Bug 477743
| Summary: | memcached-selinux and audit denies (memcached works, but memcached-selinux doesn't) | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Jarkko <jval> |
| Component: | memcached | Assignee: | Paul Lindner <lindner> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | el5 | CC: | lindner, mastahnke, matthias, ruben, tarkatronic |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | ActualBug | ||
| Fixed In Version: | memcached-1.4.5-1.el5 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-04-26 23:25:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I'm not an selinux expert here, and the patch for that was contributed. Can anyone help out?

memcached-1.4.5-1.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/memcached-1.4.5-1.el5

# yum localupdate memcached-1.4.5-1.el5.i386.rpm
Setting up Local Package Process
Examining memcached-1.4.5-1.el5.i386.rpm: memcached-1.4.5-1.el5.i386
Marking memcached-1.4.5-1.el5.i386.rpm as an update to memcached-1.2.8-1.el5.i386
Resolving Dependencies
--> Running transaction check
--> Processing Dependency: memcached = 1.2.8-1.el5 for package: memcached-selinux
---> Package memcached.i386 0:1.4.5-1.el5 set to be updated
--> Processing Dependency: libevent-1.4.so.2 for package: memcached
--> Finished Dependency Resolution
memcached-selinux-1.2.8-1.el5.i386 from installed has depsolving problems
--> Missing Dependency: memcached = 1.2.8-1.el5 is needed by package memcached-selinux-1.2.8-1.el5.i386 (installed)
memcached-1.4.5-1.el5.i386 from /memcached-1.4.5-1.el5.i386 has depsolving problems
--> Missing Dependency: libevent-1.4.so.2 is needed by package memcached-1.4.5-1.el5.i386 (/memcached-1.4.5-1.el5.i386)
Packages skipped because of dependency problems:
memcached-1.4.5-1.el5.i386 from /memcached-1.4.5-1.el5.i386
# yum remove memcached-selinux
...
Removed:
memcached-selinux.i386 0:1.2.8-1.el5
# yum localupdate memcached-1.4.5-1.el5.i386.rpm
Setting up Local Package Process
Examining memcached-1.4.5-1.el5.i386.rpm: memcached-1.4.5-1.el5.i386
Marking memcached-1.4.5-1.el5.i386.rpm as an update to memcached-1.2.8-1.el5.i386
Resolving Dependencies
--> Running transaction check
---> Package memcached.i386 0:1.4.5-1.el5 set to be updated
--> Processing Dependency: libevent-1.4.so.2 for package: memcached
--> Finished Dependency Resolution
memcached-1.4.5-1.el5.i386 from /memcached-1.4.5-1.el5.i386 has depsolving problems
--> Missing Dependency: libevent-1.4.so.2 is needed by package memcached-1.4.5-1.el5.i386 (/memcached-1.4.5-1.el5.i386)
Packages skipped because of dependency problems:
memcached-1.4.5-1.el5.i386 from /memcached-1.4.5-1.el5.i386
EL5 has libevent-1.1a.so.1 but the package has been built against libevent-1.4.so.2 it seems...
We're rebuilding for EL-5.5 which has libevent 1.4, sadly there's no way to generate an RPM for EL-5.4 now... See the big long thread over at https://bugzilla.redhat.com/show_bug.cgi?id=563985

memcached-1.4.5-1.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update memcached'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/memcached-1.4.5-1.el5

memcached-1.4.5-1.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update memcached'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/memcached-1.4.5-1.el5

memcached-1.4.5-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Description of problem:
memcached-selinux can't be used (memcached works when only the memcached package is installed as then there's no policy in use for memcached) because it causes three audit denies.

Version-Release number of selected component (if applicable):
memcached-selinux-1.2.5-2.el5

Actual results:
"service memcached start" says OK, but actually fails as "service memcached status" reports "memcached dead but subsys locked".

Expected results:
memcached starting and working with the selinux policy package (memcached-selinux).

Additional info
---------------
Here are the denies:

Dec 23 10:47:47 web kernel: audit(1230022067.059:11): avc: denied { create } for pid=9882 comm="memcached" scontext=root:system_r:memcached_t:s0 tcontext=root:system_r:memcached_t:s0 tclass=netlink_route_socket
Dec 23 10:47:47 web kernel: audit(1230022067.063:12): avc: denied { create } for pid=9882 comm="memcached" scontext=root:system_r:memcached_t:s0 tcontext=root:system_r:memcached_t:s0 tclass=netlink_route_socket
Dec 23 10:47:47 web kernel: audit(1230022067.063:13): avc: denied { name_bind } for pid=9882 comm="memcached" src=11211 scontext=root:system_r:memcached_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

And here's what audit2allow says about them:

#============= memcached_t ==============
allow memcached_t port_t:udp_socket name_bind;
allow memcached_t self:netlink_route_socket create;
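
How the three denials in the description collapse into the two rules audit2allow printed, as an added example that is not part of the bug report and is not audit2allow's own code. The function names are hypothetical, and only the key=value fields seen in these log lines are handled.

```python
import re
from collections import defaultdict

# The three denials quoted in the bug description above.
SAMPLE_LOG = """\
Dec 23 10:47:47 web kernel: audit(1230022067.059:11): avc: denied { create } for pid=9882 comm="memcached" scontext=root:system_r:memcached_t:s0 tcontext=root:system_r:memcached_t:s0 tclass=netlink_route_socket
Dec 23 10:47:47 web kernel: audit(1230022067.063:12): avc: denied { create } for pid=9882 comm="memcached" scontext=root:system_r:memcached_t:s0 tcontext=root:system_r:memcached_t:s0 tclass=netlink_route_socket
Dec 23 10:47:47 web kernel: audit(1230022067.063:13): avc: denied { name_bind } for pid=9882 comm="memcached" src=11211 scontext=root:system_r:memcached_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    # A context is user:role:type[:level]; the type is the third component.
    sctx, tctx = fields["scontext"].split(":"), fields["tcontext"].split(":")
    if len(sctx) < 3 or len(tctx) < 3:
        return None
    fields.update(perms=m.group("perms").split(), stype=sctx[2], ttype=tctx[2])
    return fields


def allow_rules(log_text):
    """Collapse denials into sorted, de-duplicated allow rules."""
    perms_by_key = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        # A domain acting on an object of its own type is written as "self".
        target = "self" if avc["stype"] == avc["ttype"] else avc["ttype"]
        perms_by_key[(avc["stype"], target, avc["tclass"])].update(avc["perms"])
    rules = []
    for (stype, target, tclass), perms in sorted(perms_by_key.items()):
        plist = sorted(perms)
        ptxt = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {ptxt};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

The `port_t` target in the first rule is the generic type for ports with no more specific label, so that rule covers more than UDP 11211 and is worth reviewing before it goes into a policy module.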