Bug 1276922

Summary:	SELinux is preventing find from 'read' accesses on the directory repodata.
Product:	[Fedora] Fedora	Reporter:	Christian Stadelmann <fedora>
Component:	selinux-policy	Assignee:	Lukas Vrabec <lvrabec>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	24	CC:	abrt-devel-list, akees, brian, brian.murrell, cla.azzarello, dominick.grift, dvlasenk, dwalsh, enugazio, estes.chris72, fedora, iprikryl, jayabharat, jfilak, k.a.szmit, lvrabec, maxim.galamay, mgrepl, mhabrnal, michal.toman, mmilata, niki.guldbrand, obliterator666, plautrba, sheepdestroyer, thithithori37, xzj8b3, zyxsamys
Target Milestone:	---
Target Release:	---
Hardware:	x86_64
OS:	Unspecified
Whiteboard:	abrt_hash:9fb8200dcf856be7e19d40f68ba85b4430bf5b459c75ef68ef1130252bb12014;VARIANT_ID=workstation;
Fixed In Version:	selinux-policy-3.13.1-191.16.fc24	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2016-09-22 00:24:08 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1277654

Description Christian Stadelmann 2015-11-01 10:41:35 UTC

Description of problem:
This happened while dnf was running as root on cli and yumex-dnf was running as admin user looking at the dnf history database. At the same time https://bugzilla.redhat.com/show_bug.cgi?id=1276921 happened.
SELinux is preventing find from 'read' accesses on the directory repodata.

*****  Plugin catchall (100. confidence) suggests   **************************

If sie denken, dass es find standardmässig erlaubt sein sollte, read Zugriff auf repodata directory zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# grep find /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:rpm_tmp_t:s0
Target Objects                repodata [ dir ]
Source                        find
Source Path                   find
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-152.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.3-300.fc23.x86_64 #1 SMP Mon
                              Oct 5 15:42:54 UTC 2015 x86_64 x86_64
Alert Count                   7
First Seen                    2015-11-01 11:38:20 CET
Last Seen                     2015-11-01 11:38:20 CET
Local ID                      7e5cfa36-9dca-4dba-a821-dca0e84692c3

Raw Audit Messages
type=AVC msg=audit(1446374300.719:693): avc:  denied  { read } for  pid=15519 comm="find" name="repodata" dev="dm-0" ino=17791 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_tmp_t:s0 tclass=dir permissive=0


Hash: find,abrt_t,rpm_tmp_t,dir,read

Version-Release number of selected component:
selinux-policy-3.13.1-152.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.3-300.fc23.x86_64
type:           libreport

Comment 1 Michal Nowak 2015-11-05 10:35:21 UTC

Description of problem:
I used DNF at that time.

Version-Release number of selected component:
selinux-policy-3.13.1-152.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport

Comment 2 sheepdestroyer 2015-11-09 09:30:17 UTC

Description of problem:
put "n" as answer to update or not question from dnf :

...
...
Upgrade  56 Packages

Total download size: 122 M
Is this ok [y/N]:  n
Traceback (most recent call last):
  File "/bin/dnf", line 35, in <module>
    main.user_main(sys.argv[1:], exit_code=True)
  File "/usr/lib/python3.4/site-packages/dnf/cli/main.py", line 198, in user_main
    errcode = main(args)
  File "/usr/lib/python3.4/site-packages/dnf/cli/main.py", line 84, in main
    return _main(base, args)
  File "/usr/lib/python3.4/site-packages/dnf/cli/main.py", line 144, in _main
    ret = resolving(cli, base)
  File "/usr/lib/python3.4/site-packages/dnf/cli/main.py", line 173, in resolving
    base.do_transaction(display=displays)
  File "/usr/lib/python3.4/site-packages/dnf/cli/cli.py", line 200, in do_transaction
    if self.conf.assumeno or not self.output.userconfirm():
  File "/usr/lib/python3.4/site-packages/dnf/cli/output.py", line 631, in userconfirm
    choice = dnf.i18n.ucd_input(msg)
  File "/usr/lib/python3.4/site-packages/dnf/i18n.py", line 109, in ucd_input
    return dnf.pycomp.raw_input()
UnicodeDecodeError: 'utf-8' codec can't decode bytes in position 0-1: invalid continuation byte
[sheepdestroyer@sheepora ~] $ 

Version-Release number of selected component:
selinux-policy-3.13.1-153.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport

Comment 3 Jakub Filak 2015-11-20 11:17:31 UTC

This AVC is probably caused by dnf's EVENT=notify script which is run by abrtd:
https://github.com/rpm-software-management/dnf/blob/master/etc/collect_dnf.conf

Mirek, can you please take a look at the script?

The script makes copies of files from /var/cache/dnf, /var/tmp/dnf-${username}-* and /var/log/dnf.log and /var/log/dnf.transaction.log

Comment 4 Lukas Vrabec 2015-11-20 15:49:48 UTC

In this case we should allow it.

