Bug 1195559

Summary: radicale selinux problems on /run/radicale/radicale.pid
Product: Fedora
Reporter: John Heidemann <johnh>
Component: radicale
Assignee: Juan Orti <jorti>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 21
CC: jorti, opensource
Hardware: x86_64
OS: Linux
Fixed In Version: radicale-0.10-2.fc20
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-03-05 12:40:08 UTC

Description John Heidemann 2015-02-24 05:01:06 UTC
Description of problem:
radicale gives selinux problems on start


Version-Release number of selected component (if applicable):
0.10-1, grabbed from f22 and rebuilt against f21
(Also seems to happen with stock current 0.9-2)


How reproducible:
every time on restart

Steps to Reproduce:
1. systemctl restart radicale.service
2. see errors in systemctl status -l radicale.service
3.

Actual results:

output of status is:

Feb 23 20:48:13 myserver python[30719]: SELinux is preventing /usr/bin/python2.7 from add_name access on the directory radicale.pid.

    *****  Plugin catchall (100. confidence) suggests   **************************

    If you believe that python2.7 should be allowed add_name access on the radicale.pid directory by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep radicale /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

Feb 23 20:48:13 myserver python[30719]: SELinux is preventing /usr/bin/python2.7 from add_name access on the directory radicale.pid.

    *****  Plugin catchall (100. confidence) suggests   **************************

    If you believe that python2.7 should be allowed add_name access on the radicale.pid directory by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep radicale /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

Feb 23 20:48:13 myserver python[30719]: SELinux is preventing /usr/bin/python2.7 from add_name access on the directory radicale.pid.

    *****  Plugin catchall (100. confidence) suggests   **************************

    If you believe that python2.7 should be allowed add_name access on the radicale.pid directory by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep radicale /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

Feb 23 20:48:13 myserver python[30719]: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /run/radicale/radicale.pid.

    *****  Plugin catchall (100. confidence) suggests   **************************

    If you believe that python2.7 should be allowed getattr access on the radicale.pid file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep radicale /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp


Expected results:
no such messages


Additional info:

suggested fix from grep radicale /var/log/audit/audit.log | audit2allow -M mypol

is this policy:

module mypol 1.0;

require {
	type radicale_t;
	type var_run_t;
	class dir { write remove_name add_name };
	class file { write create unlink open getattr };
}

#============= radicale_t ==============
allow radicale_t var_run_t:dir { write remove_name add_name };
allow radicale_t var_run_t:file { write create unlink open getattr };

I'm not an SELinux expert, but the selinux code in radicale-0.10-1 seems to not mention /var/run
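
Editorial note on the audit2allow output above (an added example, not part of the bug report and not the radicale package's own policy): the catchall module grants radicale_t write access to every var_run_t file and directory, which is anything under /run without a service-specific label, not just /run/radicale. The standard way to narrow that is to give the runtime directory its own type and let the domain manage only that type. The script below summarises AVC denials into (source type, target type, class, permission) tuples, flags the ones whose target is a shared generic type, and prints a refpolicy-style module skeleton for review. The type name radicale_var_run_t, the module name, the sample audit lines (modelled on the denials quoted above, with made-up timestamps, serials, inodes and a third denial on an assumed radicale_var_lib_t type) are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or the radicale package): triage
# SELinux AVC denials before installing whatever audit2allow suggests.
# Type names radicale_var_run_t and radicale_var_lib_t are assumptions.

# Constructed sample audit lines modelled on the report's add_name and
# getattr denials. Timestamps, serials, inodes and the third line are made up.
SAMPLE_AVC='type=AVC msg=audit(1424753293.100:4001): avc:  denied  { add_name } for  pid=30719 comm="python" name="radicale.pid" scontext=system_u:system_r:radicale_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1424753293.101:4002): avc:  denied  { getattr } for  pid=30719 comm="python" path="/run/radicale/radicale.pid" dev="tmpfs" ino=4242 scontext=system_u:system_r:radicale_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1424753293.102:4003): avc:  denied  { read write } for  pid=30719 comm="python" path="/var/lib/radicale/collections/user/cal.ics" dev="dm-0" ino=8080 scontext=system_u:system_r:radicale_t:s0 tcontext=system_u:object_r:radicale_var_lib_t:s0 tclass=file permissive=0'

# Shared types that many domains write to; an allow rule targeting one of
# them widens access well beyond the service's own files.
GENERIC_TYPES="var_run_t var_t var_lib_t var_log_t tmp_t etc_t"

# Reduce AVC lines on stdin to unique "source_type target_type class perm"
# tuples, one permission per line, so each requested grant can be judged.
avc_summary() {
    awk '/type=AVC/ && /denied/ {
        perms = $0; sub(/.*denied +\{ */, "", perms); sub(/ *\}.*/, "", perms)
        src = $0; sub(/.*scontext=[^:]*:[^:]*:/, "", src); sub(/:.*/, "", src)
        tgt = $0; sub(/.*tcontext=[^:]*:[^:]*:/, "", tgt); sub(/:.*/, "", tgt)
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) print src, tgt, cls, p[i]
    }' | LC_ALL=C sort -u
}

# Mark tuples whose target is a generic type: audit2allow would turn these
# into allow rules on the shared type, which is the cue to relabel instead.
flag_generic_targets() {
    awk -v generic="$GENERIC_TYPES" '
        BEGIN { n = split(generic, g, " "); for (i = 1; i <= n; i++) is_generic[g[i]] = 1 }
        ($2 in is_generic) { print "OVERBROAD:", $0 }
        !($2 in is_generic) { print "ok:", $0 }'
}

# Print a refpolicy-style .te plus .fc that labels the runtime directory with
# its own type instead of granting the domain write access to all var_run_t.
# $1 = domain (radicale_t), $2 = new runtime type, $3 = runtime directory.
narrow_policy() {
    domain=$1; rtype=$2; dir=$3
    cat <<EOF
# ${domain%_t}_runtime.te
policy_module(${domain%_t}_runtime, 1.0)

require {
    type ${domain};
}

type ${rtype};
files_pid_file(${rtype})

manage_dirs_pattern(${domain}, ${rtype}, ${rtype})
manage_files_pattern(${domain}, ${rtype}, ${rtype})
# Files the domain creates directly under a var_run_t directory get the new
# type rather than inheriting var_run_t from the parent.
files_pid_filetrans(${domain}, ${rtype}, file)

# ${domain%_t}_runtime.fc
${dir}(/.*)?    gen_context(system_u:object_r:${rtype},s0)
EOF
}

# Stand-alone run: verdict per denial, then the proposed narrow policy.
printf '%s\n' "$SAMPLE_AVC" | avc_summary | flag_generic_targets
narrow_policy radicale_t radicale_var_run_t /run/radicale
```

On a real host, feed `ausearch -m avc -c python` output (or the grep from the report) into avc_summary instead of the sample. The printed .te/.fc pair is a starting point to compile with the selinux-policy-devel Makefile, load with semodule -i, and apply with restorecon -Rv /run/radicale; if the directory is created by systemd or tmpfiles before the service starts, the .fc entry is what gives it the new label, and the filetrans rule only covers a pid file written straight into a var_run_t directory.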

Comment 1 Fedora Update System 2015-02-24 13:41:05 UTC
radicale-0.10-2.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/radicale-0.10-2.fc21

Comment 2 Fedora Update System 2015-02-25 09:57:05 UTC
radicale-0.10-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/radicale-0.10-2.fc20

Comment 3 Fedora Update System 2015-02-25 13:25:20 UTC
Package radicale-0.10-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing radicale-0.10-2.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-2480/radicale-0.10-2.fc21
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2015-03-05 12:40:08 UTC
radicale-0.10-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2015-03-06 07:00:32 UTC
radicale-0.10-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.