Bug 846972 - /tmp, crypttab and selinux fun!
/tmp, crypttab and selinux fun!
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
19
x86_64 Linux
unspecified Severity high
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-09 06:45 EDT by Gabriel VLASIU
Modified: 2015-02-17 09:23 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-02-17 09:23:56 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
avc.txt (9.67 KB, text/plain)
2012-08-14 12:10 EDT, Gabriel VLASIU
no flags Details

  None (edit)
Description Gabriel VLASIU 2012-08-09 06:45:38 EDT
Description of problem:

If selinux is in enforced mode partitions set as "tmp" in crypttab are not quite usable.

# man crypttab
...
       tmp    The encrypted block device will be prepared for using it as tmp partition: it will be formatted  using mke2fs  and  its  root directory will be set to mode 01777.  The warning about the swap option applies here as well.
....

# cat /etc/crypttab | grep tmp
tmp-sda5        /dev/disk/by-id/ata-VBOX_HARDDISK_VBa4ae82e4-ba72e473-part5     /dev/urandom    tmp,cipher=aes-cbc-essiv:sha256,size=256,hash=ripemd160

# cat /etc/fstab | grep /tmp | grep mapper
/dev/mapper/tmp-sda5                      /tmp                    ext4    defaults,nosuid,nodev,noexec  0 0

# mount | grep mapper | grep /tmp
/dev/mapper/tmp-sda5 on /tmp type ext4 (rw,nosuid,nodev,noexec,relatime,seclabel)


1) selinux in permissive mode:

# grep ^SELINUX= /etc/selinux/config 
SELINUX=permissive

# ls -ld /tmp
drwxrwxrwt. 10 root root  4096 Aug  9 13:23 tmp



2) selinux in enforcing mode:

# grep ^SELINUX= /etc/selinux/config 
SELINUX=enforcing

# ls -ld /tmp
drwxr-xr-x.  4 root root  4096 Aug  9 13:29 tmp

Version-Release number of selected component (if applicable):
 
Actual results:
/tmp is mounted. Only root is able to create/modify/erase files/directories.

Expected results:
/tmp should be mounted 01777. All users should be able to create/modify/erase files/directories.

Additional info:
# uname -r
3.5.0-2.fc17.x86_64

# rpm -qa | grep ^selinux
selinux-policy-targeted-3.10.0-142.fc17.noarch
selinux-policy-3.10.0-142.fc17.noarch

Fedora 17 has all updates installed (as 2012.08.09).
Comment 1 Daniel Walsh 2012-08-13 15:56:13 EDT
ls -dZ /tmp
Comment 2 Gabriel VLASIU 2012-08-14 02:07:19 EDT
# yum update
....

# uname -r
3.5.1-1.fc17.x86_64

# rpm -qa | grep ^selinux
selinux-policy-targeted-3.10.0-145.fc17.noarch
selinux-policy-3.10.0-145.fc17.noarch

1) selinux in permissive mode:
# ls -dZ /tmp
drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /tmp

2) selinux in enforcing mode:
# ls -dZ /tmp
drwxr-xr-x. root root system_u:object_r:file_t:s0      /tmp
Comment 3 Daniel Walsh 2012-08-14 10:54:46 EDT
I take it these are boots.  Are you seeing any AVC messages?

ausearch -m avc
Comment 4 Gabriel VLASIU 2012-08-14 12:09:28 EDT
Not really. See avc.txt file.
Comment 5 Gabriel VLASIU 2012-08-14 12:10:07 EDT
Created attachment 604351 [details]
avc.txt
Comment 6 Gabriel VLASIU 2012-08-14 12:11:37 EDT
Should I remove dontaudits from policy?
Comment 7 Daniel Walsh 2012-08-14 15:03:46 EDT
No the problem is the /tmp gets created without labels.
Comment 8 Miroslav Grepl 2012-12-04 10:43:45 EST
Gabriel,
are you still getting this one?
Comment 9 Gabriel VLASIU 2012-12-04 12:11:21 EST
# getenforce 
Enforcing

# uname -r
3.6.8-2.fc17.x86_64

# rpm -qa | grep ^selinux
selinux-policy-3.10.0-161.fc17.noarch
selinux-policy-targeted-3.10.0-161.fc17.noarch

# ls -ld /tmp
drwxr-xr-x. 5 root root 4096 Dec  4 19:08 /tmp

So, unfortunately, yes.
Comment 11 Fedora End Of Life 2013-07-03 20:50:50 EDT
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter:  Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 17 is end of life. If you 
would still like  to see this bug fixed and are able to reproduce it 
against a later version  of Fedora, you are encouraged  change the 
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 12 Fedora End Of Life 2013-12-21 03:40:33 EST
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 13 Fedora End Of Life 2015-01-09 12:18:33 EST
This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 14 Fedora End Of Life 2015-02-17 09:23:56 EST
Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.