Comment 5 Kamil Szmit 2016-02-20 10:18:05 UTC

Description of problem:
Error was probably caused by DNF automatic updates.

Version-Release number of selected component:
selinux-policy-3.13.1-158.6.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport

Comment 6 Maxim Galamay 2016-02-22 19:48:38 UTC

Description of problem:
just run sudo dnf clean all

Version-Release number of selected component:
selinux-policy-3.13.1-158.6.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport

Comment 7 Christian Stadelmann 2016-04-06 22:22:23 UTC

Still present with selinux-policy-targeted-3.13.1-180.fc24.noarch

Comment 8 Lukas Vrabec 2016-04-12 10:15:49 UTC

Hi, 
Do you know where is repodata dir stored? I believe this dir should have rpm_var_cache_t label. Then, we have rules for this action.

$ sesearch -A -s abrt_t -t rpm_var_cache_t -p read -c dir 
Found 1 semantic av rules:
   allow abrt_t rpm_var_cache_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;

Comment 9 Christian Stadelmann 2016-04-12 11:37:56 UTC

@Lukas vrabec: I don't have any clue, no. Is there any file name or extension I can search for? I would expect it to be somewhere below /var/cache/dnf or /var/lib/dnf, since both dnf and yumex-dnf are using dnf api.

Comment 10 Lukas Vrabec 2016-04-21 14:18:02 UTC

*** Bug 1327241 has been marked as a duplicate of this bug. ***

Comment 11 Christian Stadelmann 2016-05-02 14:55:31 UTC

There is no `sesearch` command on my computer and `dnf provides sesearch` doesn't find one either.

Comment 12 Daniel Walsh 2016-05-02 18:16:11 UTC

dnf install setools-console

Comment 13 Christian Stadelmann 2016-05-02 19:04:05 UTC

Looks the same here:

$ sesearch -A -s abrt_t -t rpm_var_cache_t -p read -c dir
Found 1 semantic av rules:
   allow abrt_t rpm_var_cache_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;

Comment 14 Lukas Vrabec 2016-06-20 10:58:36 UTC

*** Bug 1344375 has been marked as a duplicate of this bug. ***

Comment 15 estes.chris72 2016-07-10 01:48:26 UTC

Description of problem:
I was installing OSSEC client on Fedora 24. The commands that I ran were as follows:

# wget -q -O – https://www.atomicorp.com/installers/atomic | sh 
# dnf install ossec-hids ossec-hids-client

The following error came up after entering the second command:

Running transaction
  Installing  : inotify-tools-3.14-10.fc24.x86_64                           1/3 
  Installing  : ossec-hids-2.8.3-51.fc24.art.x86_64                         2/3 
  Installing  : ossec-hids-client-2.8.3-51.fc24.art.x86_64                  3/3 
Restarting ossec-hids (via systemctl):  Job for ossec-hids.service failed because the control process exited with error code. See "systemctl status ossec-hids.service" and "journalctl -xe" for details.
[FAILED]
^Cwarning: %triggerin(man-db-2.7.5-3.fc24.x86_64) scriptlet failed, signal 2
Traceback (most recent call last):
  File "/usr/lib/python3.5/site-packages/dnf/yum/rpmtrans.py", line 427, in callback
    self._scriptError(bytes, total, h)
  File "/usr/lib/python3.5/site-packages/dnf/yum/rpmtrans.py", line 557, in _scriptError
    pkg, _, _ = self._extract_cbkey(h)
  File "/usr/lib/python3.5/site-packages/dnf/yum/rpmtrans.py", line 229, in _extract_cbkey
    return self._extract_str_cbkey(cbkey)
  File "/usr/lib/python3.5/site-packages/dnf/yum/rpmtrans.py", line 237, in _extract_str_cbkey
    assert(isinstance(name, basestring))
AssertionError
FATAL ERROR: python callback ??? failed, aborting!

I am not sure how to reproduce.

Version-Release number of selected component:
selinux-policy-3.13.1-190.fc24.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.5.7-300.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Comment 16 Brian J. Murrell 2016-09-14 01:51:34 UTC

Description of problem:
Not sure what caused this.

Version-Release number of selected component:
selinux-policy-3.13.1-158.fc23.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.4-301.fc24.x86_64
type:           libreport

Comment 17 Claudio Azzarello 2016-09-15 11:51:42 UTC

Description of problem:
I was running "sudo dnf update". At the end of the process the window was freeze.

Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.2-201.fc24.x86_64
type:           libreport

Comment 18 Fedora Update System 2016-09-16 00:53:15 UTC

selinux-policy-3.13.1-191.16.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-fe39b806b6

Comment 19 Fedora Update System 2016-09-22 00:24:08 UTC

selinux-policy-3.13.1-191.16.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 enrico ugazio 2016-10-06 22:53:08 UTC

Description of problem:
i dnf update esecute the command but the system interrupt

Version-Release number of selected component:
selinux-policy-3.13.1-190.fc24.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.7.5-200.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport