Bug 1327130

Summary: selinux-policy upgrade denies abrt-server access to /var/cache/dnf/*
Product: [Fedora] Fedora Reporter: ILMostro <ilmostro7>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: high    
Version: 23CC: dominick.grift, dwalsh, ilmostro7, lvrabec, mgrepl, plautrba
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-12-20 19:57:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description ILMostro 2016-04-14 10:15:13 UTC 
Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-158.11.fc23.noarch



Description of problem:

selinux-policy upgrade denies abrt-server access to /var/cache/dnf/*.

To be honest, I'm not even sure how to categorise this one.  After an upgrade--and reboot--dnf tool failed with error message (NOT RELATED TO THIS! bug 1327099 ).  The abrt-server attempted to gather information, I guess, and setroubleshoot (which was ALSO upgraded at the same time as dnf) started showing denial errors in journal logs.

The following text shows the updates of the selinux-related tools:

```
 Upgraded   selinux-policy-3.13.1-158.11.fc23.noarch          @@commandline
    Upgrade                   3.13.1-158.12.fc23.noarch          @updates
    Upgraded   selinux-policy-devel-3.13.1-158.11.fc23.noarch    @@commandline
    Upgrade                         3.13.1-158.12.fc23.noarch    @updates
    Upgraded   selinux-policy-doc-3.13.1-158.11.fc23.noarch      @@commandline
    Upgrade                       3.13.1-158.12.fc23.noarch      @updates
    Upgraded   selinux-policy-mls-3.13.1-158.11.fc23.noarch      @@commandline
    Upgrade                       3.13.1-158.12.fc23.noarch      @updates
    Upgraded   selinux-policy-sandbox-3.13.1-158.11.fc23.noarch  @@commandline
    Upgrade                           3.13.1-158.12.fc23.noarch  @updates
    Upgraded   selinux-policy-targeted-3.13.1-158.11.fc23.noarch @@commandline
    Upgrade                            3.13.1-158.12.fc23.noarch @updates
    Upgraded   setroubleshoot-3.3.4-1.fc23.i686                  @@commandline
    Upgrade                   3.3.5-2.fc23.i686                  @updates
    Upgraded   setroubleshoot-plugins-3.3.2-1.fc23.noarch        @@commandline
    Upgrade                           3.3.3-1.fc23.noarch        @updates
    Upgraded   setroubleshoot-server-3.3.4-1.fc23.i686           @@commandline
    Upgrade                          3.3.5-2.fc23.i686           @updates
```


So, I'm not sure if this is due to 

- the updated selinux-related tools
- the updated dnf-related packages (/var/cache/dnf/ subdirs)
- wrong selinux labels on the directories ( var_cache_t )

