Bug 1104076

Summary: SELinux is preventing /usr/sbin/aiccu from 'search' accesses on the directory .
Product: [Fedora] Fedora Reporter: Seb L. <D8F55524>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: dominick.grift, dwalsh, laurent.rineau__fedora, lvrabec, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:c63e40c420a40c9f4bab50d3e5ce970bea55baed609415e3b7d963a79ad96cab
Fixed In Version: selinux-policy-3.12.1-189.fc20 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-16 02:00:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Seb L. 2014-06-03 08:54:56 UTC 
Description of problem:
Bug happens whenever starting aiccu
SELinux is preventing /usr/sbin/aiccu from 'search' accesses on the directory .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that aiccu should be allowed search access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep aiccu /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:aiccu_t:s0
Target Context                system_u:object_r:config_home_t:s0
Target Objects                 [ dir ]
Source                        aiccu
Source Path                   /usr/sbin/aiccu
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           aiccu-2007.01.15-17.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-166.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.14.4-200.fc20.x86_64 #1 SMP Tue
                              May 13 13:51:08 UTC 2014 x86_64 x86_64
Alert Count                   3
First Seen                    2014-06-03 10:50:40 CEST
Last Seen                     2014-06-03 10:52:51 CEST
Local ID                      23d115a9-8931-4f39-afe7-f5a5383e94d3

Raw Audit Messages
type=AVC msg=audit(1401785571.499:126): avc:  denied  { search } for  pid=2614 comm="aiccu" name=".config" dev="dm-0" ino=673652 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:config_home_t:s0 tclass=dir


type=SYSCALL msg=audit(1401785571.499:126): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=1b8e3e0 a2=90800 a3=0 items=0 ppid=1 pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=aiccu exe=/usr/sbin/aiccu subj=system_u:system_r:aiccu_t:s0 key=(null)

Hash: aiccu,aiccu_t,config_home_t,dir,search

Additional info:
reporter:       libreport-2.2.2
hashmarkername: setroubleshoot
kernel:         3.14.4-200.fc20.x86_64
type:           libreport
Comment 1 Seb L. 2014-06-25 08:15:30 UTC 
Description of problem:
SELinux alert whenever starting aiccu from command-line:
  service aiccu start

Additional info:
reporter:       libreport-2.2.2
hashmarkername: setroubleshoot
kernel:         3.14.8-200.fc20.x86_64
type:           libreport
Comment 2 Laurent Rineau 2014-09-30 10:19:58 UTC 
Description of problem:
I did:
   sudo semanage permissive -a dnssec_trigger_t
   sudo systemctl restart dnssec-triggerd.service
as requested by bug #1146109.

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.2-201.fc20.x86_64
type:           libreport
Comment 3 Lukas Vrabec 2014-10-07 11:26:51 UTC 
Did anything broken, or you just see selinux alert?
Comment 4 Seb L. 2014-10-07 11:29:40 UTC 
Everything is working OK, but I get this selinux alert (so I guess aiccu does not actually need this search access).
Comment 5 Lukas Vrabec 2014-10-07 11:35:08 UTC 
Agree, thank you for response.
Comment 6 Lukas Vrabec 2014-10-07 11:39:39 UTC 
commit 6fd3230f47d337efdcf2d2a24dfc93a558383c8d
Author: Lukas Vrabec <lvrabec>
Date:   Tue Oct 7 13:38:09 2014 +0200

    Dontaudit aicuu to search home config dir. BZ (#1104076)

https://github.com/selinux-policy/selinux-policy/commit/6fd3230f47d337efdcf2d2a24dfc93a558383c8d
Comment 7 Laurent Rineau 2014-10-07 11:54:38 UTC 
As aiccu uses gnuTLS, it might be that it tries to search and read $HOME/.config/pkcs11/ config file.
Comment 8 Fedora Update System 2014-10-07 13:36:26 UTC 
selinux-policy-3.12.1-189.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-189.fc20
Comment 9 Fedora Update System 2014-10-08 19:02:21 UTC 
Package selinux-policy-3.12.1-189.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-189.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-12350/selinux-policy-3.12.1-189.fc20
then log in and leave karma (feedback).
Comment 10 Fedora Update System 2014-10-16 02:00:52 UTC 
selinux-policy-3.12.1-189.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.