Bug 517251

Summary: setroubleshoot: SELinux is preventing icecc-scheduler (icecc_scheduler_t) "read write" var_log_t.
Product: [Fedora] Fedora
Reporter: Caolan McNamara <caolanm>
Component: icecream
Assignee: Michal Schmidt <mschmidt>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: dwalsh, jkubin, mgrepl, mschmidt
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:6bfd35bc097281a4caf547d9a5699a070d48ae5865b053b6932eaab49d6ffc59
Fixed In Version: 0.9.4-4.fc11
Doc Type: Bug Fix
Last Closed: 2009-09-09 01:50:41 UTC

Description Caolan McNamara 2009-08-13 09:02:57 UTC
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing icecc-scheduler (icecc_scheduler_t) "read write"
var_log_t.

Detailed Description:

SELinux denied access requested by icecc-scheduler. It is not expected that this
access is required by icecc-scheduler and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:icecc_scheduler_t:SystemLow
Target Context                system_u:object_r:var_log_t:SystemLow
Target Objects                icecc-scheduler [ file ]
Source                        icecc-scheduler
Source Path                   /usr/sbin/icecc-scheduler
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           icecream-0.9.4-1.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.29.3-155.fc11.x86_64 #1 SMP Wed May
                              20 17:43:16 EDT 2009 x86_64 x86_64
Alert Count                   7
First Seen                    Mon 20 Apr 2009 16:52:35 IST
Last Seen                     Tue 26 May 2009 17:06:33 IST
Local ID                      25adf24e-1a76-4f25-b57a-db5c45908c51
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1243353993.668:31590): avc:  denied  { read write } for  pid=3349 comm="icecc-scheduler" name="icecc-scheduler" dev=dm-0 ino=29622511 scontext=system_u:system_r:icecc_scheduler_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1243353993.668:31590): arch=c000003e syscall=21 success=no exit=-13 a0=1f18615 a1=6 a2=0 a3=8 items=0 ppid=3312 pid=3349 auid=4294967295 uid=493 gid=487 euid=493 suid=493 fsuid=493 egid=487 sgid=487 fsgid=487 tty=(none) ses=4294967295 comm="icecc-scheduler" exe="/usr/sbin/icecc-scheduler" subj=system_u:system_r:icecc_scheduler_t:s0 key=(null)


audit2allow suggests:

#============= icecc_scheduler_t ==============
allow icecc_scheduler_t var_log_t:file { read write };
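
Read together, the two raw audit records above show which call was refused. The following is an added example (not part of the bug report or of the icecream package) that pairs the records by event ID and decodes the SYSCALL record. The function names and the `GENERIC_TYPES` heuristic are assumptions made for illustration.

```python
import errno
import os
import re

# The two records from the report above (SYSCALL trimmed to the fields used here).
AVC = ('node=(removed) type=AVC msg=audit(1243353993.668:31590): avc:  denied  '
       '{ read write } for  pid=3349 comm="icecc-scheduler" name="icecc-scheduler" '
       'dev=dm-0 ino=29622511 scontext=system_u:system_r:icecc_scheduler_t:s0 '
       'tcontext=system_u:object_r:var_log_t:s0 tclass=file')
SYSCALL = ('node=(removed) type=SYSCALL msg=audit(1243353993.668:31590): '
           'arch=c000003e syscall=21 success=no exit=-13 a0=1f18615 a1=6 a2=0 a3=8 '
           'comm="icecc-scheduler" exe="/usr/sbin/icecc-scheduler"')

# Only the entry this event needs: on x86_64 (arch c000003e) syscall 21 is access(2).
X86_64_SYSCALLS = {21: "access"}
# Assumption (triage heuristic, not from the report): shared types that many
# domains' files carry, so an allow rule on them reaches far beyond one file.
GENERIC_TYPES = {"var_log_t", "var_t", "tmp_t", "default_t", "unlabeled_t"}
ACCESS_BITS = (("R_OK", os.R_OK), ("W_OK", os.W_OK), ("X_OK", os.X_OK))

def fields(record):
    """Return the key=value pairs of one audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def event_id(record):
    """Timestamp:serial that ties the AVC and SYSCALL records together."""
    return re.search(r'msg=audit\(([\d.]+:\d+)\)', record).group(1)

def triage(avc, syscall):
    """Summarise one denial from its AVC record and the matching SYSCALL record."""
    if event_id(avc) != event_id(syscall):
        raise ValueError("records belong to different audit events")
    a, s = fields(avc), fields(syscall)
    name = X86_64_SYSCALLS.get(int(s["syscall"])) if s["arch"] == "c000003e" else None
    mode = int(s["a1"], 16)  # audit prints syscall arguments in hex
    target = a["tcontext"].split(":")[2]
    return {
        "perms": re.search(r'\{([^}]*)\}', avc).group(1).split(),
        "source_type": a["scontext"].split(":")[2],
        "target_type": target,
        "tclass": a["tclass"],
        "syscall": name,
        "access_mode": [n for n, b in ACCESS_BITS if name == "access" and mode & b],
        "errno": errno.errorcode.get(-int(s["exit"])),
        "generic_target": target in GENERIC_TYPES,
    }

if __name__ == "__main__":
    print(triage(AVC, SYSCALL))
```

For this event it reports an `access()` check for R_OK and W_OK that failed with EACCES on a `var_log_t` file. Because `var_log_t` is carried by many log files, the rule audit2allow prints would grant the scheduler domain read and write on all of them.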

Comment 1 Daniel Walsh 2009-08-13 14:59:00 UTC
Since this policy is not in the base selinux-policy package, it must be shipping with the package.

I have a feeling this is a mislabeled directory.

Comment 2 Michal Schmidt 2009-08-14 12:18:18 UTC
Yes, icecream ships its policy in the package. I need to resend the patch to the refpolicy mailing list to have it merged.

This is a real bug in my policy, not just a mislabelling. I'll fix it.

Comment 3 Fedora Update System 2009-08-15 22:08:58 UTC
icecream-0.9.4-3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/icecream-0.9.4-3.fc11

Comment 4 Fedora Update System 2009-08-17 21:54:07 UTC
icecream-0.9.4-3.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update icecream'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8665

Comment 5 Fedora Update System 2009-08-19 23:15:08 UTC
icecream-0.9.4-4.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update icecream'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8665

Comment 6 Fedora Update System 2009-09-09 01:50:36 UTC
icecream-0.9.4-4.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.