libreport version: 2.0.10 executable: /usr/bin/python2.7 hashmarkername: setroubleshoot kernel: 3.5.2-3.fc17.x86_64 time: Mon 27 Aug 2012 11:21:35 AM CST description: :SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the directory bin. : :***** Plugin catchall (100. confidence) suggests *************************** : :If you believe that tmpwatch should be allowed read access on the bin directory by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep tmpwatch /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 :Target Context system_u:object_r:bin_t:s0 :Target Objects bin [ dir ] :Source tmpwatch :Source Path /usr/sbin/tmpwatch :Port <Unknown> :Host (removed) :Source RPM Packages tmpwatch-2.10.3-2.fc17.x86_64 :Target RPM Packages filesystem-3-2.fc17.x86_64 :Policy RPM selinux-policy-3.10.0-145.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.5.2-3.fc17.x86_64 #1 SMP Tue Aug : 21 19:06:52 UTC 2012 x86_64 x86_64 :Alert Count 5 :First Seen 2012-08-21 03:15:02 CST :Last Seen 2012-08-27 10:39:43 CST :Local ID e8cf70e3-5983-43ca-9059-c560a77398b8 : :Raw Audit Messages :type=AVC msg=audit(1346085583.900:1321): avc: denied { read } for pid=4616 comm="tmpwatch" name="bin" dev="sda3" ino=401483 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir : : :type=SYSCALL msg=audit(1346085583.900:1321): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=404a07 a2=90800 a3=0 items=0 ppid=4614 pid=4616 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm=tmpwatch exe=/usr/sbin/tmpwatch subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null) : :Hash: tmpwatch,tmpreaper_t,bin_t,dir,read : :audit2allow : :#============= tmpreaper_t ============== :allow tmpreaper_t bin_t:dir read; : :audit2allow -R : :#============= tmpreaper_t ============== :allow tmpreaper_t bin_t:dir read; :
Are you getting more AVC msgs if you execute # semanage permissive -a tmpreaper_t and reproduce it.
No regarding the /usr/sbin/tmpwatch. I'm still getting errors regarding /usr/bin/systemd-tmpfile I think it is relateds. Thanks
Did you mv a directory to /tmp that is labeled bin_t? find /tmp -printf "%P %Z\n" | grep bin_t. Then remove it if you do not want it.
Yup a couple, I just removed them. I'll let you know it the alert happens again. Thanks
Ok, please reopen the bug if you see an issue.