Bug 838704 - /usr/bin/systemd-tmpfiles search access on the directory ksplashx.
Summary: /usr/bin/systemd-tmpfiles search access on the directory ksplashx.
Keywords:
Status: CLOSED DUPLICATE of bug 836262
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-07-09 20:43 UTC by Michael S. Tsirkin
Modified: 2012-07-10 07:19 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-07-10 07:19:15 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Michael S. Tsirkin 2012-07-09 20:43:51 UTC 
Description of problem:
after using kde for several days I got this error.
Did not see it earlier

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-134.fc17.noarch

How reproducible:
no

Steps to Reproduce:
I got an error on setroubleshoot
  
Actual results:

SELinux is preventing /usr/bin/systemd-tmpfiles from search access on the directory ksplashx.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow systemd-tmpfiles to have search access on the ksplashx directory
Then you need to change the label on ksplashx
Do
# semanage fcontext -a -t FILE_TYPE 'ksplashx'
where FILE_TYPE is one of the following: security_t, rpm_var_cache_t, faillog_t, systemd_tmpfiles_t, var_spool_t, httpd_cache_t, proc_net_t, var_log_t, var_lib_t, var_run_t, textrel_shlib_t, user_home_type, init_var_run_t, rpm_script_tmp_t, rpm_var_lib_t, file_type, winbind_var_run_t, security_t, httpd_sys_rw_content_t, file_context_t, etc_t, cert_t, default_t, home_root_t, rpm_log_t, var_t, var_log_t, var_run_t, sssd_public_t, abrt_var_run_t, selinux_config_t, likewise_var_lib_t, user_home_dir_t, default_context_t, sysctl_crypto_t, filesystem_type, device_t, locale_t, var_auth_t, var_lock_t, krb5_conf_t, etc_t, file_t, proc_t, man_t, sysfs_t, tmpfs_t, root_t, tmp_t, config_home_t, usr_t, var_t, cpu_online_t, lockfile, setrans_var_run_t, pidfile, tmpfile, var_lib_t, var_run_t, device_t, samba_var_t, sysctl_t, etc_t, abrt_t, bin_t, samba_etc_t, proc_t, avahi_var_run_t, lib_t, mnt_t, sysfs_t, nscd_var_run_t, nslcd_var_run_t, root_t, smbd_var_run_t, sssd_var_lib_t, tmp_t, usr_t, var_t, lost_found_t, net_conf_t, sandbox_file_t, cpu_online_t, krb5_host_rcache_t, var_t, var_t, var_run_t, var_run_t, nscd_var_run_t, pcscd_var_run_t. 
Then execute: 
restorecon -v 'ksplashx'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that systemd-tmpfiles should be allowed search access on the ksplashx directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_tmpfiles_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                ksplashx [ dir ]
Source                        systemd-tmpfile
Source Path                   /usr/bin/systemd-tmpfiles
Port                          <Unknown>
Host                          robin.redhat.com
Source RPM Packages           systemd-44-17.fc17.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-134.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     robin.redhat.com
Platform                      Linux robin.redhat.com 3.5.0-rc4-mst #192 SMP Mon
                              Jun 25 14:49:29 IDT 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 09 Jul 2012 02:59:38 PM IDT
Last Seen                     Mon 09 Jul 2012 02:59:38 PM IDT
Local ID                      137437db-1db7-42ea-8615-1fe571a26cea

Raw Audit Messages
type=AVC msg=audit(1341835178.140:1424): avc:  denied  { search } for  pid=31705 comm="systemd-tmpfile" name="ksplashx" dev="sda6" ino=262359 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir


type=AVC msg=audit(1341835178.140:1424): avc:  denied  { getattr } for  pid=31705 comm="systemd-tmpfile" path="/var/tmp/kdecache-root/ksplashx/BeefyMiracle-1920x1080-beefy-miracle.png" dev="sda6" ino=262360 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file


type=SYSCALL msg=audit(1341835178.140:1424): arch=i386 syscall=fanotify_init success=yes exit=0 a0=6 a1=8c3f1e3 a2=ff8c6380 a3=100 items=0 ppid=1 pid=31705 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tmpfile exe=/usr/bin/systemd-tmpfiles subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)

Hash: systemd-tmpfile,systemd_tmpfiles_t,unlabeled_t,dir,search

audit2allow

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t unlabeled_t:dir search;
allow systemd_tmpfiles_t unlabeled_t:file getattr;

audit2allow -R

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t unlabeled_t:dir search;
allow systemd_tmpfiles_t unlabeled_t:file getattr;


Expected results:
should not get an error

Additional info:
Comment 1 Miroslav Grepl 2012-07-10 07:19:15 UTC 

*** This bug has been marked as a duplicate of bug 836262 ***
Note You need to log in before you can comment on or make changes to this bug.