Bug 1271209
| Summary: | add file context for /usr/libexec/mock/mock | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Miroslav Suchý <msuchy> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.3 | CC: | dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-93.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1270972 | Environment: | |
| Last Closed: | 2016-11-04 02:23:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1270972, 1271211 | ||
| Bug Blocks: | 1246810 | ||
|
Description
Miroslav Suchý
2015-10-13 11:46:08 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions The test is IMHO incorrect. Mock does not yet have the script in /usr/libexec/mock/mock. The script can be moved only and only after the selinux policy will change. So you cannot test functionality of mock per se. Test should be as simple as touch /usr/libexec/mock/mock ls -lZ /usr/libexec/mock/mock ls -lZ /usr/sbin/mock and compare that those files have identical selinux context. Both files have the same context: # matchpathcon /usr/libexec/mock/mock /usr/libexec/mock/mock system_u:object_r:mock_exec_t:s0 # matchpathcon /usr/sbin/mock /usr/sbin/mock system_u:object_r:mock_exec_t:s0 # There are several transitions into the mock_t domain. I chose one of them (staff_t, one of the confined users) and the AVCs were results of running the mock program in that domain: # sesearch -t mock_exec_t -T Found 5 semantic te rules: type_transition staff_consolehelper_t mock_exec_t : process mock_t; type_transition abrt_retrace_worker_t mock_exec_t : process mock_t; type_transition rhev_agentd_consolehelper_t mock_exec_t : process mock_t; type_transition realmd_consolehelper_t mock_exec_t : process mock_t; type_transition staff_t mock_exec_t : process mock_t; # rpm -qa selinux-policy\* selinux-policy-doc-3.13.1-68.el7.noarch selinux-policy-3.13.1-68.el7.noarch selinux-policy-targeted-3.13.1-68.el7.noarch selinux-policy-mls-3.13.1-68.el7.noarch selinux-policy-sandbox-3.13.1-68.el7.noarch selinux-policy-minimum-3.13.1-68.el7.noarch selinux-policy-devel-3.13.1-68.el7.noarch # Milos, Could you run it in permissive mode? Thank you. I believe you will need to run it also with semodule -DB to collect all needed AVCs. This is weird, that you don't catch AVCs from comment 12. Milos, Could you create local policy to check if it working with these rules? Thank you! Hmm what does it mean? That mock_t is trying to open /etc/pki/nssdb/key4.db? This seems to do urlgrabber, which should be ok. Does this happen when urlgrabber is trying to access https pages? Or I am reading the logs incorrectly? The AVCs mentioned in comment#22 are generated by urlgrabber (comm=urlgrabber-ext-), but the urlgrabber process still runs under mock_t, because transition from mock_t to rpm_t (yum) is not allowed. If it was allowed then urlgrabber would run under the same context as yum and everything would be fine. I don't see a way for this transition. There is no rpm_exec_t labeling for urlgrabber. Milos, does it work correctly though AVC msgs. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html |