Bug 840494 - SELinux is preventing /usr/sbin/tmpwatch from 'setattr' accesses on the directory source.
SELinux is preventing /usr/sbin/tmpwatch from 'setattr' accesses on the direc...
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2012-07-16 09:50 EDT by JAlberto
Modified: 2012-07-16 13:08 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-07-16 13:08:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description JAlberto 2012-07-16 09:50:05 EDT
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.4.4-5.fc17.x86_64
time:           lun 16 jul 2012 15:49:48 CEST

:SELinux is preventing /usr/sbin/tmpwatch from 'setattr' accesses on the directory source.
:*****  Plugin catchall (100. confidence) suggests  ***************************
:If cree que de manera predeterminada, tmpwatch debería permitir acceso setattr sobre  source directory.     
:Then debería reportar esto como un error.
:Puede generar un módulo de política local para permitir este acceso.
:permita el acceso momentáneamente executando:
:# grep tmpwatch /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:Additional Information:
:Source Context                system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
:Target Context                unconfined_u:object_r:lib_t:s0
:Target Objects                source [ dir ]
:Source                        tmpwatch
:Source Path                   /usr/sbin/tmpwatch
:Port                          <Desconocido>
:Host                          (removed)
:Source RPM Packages           tmpwatch-2.10.3-2.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-134.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.4.4-5.fc17.x86_64 #1 SMP
:                              Thu Jul 5 20:20:59 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    lun 16 jul 2012 13:18:09 CEST
:Last Seen                     lun 16 jul 2012 13:18:09 CEST
:Local ID                      e21f8f35-d3e6-40f5-9649-36bcad3b17bb
:Raw Audit Messages
:type=AVC msg=audit(1342437489.903:61): avc:  denied  { setattr } for  pid=5625 comm="tmpwatch" name="source" dev="dm-0" ino=683896 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:lib_t:s0 tclass=dir
:type=SYSCALL msg=audit(1342437489.903:61): arch=x86_64 syscall=utime success=no exit=EACCES a0=404a07 a1=7fffda1c4f70 a2=3342bb0f98 a3=3342bb0778 items=0 ppid=5623 pid=5625 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm=tmpwatch exe=/usr/sbin/tmpwatch subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
:Hash: tmpwatch,tmpreaper_t,lib_t,dir,setattr
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
Comment 1 Daniel Walsh 2012-07-16 13:07:19 EDT
Do you have a lib_t directory out on /tmp?  If so remove it and the avc will stop happening.

 find /tmp -context "*:lib_t:*"
Comment 2 Daniel Walsh 2012-07-16 13:08:17 EDT
Most likely you mv'd a file/directory to /tmp and now tmpwatch wants to delete it, but SELinux does not allow tmpwatch and friends to just delete any file on the system.

Note You need to log in before you can comment on or make changes to this bug.