------------------------------------------------

The following text shows the relevant lines of text in the journal log:

```
Apr 14 04:20:58 babinkomp.airportx.lan audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-tmpfiles-clean comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? ter
minal=? res=failed'
Apr 14 04:20:59 babinkomp.airportx.lan python3[2964]: detected unhandled Python exception in '/usr/bin/dnf'
Apr 14 04:20:59 babinkomp.airportx.lan dbus[767]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Apr 14 04:21:00 babinkomp.airportx.lan dbus[767]: [system] Successfully activated service 'org.freedesktop.problems'
Apr 14 04:21:00 babinkomp.airportx.lan audit[2992]: AVC avc:  denied  { read } for  pid=2992 comm="find" name="repodata" dev="dm-0" ino=2093606 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_tmp_t:s0 tclass
=dir permissive=0
Apr 14 04:21:00 babinkomp.airportx.lan audit[2992]: AVC avc:  denied  { read } for  pid=2992 comm="find" name="repodata" dev="dm-0" ino=2094591 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_tmp_t:s0 tclass
=dir permissive=0
Apr 14 04:21:00 babinkomp.airportx.lan audit[2992]: AVC avc:  denied  { read } for  pid=2992 comm="find" name="repodata" dev="dm-0" ino=2093300 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_tmp_t:s0 tclass
=dir permissive=0
Apr 14 04:21:00 babinkomp.airportx.lan audit[2992]: AVC avc:  denied  { read } for  pid=2992 comm="find" name="repodata" dev="dm-0" ino=2094237 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_tmp_t:s0 tclass
=dir permissive=0
Apr 14 04:21:00 babinkomp.airportx.lan dbus[767]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Apr 14 04:21:00 babinkomp.airportx.lan abrt-server[2969]: find: ‘/var/cache/dnf/rpmfusion-nonfree-updates-testing-6ba7c5eb0f1e12ff/repodata’: Permission denied
Apr 14 04:21:00 babinkomp.airportx.lan abrt-server[2969]: find: ‘/var/cache/dnf/rpmfusion-nonfree-5cfe49eb66844049/repodata’: Permission denied
Apr 14 04:21:00 babinkomp.airportx.lan abrt-server[2969]: find: ‘/var/cache/dnf/rpmfusion-free-updates-testing-87b68c9319105f04/repodata’: Permission denied
Apr 14 04:21:00 babinkomp.airportx.lan abrt-server[2969]: find: ‘/var/cache/dnf/adobe-linux-i386-e8be5a0311beef74/repodata’: Permission denied
Apr 14 04:21:00 babinkomp.airportx.lan audit[2992]: AVC avc:  denied  { read } for  pid=2992 comm="find" name="repodata" dev="dm-0" ino=2093322 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_tmp_t:s0 tclass
=dir permissive=0
Apr 14 04:21:00 babinkomp.airportx.lan audit[2992]: AVC avc:  denied  { read } for  pid=2992 comm="find" name="repodata" dev="dm-0" ino=2094410 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_tmp_t:s0 tclass
=dir permissive=0
Apr 14 04:21:00 babinkomp.airportx.lan abrt-server[2969]: find: ‘/var/cache/dnf/updates-96b7b648a31a001b/repodata’: Permission denied
Apr 14 04:21:00 babinkomp.airportx.lan abrt-server[2969]: find: ‘/var/cache/dnf/rpmfusion-free-6740a20e6b884619/repodata’: Permission denied
Apr 14 04:21:01 babinkomp.airportx.lan dbus[767]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Apr 14 04:21:02 babinkomp.airportx.lan setroubleshoot[2994]: SELinux is preventing find from read access on the directory repodata. For complete SELinux messages. run sealert -l e05c3860-a20b-4a89-b0ee-c248c4576d60
Apr 14 04:21:02 babinkomp.airportx.lan python3[2994]: SELinux is preventing find from read access on the directory repodata.
                                                      
                                                      *****  Plugin catchall (100. confidence) suggests   **************************
                                                      
                                                      If you believe that find should be allowed read access on the repodata directory by default.
                                                      Then you should report this as a bug.
                                                      You can generate a local policy module to allow this access.
                                                      Do
                                                      allow this access for now by executing:
                                                      # ausearch -c find --raw | audit2allow -M mypol
                                                      # semodule -i mypol.pp
                                                      
Apr 14 04:21:03 babinkomp.airportx.lan setroubleshoot[2994]: failed to retrieve rpm info for /var/cache/dnf/rpmfusion-nonfree-5cfe49eb66844049/repodata
Apr 14 04:21:03 babinkomp.airportx.lan setroubleshoot[2994]: SELinux is preventing find from read access on the directory /var/cache/dnf/rpmfusion-nonfree-5cfe49eb66844049/repodata. For complete SELinux messages. run sealert -l e05c3860-a2
0b-4a89-b0ee-c248c4576d60
Apr 14 04:21:03 babinkomp.airportx.lan python3[2994]: SELinux is preventing find from read access on the directory /var/cache/dnf/rpmfusion-nonfree-5cfe49eb66844049/repodata.
                                                      
                                                      *****  Plugin catchall (100. confidence) suggests   **************************
                                                      
                                                      If you believe that find should be allowed read access on the repodata directory by default.
                                                      Then you should report this as a bug.
                                                      You can generate a local policy module to allow this access.
                                                      Do
                                                      allow this access for now by executing:
                                                      # ausearch -c find --raw | audit2allow -M mypol
                                                      # semodule -i mypol.pp
                                                      
Apr 14 04:21:03 babinkomp.airportx.lan setroubleshoot[2994]: SELinux is preventing find from read access on the directory repodata. For complete SELinux messages. run sealert -l e05c3860-a20b-4a89-b0ee-c248c4576d60
Apr 14 04:21:03 babinkomp.airportx.lan python3[2994]: SELinux is preventing find from read access on the directory repodata.
                                                      
