Bug 854078 - SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the directory /root.
Summary: SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the director...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: i686
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:334cde2c7f2267385bfc88bda29...
Depends On:
Blocks:
Reported: 2012-09-04 00:51 UTC by Mamoru TASAKA
Modified: 2012-09-22 00:00 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-09-22 00:00:03 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
File: type (9 bytes, text/plain), 2012-09-04 00:51 UTC, Mamoru TASAKA
File: hashmarkername (14 bytes, text/plain), 2012-09-04 00:51 UTC, Mamoru TASAKA

Description Mamoru TASAKA 2012-09-04 00:51:29 UTC
Additional info:
libreport version: 2.0.13
kernel:         3.5.3-1.fc17.i686.PAE

Comment 1 Mamoru TASAKA 2012-09-04 00:51:31 UTC
Created attachment 609496 [details]
File: type

Comment 2 Mamoru TASAKA 2012-09-04 00:51:33 UTC
Created attachment 609497 [details]
File: hashmarkername

Comment 3 Mamoru TASAKA 2012-09-04 00:54:57 UTC
Oh, attachment seems no good...


SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the directory /root.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that tmpwatch should be allowed read access on the root directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep tmpwatch /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                /root [ dir ]
Source                        tmpwatch
Source Path                   /usr/sbin/tmpwatch
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           tmpwatch-2.10.3-2.fc17.i686
Target RPM Packages           filesystem-3-2.fc17.i686
Policy RPM                    selinux-policy-3.10.0-146.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.5.3-1.fc17.i686.PAE #1 SMP Wed
                              Aug 29 19:04:57 UTC 2012 i686 i686
Alert Count                   20
First Seen                    2012-09-04 04:02:01 JST
Last Seen                     2012-09-04 04:02:50 JST
Local ID                      ceaab0d9-c25f-4946-a1b1-d3418a4e35f2

Raw Audit Messages
type=AVC msg=audit(1346698970.206:495): avc:  denied  { read } for  pid=27740 comm="tmpwatch" name="root" dev="dm-0" ino=131074 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir


type=SYSCALL msg=audit(1346698970.206:495): arch=i386 syscall=open success=no exit=EACCES a0=804c467 a1=8000 a2=0 a3=bff3e184 items=0 ppid=27717 pid=27740 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=38 comm=tmpwatch exe=/usr/sbin/tmpwatch subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)

Hash: tmpwatch,tmpreaper_t,admin_home_t,dir,read

audit2allow

#============= tmpreaper_t ==============
allow tmpreaper_t admin_home_t:dir read;

audit2allow -R

#============= tmpreaper_t ==============
allow tmpreaper_t admin_home_t:dir read;
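
The two raw audit records above share the serial 495 in msg=audit(1346698970.206:495); that serial is what ties the AVC record to the SYSCALL record of the same event, and the tuple it yields (permission, source type, target type, object class) is exactly what audit2allow turns into the allow rule shown. The shell/awk helper below is an added example, not part of this bug report or of the selinux-policy or tmpwatch packages; the function names avc_sample and avc_triage are my own, and the sample input is constructed by copying the two records from this comment so that it runs offline.

```shell
#!/bin/sh
# Added example: correlate SELinux AVC denials with their SYSCALL records.
# Not from the bug report or from selinux-policy; works on raw audit.log text.

# Sample input, constructed by copying the two records quoted in Comment 3.
avc_sample() {
  cat <<'EOF'
type=AVC msg=audit(1346698970.206:495): avc:  denied  { read } for  pid=27740 comm="tmpwatch" name="root" dev="dm-0" ino=131074 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1346698970.206:495): arch=i386 syscall=open success=no exit=EACCES a0=804c467 a1=8000 a2=0 a3=bff3e184 items=0 ppid=27717 pid=27740 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=38 comm=tmpwatch exe=/usr/sbin/tmpwatch subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
EOF
}

# avc_triage [FILE...]: prints one line per denial, in the order seen:
#   <serial> <perm> <source type> <target type> <class> comm=.. exe=.. success=.. exit=..
# AVC and SYSCALL records are joined on the serial in msg=audit(<time>:<serial>).
avc_triage() {
  awk '
    # value of name=value in record s; quotes around the value are stripped
    function field(s, name,   m) {
      if (!match(s, "(^| )" name "=(\"[^\"]*\"|[^ ]*)")) return ""
      m = substr(s, RSTART, RLENGTH)
      sub("^ ?" name "=", "", m)
      gsub(/["]/, "", m)
      return m
    }
    # event serial, e.g. 495 from msg=audit(1346698970.206:495)
    function serial(s,   m) {
      if (!match(s, /msg=audit\([0-9.]+:[0-9]+\)/)) return ""
      m = substr(s, RSTART, RLENGTH)
      sub(/.*:/, "", m); sub(/\)/, "", m)
      return m
    }
    # type component (third field) of a user:role:type:level context
    function tname(ctx,   k, a) { k = split(ctx, a, ":"); return (k >= 3) ? a[3] : ctx }

    /type=AVC/ && /avc: +denied/ {
      id = serial($0)
      # permission set is written as "{ read }"; keep what is inside the braces
      if (match($0, /[{] [^}]* [}]/)) perm[id] = substr($0, RSTART + 2, RLENGTH - 4)
      src[id] = tname(field($0, "scontext"))
      tgt[id] = tname(field($0, "tcontext"))
      cls[id] = field($0, "tclass")
      order[++n] = id
    }
    /type=SYSCALL/ {
      id = serial($0)
      comm[id] = field($0, "comm"); exe[id] = field($0, "exe")
      ok[id] = field($0, "success"); rc[id] = field($0, "exit")
    }
    END {
      for (i = 1; i <= n; i++) {
        id = order[i]
        printf "%s %s %s %s %s comm=%s exe=%s success=%s exit=%s\n",
          id, perm[id], src[id], tgt[id], cls[id], comm[id], exe[id], ok[id], rc[id]
      }
    }' "$@"
}

# Usage: avc_sample | avc_triage
```

Run `avc_sample | avc_triage` for the sample; on a live system feed it `/var/log/audit/audit.log` or the output of `ausearch -m AVC -r` instead. The line it prints for the sample, `495 read tmpreaper_t admin_home_t dir ...`, is the same source/target/class/permission tuple as the `allow tmpreaper_t admin_home_t:dir read;` rule above, and `read` on `tclass=dir` is a directory listing, so the triage question is whether tmpwatch is supposed to be listing /root at all rather than whether the rule is syntactically right.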

Comment 4 Mamoru TASAKA 2012-09-04 00:56:59 UTC
# LANG=C df -k
Filesystem            1K-blocks    Used Available Use% Mounted on
rootfs                 22190620 4609328  16454076  22% /
devtmpfs                 764764       0    764764   0% /dev
tmpfs                    773364     240    773124   1% /dev/shm
tmpfs                    773364    2248    771116   1% /run
/dev/mapper/vg00-lv01  22190620 4609328  16454076  22% /
tmpfs                    773364       0    773364   0% /sys/fs/cgroup
tmpfs                    773364       0    773364   0% /media
/dev/sda1                715584   54588    624644   9% /boot
/dev/sda2               1511856   35472   1399584   3% /tmp
/dev/mapper/vg00-lv03  94857052  411324  89627196   1% /home

Comment 5 Mamoru TASAKA 2012-09-04 01:58:39 UTC
I have not noticed this before but it seems that this AVC is reproducible on other machine:

From /var/log/messages:
Sep  4 04:02:02 localhost kernel: [324294.275114] type=1400 audit(1346698922.109:73): avc:  denied  { read } for  pid=9327 comm="tmpwatch" name="root" dev="sda2" ino=783362 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
Sep  4 04:04:13 localhost kernel: [324425.749280] type=1400 audit(1346699053.584:74): avc:  denied  { read } for  pid=9464 comm="tmpwatch" name="root" dev="sda2" ino=783362 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

Comment 6 Mamoru TASAKA 2012-09-04 02:14:48 UTC
(In reply to comment #5)
> I have not noticed this before but it seems that this AVC is reproducible on
> other machine:
> 
> From /var/log/messages:
> Sep  4 04:02:02 localhost kernel: [324294.275114] type=1400
> audit(1346698922.109:73): avc:  denied  { read } for  pid=9327
> comm="tmpwatch" name="root" dev="sda2" ino=783362
> scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> Sep  4 04:04:13 localhost kernel: [324425.749280] type=1400
> audit(1346699053.584:74): avc:  denied  { read } for  pid=9464
> comm="tmpwatch" name="root" dev="sda2" ino=783362
> scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

# LANG=C df -k
Filesystem                      1K-blocks      Used Available Use% Mounted on
rootfs                           20158332  10278684   8855648  54% /
devtmpfs                           764840         4    764836   1% /dev
tmpfs                              773440       312    773128   1% /dev/shm
tmpfs                              773440      2148    771292   1% /run
/dev/sda2                        20158332  10278684   8855648  54% /
tmpfs                              773440         0    773440   0% /sys/fs/cgroup
tmpfs                              773440         0    773440   0% /media
/dev/sda1                          705512     94648    575024  15% /boot
/dev/mapper/VolGroup00-LogVol01   8063408   4215120   3438688  56% /var
/dev/mapper/VolGroup00-LogVol00   8063408    152620   7501188   2% /tmp
/dev/mapper/VolGroup00-LogVol03 225195500  38024072 175732120  18% /home

Comment 7 Miroslav Grepl 2012-09-04 09:03:16 UTC
Could you try to execute in your terminal

# find /tmp -printf "%P %Z\n" | grep admin_home_t

Comment 8 Mamoru TASAKA 2012-09-04 10:56:24 UTC
Will try tomorrow.

Comment 9 Daniel Walsh 2012-09-04 20:19:05 UTC
Miroslav it is definitely listing the contents of the /root directory.

grep /root /etc/tmpwatch.d

We should probably just allow this.

Comment 10 Mamoru TASAKA 2012-09-05 00:13:58 UTC
(In reply to comment #7)
> Could you try to execute in your terminal
> 
> # find /tmp -printf "%P %Z\n" | grep admin_home_t

[root@localhost ~]# find /tmp -printf "%P %Z\n" | grep admin_home_t
[root@localhost ~]#

Comment 11 Mamoru TASAKA 2012-09-05 00:17:52 UTC
(In reply to comment #10)
> (In reply to comment #7)
> > Could you try to execute in your terminal
> > 
> > # find /tmp -printf "%P %Z\n" | grep admin_home_t
> 
> [root@localhost ~]# find /tmp -printf "%P %Z\n" | grep admin_home_t
> [root@localhost ~]#

This result (i.e. the command returned nothing) is the same on
2 machines where this issue occurred.

Comment 12 Miroslav Grepl 2012-09-05 04:33:09 UTC
(In reply to comment #9)
> Miroslav it is definitely listing the contents of the /root directory.
> 
> grep /root /etc/tmpwatch.d
> 
> We should probably just allow this.

Yes, in this case.

Comment 13 Fedora Update System 2012-09-17 12:14:23 UTC
selinux-policy-3.10.0-149.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-149.fc17

Comment 14 Fedora Update System 2012-09-19 02:55:58 UTC
Package selinux-policy-3.10.0-149.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-149.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14301/selinux-policy-3.10.0-149.fc17
then log in and leave karma (feedback).

Comment 15 Fedora Update System 2012-09-22 00:00:03 UTC
selinux-policy-3.10.0-149.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

