC
I would bet it is firstboot_tmp_t.

Comment 17 Michael B. 2012-08-02 04:24:27 UTC
I never noticed this in Fedora 16, but with Fedora 17, SELinux is going off all of the time and I'd be happy to help do whatever I can to help end this annoyance. Is there any kind of debugging that a skilled non-programmer like myself can do to help fix this?

Comment 18 Miroslav Grepl 2012-08-02 12:12:14 UTC
Fixed in selinux-policy-3.10.0-142.fc17.noarch

Comment 19 Miroslav Grepl 2012-08-02 12:12:38 UTC
(In reply to comment #18)
> Fixed in selinux-policy-3.10.0-142.fc17.noarch