                                                      *****  Plugin catchall (100. confidence) suggests   **************************
                                                      
                                                      If you believe that find should be allowed read access on the repodata directory by default.
                                                      Then you should report this as a bug.
                                                      You can generate a local policy module to allow this access.
                                                      Do
                                                      allow this access for now by executing:
                                                      # ausearch -c find --raw | audit2allow -M mypol
                                                      # semodule -i mypol.pp
                                                      
Apr 14 04:21:04 babinkomp.airportx.lan python3[2964]: communication with ABRT daemon failed: timed out
Apr 14 04:21:06 babinkomp.airportx.lan sedispatch[759]: timeout flush
Apr 14 04:21:06 babinkomp.airportx.lan setroubleshoot[2994]: failed to retrieve rpm info for /var/cache/dnf/adobe-linux-i386-e8be5a0311beef74/repodata
Apr 14 04:21:07 babinkomp.airportx.lan setroubleshoot[2994]: SELinux is preventing find from read access on the directory /var/cache/dnf/adobe-linux-i386-e8be5a0311beef74/repodata. For complete SELinux messages. run sealert -l e05c3860-a20
b-4a89-b0ee-c248c4576d60
Apr 14 04:21:07 babinkomp.airportx.lan python3[2994]: SELinux is preventing find from read access on the directory /var/cache/dnf/adobe-linux-i386-e8be5a0311beef74/repodata.
                                                      
                                                      *****  Plugin catchall (100. confidence) suggests   **************************
                                                      
                                                      If you believe that find should be allowed read access on the repodata directory by default.
                                                      Then you should report this as a bug.
                                                      You can generate a local policy module to allow this access.
                                                      Do
                                                      allow this access for now by executing:
                                                      # ausearch -c find --raw | audit2allow -M mypol
                                                      # semodule -i mypol.pp
                                                      
Apr 14 04:21:09 babinkomp.airportx.lan sedispatch[759]: timeout flush
Apr 14 04:21:10 babinkomp.airportx.lan setroubleshoot[2994]: failed to retrieve rpm info for /var/cache/dnf/updates-96b7b648a31a001b/repodata
Apr 14 04:21:10 babinkomp.airportx.lan setroubleshoot[2994]: SELinux is preventing find from read access on the directory /var/cache/dnf/updates-96b7b648a31a001b/repodata. For complete SELinux messages. run sealert -l e05c3860-a20b-4a89-b0
ee-c248c4576d60
Apr 14 04:21:10 babinkomp.airportx.lan python3[2994]: SELinux is preventing find from read access on the directory /var/cache/dnf/updates-96b7b648a31a001b/repodata.
                                                      
                                                      *****  Plugin catchall (100. confidence) suggests   **************************
                                                      
                                                      If you believe that find should be allowed read access on the repodata directory by default.
                                                      Then you should report this as a bug.
                                                      You can generate a local policy module to allow this access.
                                                      Do
                                                      allow this access for now by executing:
                                                      # ausearch -c find --raw | audit2allow -M mypol
                                                      # semodule -i mypol.pp
                                                      
Apr 14 04:21:10 babinkomp.airportx.lan abrt-server[2969]: cp: cannot stat ‘/var/log/dnf.transaction.log’: No such file or directory
Apr 14 04:21:13 babinkomp.airportx.lan sedispatch[759]: timeout flush
Apr 14 04:21:13 babinkomp.airportx.lan setroubleshoot[2994]: failed to retrieve rpm info for /var/cache/dnf/rpmfusion-free-6740a20e6b884619/repodata
Apr 14 04:21:13 babinkomp.airportx.lan setroubleshoot[2994]: SELinux is preventing find from read access on the directory /var/cache/dnf/rpmfusion-free-6740a20e6b884619/repodata. For complete SELinux messages. run sealert -l e05c3860-a20b-
4a89-b0ee-c248c4576d60
Apr 14 04:21:13 babinkomp.airportx.lan python3[2994]: SELinux is preventing find from read access on the directory /var/cache/dnf/rpmfusion-free-6740a20e6b884619/repodata.
                                                      
                                                      *****  Plugin catchall (100. confidence) suggests   **************************
                                                      
                                                      If you believe that find should be allowed read access on the repodata directory by default.
                                                      Then you should report this as a bug.
                                                      You can generate a local policy module to allow this access.
                                                      Do
                                                      allow this access for now by executing:
                                                      # ausearch -c find --raw | audit2allow -M mypol
                                                      # semodule -i mypol.pp
Comment 1 ILMostro 2016-04-14 10:26:22 UTC 
Sorry, I mistakenly stated that fcontext was "var_cache_t" instead of "rpm_var_cache_t".  The following is a list of the SELinux labels for the existing directories and files in "/var/cache/dnf/.":

