Description of problem:
This started popping out after I switched the RPM database to sqlite.
SELinux is preventing abrt-action-sav from 'write' accesses on the file /var/lib/rpm/rpmdb.sqlite-shm.
***** Plugin restorecon (94.8 confidence) suggests ************************
If you want to fix the label.
$TARGET_PATH default label should be rpm_var_lib_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory, in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /var/lib/rpm/rpmdb.sqlite-shm
***** Plugin catchall_labels (5.21 confidence) suggests *******************
If you want to allow abrt-action-sav to have write access on the rpmdb.sqlite-shm file
Then you need to change the label on /var/lib/rpm/rpmdb.sqlite-shm
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/rpm/rpmdb.sqlite-shm'
where FILE_TYPE is one of the following: abrt_etc_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, afs_cache_t, initrc_tmp_t, kdump_crash_t, mail_home_rw_t, mock_var_lib_t, postfix_postdrop_t, puppet_tmp_t, rhsmcertd_var_run_t, rpm_log_t, rpm_var_cache_t, rpm_var_run_t, sysfs_t, user_cron_spool_t, user_tmp_t, usr_t.
Then execute:
restorecon -v '/var/lib/rpm/rpmdb.sqlite-shm'
***** Plugin catchall (1.44 confidence) suggests **************************
If you believe that abrt-action-sav should be allowed write access on the rpmdb.sqlite-shm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'abrt-action-sav' --raw | audit2allow -M my-$MODULE_NAME
# semodule -X 300 -i my-abrtactionsav.pp
Additional Information:
Source Context        system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context        unconfined_u:object_r:var_lib_t:s0
Target Objects        /var/lib/rpm/rpmdb.sqlite-shm [ file ]
Source                abrt-action-sav
Source Path           abrt-action-sav
Port                  <Unknown>
Host                  (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM    <Unknown>
Local Policy RPM      selinux-policy-targeted-3.14.6-11.fc33.noarch
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Host Name             (removed)
Platform              Linux (removed) 5.7.0-0.rc0.git6.1.fc33.x86_64 #1 SMP Mon Apr 6 19:01:57 UTC 2020 x86_64 x86_64
Alert Count           20
First Seen            2020-04-10 17:32:21 CEST
Last Seen             2020-04-13 18:26:27 CEST
Local ID              e5ce50a8-d183-4303-8e12-18dfe8159e8c
Raw Audit Messages
type=AVC msg=audit(1586795187.608:7680): avc: denied { write } for pid=3068 comm="abrt-action-sav" name="rpmdb.sqlite-shm" dev="dm-0" ino=658978 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
Hash: abrt-action-sav,abrt_t,var_lib_t,file,write
Additional info:
component: selinux-policy
reporter: libreport-2.12.0
hashmarkername: setroubleshoot
kernel: 5.7.0-0.rc0.git8.1.fc33.x86_64
type: libreport
Potential duplicate: bug 1540366
Mattia,
Thank you for reporting the issue. I am switching the component to rpm.
Hey rpm folks,
I managed to reproduce the issue in this bugzilla following
https://fedoraproject.org/w/index.php?title=Changes/Sqlite_Rpmdb
and executing
# rpmdb --rebuilddb --define "_db_backend sqlite"
The context of the database files is incorrect:
# ls -Z /var/lib/rpm/rpmdb.sqlite*
unconfined_u:object_r:var_lib_t:s0 /var/lib/rpm/rpmdb.sqlite
unconfined_u:object_r:var_lib_t:s0 /var/lib/rpm/rpmdb.sqlite-shm
unconfined_u:object_r:var_lib_t:s0 /var/lib/rpm/rpmdb.sqlite-wal
How does this command work internally? Does it create files, or a new directory to be renamed?
There is an easy fix: run restorecon on the directory. But we can have it correct from the beginning, fixed either in the rpm or the selinux-policy package.
This happens with all rpmdb backends, and has been reported all along the way every now and then. Closing as a dupe of 1461313, which even contains a suggested fix.
Rpm creates a new directory and constructs a new database there and then switches it with the old.
*** This bug has been marked as a duplicate of bug 1461313 ***
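An added example, not part of the original thread: a small triage helper that reads the AVC record quoted in the report and decides whether the denial comes from a mislabeled target (the case here, fixed by restorecon on the directory) or from a possible policy gap. The function names and the `EXPECTED_TYPES` table are assumptions made for the example; the table stands in for the policy's file-context database.

```python
import re

# The AVC record quoted in the report above (copied from the page).
PAGE_AVC = (
    'type=AVC msg=audit(1586795187.608:7680): avc: denied { write } for pid=3068 '
    'comm="abrt-action-sav" name="rpmdb.sqlite-shm" dev="dm-0" ino=658978 '
    'scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0'
)

# Assumption: stand-in for the policy's file-context database. The single entry
# reflects the default label the restorecon plugin reports for this path; on a
# live system ask the policy instead (for example with matchpathcon).
EXPECTED_TYPES = [(re.compile(r"/var/lib/rpm(/.*)?"), "rpm_var_lib_t")]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # An SELinux context is user:role:type:range; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def expected_type(path):
    """Look up the default type for a path in the stand-in table."""
    for pattern, setype in EXPECTED_TYPES:
        if pattern.fullmatch(path):
            return setype
    return None

def triage(line, path):
    """Classify a denial as a labeling problem or a possible policy gap."""
    rec = parse_avc(line)
    if rec is None:
        raise ValueError("not an AVC denial record")
    want = expected_type(path)
    if want is not None and rec["target_type"] != want:
        return ("relabel", f"{path}: {rec['target_type']} should be {want}")
    return ("policy", f"{rec['source_type']} lacks {rec['perms']} on {rec['target_type']}")

if __name__ == "__main__":
    print(triage(PAGE_AVC, "/var/lib/rpm/rpmdb.sqlite-shm"))
```

The AVC record carries only the file's base name, so the full path is passed in separately, as it appears under "Target Objects" in the report.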