I have SELinux on and occasionally I get an alert saying that it blocked an attempt to delete a temp file generated by SSH. I can only imagine this was initiated by the tmp watch script, but I am not positive on the matter.
I will post the specific error in a few minutes; I need to switch to Linux.
Ok so maybe it is not a specific tmp watch error it appears to have something to do with the firewall.
Code:
Summary
SELinux is preventing the /sbin/ifconfig from using potentially mislabeled
files (/tmp/sh-thd-1197833845 (deleted)).
Detailed Description
SELinux has denied /sbin/ifconfig access to potentially mislabeled file(s)
(/tmp/sh-thd-1197833845 (deleted)). This means that SELinux will not allow
/sbin/ifconfig to use these files. It is common for users to edit files in
their home directory or tmp directories and then move (mv) them to system
directories. The problem is that the files end up with the wrong file
context which confined applications are not allowed to access.
Allowing Access
If you want /sbin/ifconfig to access this files, you need to relabel them
using restorecon -v /tmp/sh-thd-1197833845 (deleted). You might want to
relabel the entire directory using restorecon -R -v /tmp.
Additional Information
Source Context system_u:system_r:ifconfig_t:s0
Target Context system_u:object_r:rpm_script_tmp_t:s0
Target Objects /tmp/sh-thd-1197833845 (deleted) [ file ]
Affected RPM Packages net-tools-1.60-84.fc8 [application]
Policy RPM selinux-policy-3.0.8-64.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.home_tmp_bad_labels
Host Name f8desktop
Platform Linux f8desktop 2.6.23.8-63.fc8 #1 SMP Wed Nov 21
18:51:08 EST 2007 i686 i686
Alert Count 2
First Seen Sun 16 Dec 2007 12:46:30 PM EST
Last Seen Sun 16 Dec 2007 12:46:30 PM EST
Local ID b43ff6aa-d40a-4bb7-8804-06470b99edf4
Line Numbers
Raw Audit Messages
avc: denied { read } for comm=ifconfig dev=dm-0 egid=0 euid=0 exe=/sbin/ifconfig
exit=0 fsgid=0 fsuid=0 gid=0 items=0
path=2F746D702F73682D7468642D31313937383333383435202864656C6574656429 pid=19398
scontext=system_u:system_r:ifconfig_t:s0 sgid=0
subj=system_u:system_r:ifconfig_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0
Now I have tried to remedy this by the recommended steps and I even went as far as to relabel the entire drive. What I found is that it only seems to fix it for a few days, then this happens again.
Open Office seems to take advantage of some memory thing as well. I had to edit the policy per the instructions in the following error to prevent the error from happening; it would happen every time I loaded it.
Code:
Summary
SELinux is preventing /usr/lib/openoffice.org/program/swriter.bin from
changing the access protection of memory on the heap.
Detailed Description
The /usr/lib/openoffice.org/program/swriter.bin application attempted to
change the access protection of memory on the heap (e.g., allocated using
malloc). This is a potential security problem. Applications should not be
doing this. Applications are sometimes coded incorrectly and request this
permission. The http://people.redhat.com/drepper/selinux-mem.html web page
explains how to remove this requirement. If
/usr/lib/openoffice.org/program/swriter.bin does not work and you need it to
work, you can configure SELinux temporarily to allow this access until the
application is fixed. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Allowing Access
If you want /usr/lib/openoffice.org/program/swriter.bin to continue, you
must turn on the allow_execheap boolean. Note: This boolean will affect all
applications on the system.
The following command will allow this access:
setsebool -P allow_execheap=1
Additional Information
Source Context system_u:system_r:unconfined_execmem_t:s0-s0:c0.c1023
Target Context system_u:system_r:unconfined_execmem_t:s0-s0:c0.c1023
Target Objects None [ process ]
Affected RPM Packages openoffice.org-writer-2.3.0-6.7.fc8 [application]
Policy RPM selinux-policy-3.0.8-64.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.allow_execheap
Host Name f8desktop
Platform Linux f8desktop 2.6.23.8-63.fc8 #1 SMP Wed Nov 21
18:51:08 EST 2007 i686 i686
Alert Count 2
First Seen Thu 06 Dec 2007 04:51:14 PM EST
Last Seen Tue 18 Dec 2007 06:51:30 PM EST
Local ID f76cbdfd-9350-4490-a5e1-fb8011e339e1
Line Numbers
Raw Audit Messages
avc: denied { execheap } for comm=swriter.bin egid=500 euid=500
exe=/usr/lib/openoffice.org/program/swriter.bin exit=-13 fsgid=500 fsuid=500
gid=500 items=0 pid=828
scontext=system_u:system_r:unconfined_execmem_t:s0-s0:c0.c1023 sgid=500
subj=system_u:system_r:unconfined_execmem_t:s0-s0:c0.c1023 suid=500
tclass=process tcontext=system_u:system_r:unconfined_execmem_t:s0-s0:c0.c1023
tty=(none) uid=500
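
The `path=` value in the first raw audit message is hex-encoded, which hides the file name when reading the record directly. The following is an added example, not part of the original post: a small Python parser that decodes that field and pulls out the source type, target type, class and permissions from an AVC record. The function names are hypothetical and the record is the one quoted above with its wrapped lines joined.

```python
import re

# Raw AVC record from the first alert above, with the wrapped lines joined.
AVC_IFCONFIG = (
    "avc: denied { read } for comm=ifconfig dev=dm-0 egid=0 euid=0 "
    "exe=/sbin/ifconfig exit=0 fsgid=0 fsuid=0 gid=0 items=0 "
    "path=2F746D702F73682D7468642D31313937383333383435202864656C6574656429 "
    "pid=19398 scontext=system_u:system_r:ifconfig_t:s0 sgid=0 "
    "subj=system_u:system_r:ifconfig_t:s0 suid=0 tclass=file "
    "tcontext=system_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0"
)

# The audit subsystem writes a path as upper-case hex when it contains a
# space or other character it will not log verbatim ("... (deleted)" does).
HEX_VALUE = re.compile(r"(?:[0-9A-F]{2})+")

def decode_path(value):
    """Return a readable path from an audit path= value (hex or quoted)."""
    if value is None:
        return None
    if HEX_VALUE.fullmatch(value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value.strip('"')

def selinux_type(context):
    """Extract the type from user:role:type:level (level may contain ':')."""
    return context.split(":", 3)[2]

def parse_avc(record):
    """Summarise one AVC record: who was denied what, on which object."""
    head = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}", record)
    if head is None:
        raise ValueError("not an AVC record")
    fields = dict(re.findall(r"(\w+)=(\S+)", record))
    return {
        "result": head.group(1),
        "permissions": head.group(2).split(),
        "comm": fields.get("comm", "").strip('"'),
        "source_type": selinux_type(fields["scontext"]),
        "target_type": selinux_type(fields["tcontext"]),
        "tclass": fields.get("tclass"),
        "path": decode_path(fields.get("path")),
    }

if __name__ == "__main__":
    print(parse_avc(AVC_IFCONFIG))
```

The decoded path matches the target object named in the alert, and the summary shows that the denial is `ifconfig_t` reading a file labeled `rpm_script_tmp_t`.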