Linux – SELinux denied access

fedoraselinux

I keep receiving this message from SELinux in a bug report. I am running Fedora 13 and I am learning as I go. What might be causing this?

Summary:

SELinux is preventing /usr/sbin/semodule access to a leaked /tmp/tmpGTbWYh file
descriptor.

Detailed Description:

[semodule has a permissive type (semanage_t). This access was not denied.]

SELinux denied access requested by the semodule command. It looks like this is
either a leaked descriptor or semodule output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the  leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the /tmp/tmpGTbWYh. You should generate a bugzilla on selinux-policy, and it
will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:semanage_t:s0-s0:c0.c1023
Target Context                system_u:object_r:initrc_tmp_t:s0
Target Objects                /tmp/tmpGTbWYh [ file ]
Source                        semodule
Source Path                   /usr/sbin/semodule
Port                          <Unknown>
Source RPM Packages           policycoreutils-2.0.83-28.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-62.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks

Best Answer

This probably happened after an update of the system, and as temporary file are usually not needed after a reboot, I'd try to delete the file.

fuser /tmp/tmpGTbWYh

With this command you see if the file is used by any process and will give you one or more numbers (Process ID, PID).

No numbers it means the process is not used and you can delete safely the file

rm /tmp/tmpGTbWYh

Do the above with a user that have the rights to do it (your user? root?), you can check this with an ls

ls -l /tmp/tmpGTbWYh

If the file is used by any process you can do a ps and filter by each PID you found with the execution of the fuser

ps -ef | grep $PID

You must substitute $PID with numbers found above (with fuser).

At this point you should decide if you can, identify the aplication is using the file and close it if you can, or kill the process (kill $PID), or delete the file anyway (it maybe be risky).

If you have troubles to decide let us know.

Related Solutions

Linux – SELinux httpd write access to a directory

Here's how to permanently change the context of a directory:

# install semanage if you don't already have it. It'll be one of:
yum install policycoreutils-python
dnf install policycoreutils-python-utils

# give the directory a new default context. The part at the end is a regex.
semanage fcontext -a -t httpd_sys_rw_content_t "/path/to/directory(/.*)?"

# apply the default context to the directory
restorecon -R /path/to/directory

Here's some more documentation on the different contexts for httpd:

RHEL 8: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/configuring-selinux-for-applications-and-services-with-non-standard-configurations_using-selinux#customizing-the-selinux-policy-for-the-apache-http-server-in-a-non-standard-configuration_configuring-selinux-for-applications-and-services-with-non-standard-configurations

RHEL 7: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Managing_Confined_Services-The_Apache_HTTP_Server-Types.html

RHEL 6: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/sect-Managing_Confined_Services-The_Apache_HTTP_Server-Types.html

Linux – How to transition into another domain when invoking sudo

You can specify a transition in a custom policy file (.te) like this:

module collectdlocalexec 1.0;

require {
        type collectd_t;
        type user_home_t;
        type unconfined_t;
        type shell_exec_t;
        class capability {setgid setuid };
        class file { execute read open };
        class process transition;
}

allow collectd_t self:capability { setgid setuid };
allow collectd_t user_home_t:file { execute read open };
allow collectd_t shell_exec_t:file execute;
allow collectd_t unconfined_t:process transition;

type_transition collectd_t user_home_t:process unconfined_t;

Assuming that the collection script is located under a user's home directory (and that is labeled with user_home_t).

Best Answer

Related Solutions

Linux – SELinux httpd write access to a directory

Linux – How to transition into another domain when invoking sudo

Related Question