Additional info:
libreport version: 2.0.13
kernel: 3.5.3-1.fc17.i686.PAE

Created attachment 609496
File: type

Created attachment 609497
File: hashmarkername
Oh, attachment seems no good...

SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the directory /root.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that tmpwatch should be allowed read access on the root directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep tmpwatch /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                /root [ dir ]
Source                        tmpwatch
Source Path                   /usr/sbin/tmpwatch
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           tmpwatch-2.10.3-2.fc17.i686
Target RPM Packages           filesystem-3-2.fc17.i686
Policy RPM                    selinux-policy-3.10.0-146.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.5.3-1.fc17.i686.PAE #1 SMP Wed Aug 29 19:04:57 UTC 2012 i686 i686
Alert Count                   20
First Seen                    2012-09-04 04:02:01 JST
Last Seen                     2012-09-04 04:02:50 JST
Local ID                      ceaab0d9-c25f-4946-a1b1-d3418a4e35f2

Raw Audit Messages
type=AVC msg=audit(1346698970.206:495): avc: denied { read } for pid=27740 comm="tmpwatch" name="root" dev="dm-0" ino=131074 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

type=SYSCALL msg=audit(1346698970.206:495): arch=i386 syscall=open success=no exit=EACCES a0=804c467 a1=8000 a2=0 a3=bff3e184 items=0 ppid=27717 pid=27740 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=38 comm=tmpwatch exe=/usr/sbin/tmpwatch subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)

Hash: tmpwatch,tmpreaper_t,admin_home_t,dir,read

audit2allow

#============= tmpreaper_t ==============
allow tmpreaper_t admin_home_t:dir read;

audit2allow -R

#============= tmpreaper_t ==============
allow tmpreaper_t admin_home_t:dir read;
# LANG=C df -k
Filesystem               1K-blocks     Used Available Use% Mounted on
rootfs                    22190620  4609328  16454076  22% /
devtmpfs                    764764        0    764764   0% /dev
tmpfs                       773364      240    773124   1% /dev/shm
tmpfs                       773364     2248    771116   1% /run
/dev/mapper/vg00-lv01     22190620  4609328  16454076  22% /
tmpfs                       773364        0    773364   0% /sys/fs/cgroup
tmpfs                       773364        0    773364   0% /media
/dev/sda1                   715584    54588    624644   9% /boot
/dev/sda2                  1511856    35472   1399584   3% /tmp
/dev/mapper/vg00-lv03     94857052   411324  89627196   1% /home
I have not noticed this before but it seems that this AVC is reproducible on other machine:

From /var/log/messages:
Sep 4 04:02:02 localhost kernel: [324294.275114] type=1400 audit(1346698922.109:73): avc: denied { read } for pid=9327 comm="tmpwatch" name="root" dev="sda2" ino=783362 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
Sep 4 04:04:13 localhost kernel: [324425.749280] type=1400 audit(1346699053.584:74): avc: denied { read } for pid=9464 comm="tmpwatch" name="root" dev="sda2" ino=783362 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
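As an added example (not part of this bug report, and not the audit2allow tool itself): a small Python parser that reads AVC records in both formats shown in this thread, the raw audit.log form and the kernel-prefixed /var/log/messages form, extracts source type, target type, class and permissions, and aggregates them into the same allow rule audit2allow prints above. Running it over a full log before building a local policy module confirms that every denial really is the single tmpreaper_t / admin_home_t:dir read case and nothing broader is being allowed; the names SAMPLE_LOG, parse_avc and allow_rules are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the two denial lines quoted in this bug (audit.log form and the
# kernel-prefixed /var/log/messages form) plus a SYSCALL record the parser must skip.
SAMPLE_LOG = """\
type=AVC msg=audit(1346698970.206:495): avc:  denied  { read } for  pid=27740 comm="tmpwatch" name="root" dev="dm-0" ino=131074 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
Sep  4 04:02:02 localhost kernel: [324294.275114] type=1400 audit(1346698922.109:73): avc:  denied  { read } for  pid=9327 comm="tmpwatch" name="root" dev="sda2" ino=783362 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1346698970.206:495): arch=i386 syscall=open success=no exit=EACCES
"""

# Matches 'avc:  denied  { read write } for  key=value key="quoted value" ...'
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type:range; the policy rule only needs the type.
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def allow_rules(log_text):
    """Aggregate denials into allow rules in the form audit2allow prints them."""
    wanted = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            wanted[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(wanted.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:            # several permissions use audit2allow's brace syntax
            perm_str = '{ %s }' % perm_str
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, perm_str))
    return rules
```

Any rule in the output other than the expected tmpreaper_t line means the audit log contains unrelated denials that a blanket `grep tmpwatch | audit2allow -M` would silently fold into the same module.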
(In reply to comment #5)
> I have not noticed this before but it seems that this AVC is reproducible on
> other machine:
>
> From /var/log/messages:
> Sep 4 04:02:02 localhost kernel: [324294.275114] type=1400 audit(1346698922.109:73): avc: denied { read } for pid=9327 comm="tmpwatch" name="root" dev="sda2" ino=783362 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> Sep 4 04:04:13 localhost kernel: [324425.749280] type=1400 audit(1346699053.584:74): avc: denied { read } for pid=9464 comm="tmpwatch" name="root" dev="sda2" ino=783362 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

# LANG=C df -k
Filesystem                       1K-blocks     Used Available Use% Mounted on
rootfs                            20158332 10278684   8855648  54% /
devtmpfs                            764840        4    764836   1% /dev
tmpfs                               773440      312    773128   1% /dev/shm
tmpfs                               773440     2148    771292   1% /run
/dev/sda2                         20158332 10278684   8855648  54% /
tmpfs                               773440        0    773440   0% /sys/fs/cgroup
tmpfs                               773440        0    773440   0% /media
/dev/sda1                           705512    94648    575024  15% /boot
/dev/mapper/VolGroup00-LogVol01    8063408  4215120   3438688  56% /var
/dev/mapper/VolGroup00-LogVol00    8063408   152620   7501188   2% /tmp
/dev/mapper/VolGroup00-LogVol03  225195500 38024072 175732120  18% /home
Could you try to execute in your terminal

# find /tmp -printf "%P %Z\n" | grep admin_home_t
Will try tomorrow.
Miroslav, it is definitely listing the contents of the /root directory.

grep /root /etc/tmpwatch.d

We should probably just allow this.
(In reply to comment #7)
> Could you try to execute in your terminal
>
> # find /tmp -printf "%P %Z\n" | grep admin_home_t

[root@localhost ~]# find /tmp -printf "%P %Z\n" | grep admin_home_t
[root@localhost ~]#
(In reply to comment #10)
> (In reply to comment #7)
> > Could you try to execute in your terminal
> >
> > # find /tmp -printf "%P %Z\n" | grep admin_home_t
>
> [root@localhost ~]# find /tmp -printf "%P %Z\n" | grep admin_home_t
> [root@localhost ~]#

This result (i.e. the command returned nothing) is the same on 2 machines where this issue occurred.
(In reply to comment #9)
> Miroslav it is definitely listing the contents of the /root directory.
>
> grep /root /etc/tmpwatch.d
>
> We should probably just allow this.

Yes, in this case.
selinux-policy-3.10.0-149.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-149.fc17
Package selinux-policy-3.10.0-149.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-149.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14301/selinux-policy-3.10.0-149.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-149.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.