```
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
system_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
system_u:object_r:rpm_var_cache_t:s0
system_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
system_u:object_r:rpm_var_cache_t:s0
system_u:object_r:rpm_var_cache_t:s0
system_u:object_r:rpm_var_cache_t:s0
system_u:object_r:rpm_var_cache_t:s0
system_u:object_r:rpm_var_cache_t:s0
system_u:object_r:rpm_var_cache_t:s0
system_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0

unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
system_u:object_r:rpm_var_cache_t:s0
system_u:object_r:rpm_var_cache_t:s0
system_u:object_r:rpm_var_cache_t:s0
system_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
system_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
system_u:object_r:rpm_var_cache_t:s0
system_u:object_r:rpm_var_cache_t:s0
system_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
system_u:object_r:rpm_var_cache_t:s0
system_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0
unconfined_u:object_r:rpm_var_cache_t:s0

system_u:object_r:rpm_var_cache_t:s0
```
Comment 2 Miroslav Grepl 2016-05-05 20:10:58 UTC 
Ok so /var/cache/dnf is labeled correctly, right?
Comment 3 Fedora Admin XMLRPC Client 2016-09-27 14:59:32 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 4 ILMostro 2016-11-07 14:57:30 UTC 
Hi,

This was a while ago, but I did provide the file context SELinux labels in my previous comments.  Based on that information, you can see that they were, indeed, labelled correctly.
Comment 5 ILMostro 2016-11-07 15:21:00 UTC 
Additionally, I'd like to point out that I ended up resolving this issue, though, due to the age of this report, I am not sure how I had done that.  Once again, based on the context labels in Comment 1, it appears that the complaints were showing **MLS** labelled files/directories; and `selinux-policy-targeted` as well as `selinux-policy-mls` were installed.  At this time, the following SELinux labels are on the same system where the issue was reported and resolved (somehow).

~~~
[09:11][1005]# ls -alhZ /var/cache/dnf/updates-96b7b648a31a001b/
total 48K
drwxr-xr-x.  4 root root unconfined_u:object_r:rpm_var_cache_t:s0 4.0K Nov  7 00:51 .
drwxr-xr-x. 22 root root system_u:object_r:rpm_var_cache_t:s0     4.0K Nov  7 09:11 ..
-rw-r--r--.  1 root root system_u:object_r:rpm_tmp_t:s0           7.8K Nov  7 00:51 metalink.xml
drwxr-xr-x.  2 root root unconfined_u:object_r:rpm_var_cache_t:s0  24K Oct  7 12:39 packages
drwxr-xr-x.  2 root root system_u:object_r:rpm_tmp_t:s0           4.0K Nov  7 00:51 repodata
~~~
Comment 6 Fedora End Of Life 2016-11-25 07:21:16 UTC 
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 7 Fedora End Of Life 2016-12-20 19:57:37 UTC 
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.