Bug 840494 - SELinux is preventing /usr/sbin/tmpwatch from 'setattr' accesses on the directory source.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:e75bc39f78cceadd7e66de77420...
Depends On:
Blocks:
Reported: 2012-07-16 13:50 UTC by JAlberto
Modified: 2012-07-16 17:08 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-07-16 17:08:17 UTC
Type: ---
Embargoed:



Description JAlberto 2012-07-16 13:50:05 UTC
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.4.4-5.fc17.x86_64
time:           lun 16 jul 2012 15:49:48 CEST

description:
:SELinux is preventing /usr/sbin/tmpwatch from 'setattr' accesses on the directory source.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that tmpwatch should be allowed setattr access on the source directory by default,
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep tmpwatch /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
:Target Context                unconfined_u:object_r:lib_t:s0
:Target Objects                source [ dir ]
:Source                        tmpwatch
:Source Path                   /usr/sbin/tmpwatch
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           tmpwatch-2.10.3-2.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-134.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.4.4-5.fc17.x86_64 #1 SMP
:                              Thu Jul 5 20:20:59 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    lun 16 jul 2012 13:18:09 CEST
:Last Seen                     lun 16 jul 2012 13:18:09 CEST
:Local ID                      e21f8f35-d3e6-40f5-9649-36bcad3b17bb
:
:Raw Audit Messages
:type=AVC msg=audit(1342437489.903:61): avc:  denied  { setattr } for  pid=5625 comm="tmpwatch" name="source" dev="dm-0" ino=683896 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:lib_t:s0 tclass=dir
:
:
:type=SYSCALL msg=audit(1342437489.903:61): arch=x86_64 syscall=utime success=no exit=EACCES a0=404a07 a1=7fffda1c4f70 a2=3342bb0f98 a3=3342bb0778 items=0 ppid=5623 pid=5625 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm=tmpwatch exe=/usr/sbin/tmpwatch subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
:
:Hash: tmpwatch,tmpreaper_t,lib_t,dir,setattr
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:

Comment 1 Daniel Walsh 2012-07-16 17:07:19 UTC
Do you have a lib_t directory out on /tmp?  If so, remove it and the avc will stop happening.

 find /tmp -context "*:lib_t:*"

Comment 2 Daniel Walsh 2012-07-16 17:08:17 UTC
Most likely you mv'd a file/directory to /tmp and now tmpwatch wants to delete it, but SELinux does not allow tmpwatch and friends to just delete any file on the system.
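Added example, not from the bug report or from setroubleshoot: a small Python 3 script that parses the AVC record quoted above, shows the type-based allow rule the suggested audit2allow step would produce (and why that is broader than the one stray directory), and flags entries under /tmp whose label is not a tmp type, which is what the find command in Comment 1 is looking for. The /tmp listing is constructed, and the expected types tmp_t and user_tmp_t are an assumption.

```python
import re
# Constructed sample: the AVC record quoted in the report above, on one line.
AVC_LINE = (
    'type=AVC msg=audit(1342437489.903:61): avc:  denied  { setattr } for  pid=5625 '
    'comm="tmpwatch" name="source" dev="dm-0" ino=683896 '
    'scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:lib_t:s0 tclass=dir'
)
# Constructed `ls -Z`-style listing of /tmp, standing in for what the
# `find /tmp -context` check from Comment 1 would turn up.
TMP_LISTING = """\
unconfined_u:object_r:user_tmp_t:s0 /tmp/build.log
unconfined_u:object_r:lib_t:s0 /tmp/source
system_u:object_r:tmp_t:s0 /tmp/systemd-private-x
"""
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC denial into permissions, source/target types and class."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial record')
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    # A context is user:role:type[:mls]; TE rules are keyed on the type only.
    return {'perms': m.group(1).split(), 'comm': fields.get('comm'),
            'stype': fields['scontext'].split(':')[2],
            'ttype': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass']}

def allow_rule(rec):
    """The TE rule audit2allow derives from this denial. Being type-based, it
    would let tmpreaper_t setattr *every* lib_t directory, not just the stray one."""
    p = rec['perms']
    perm_str = p[0] if len(p) == 1 else '{ %s }' % ' '.join(p)
    return 'allow %s %s:%s %s;' % (rec['stype'], rec['ttype'], rec['tclass'], perm_str)

def foreign_labels(listing, expected=('tmp_t', 'user_tmp_t')):
    """Paths whose type is not one /tmp contents normally carry; `expected`
    is an assumption for this example and may need adjusting to local policy."""
    found = []
    for line in listing.splitlines():
        ctx, path = line.split(None, 1)
        if ctx.split(':')[2] not in expected:
            found.append((path, ctx.split(':')[2]))
    return found

if __name__ == '__main__':
    rec = parse_avc(AVC_LINE)
    print('audit2allow would add:', allow_rule(rec))
    print('mislabeled under /tmp:', foreign_labels(TMP_LISTING))
```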

