Bug 585717

Summary: SELinux is preventing /usr/bin/updatedb "getattr" access to /var/lib/qpidd.
Product: Red Hat Enterprise Linux 6 Reporter: Joshua Kramer <jkramer>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: low    
Version: 6.0CC: dwalsh
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-04-29 12:25:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Joshua Kramer 2010-04-25 18:42:43 UTC 
Description of problem:

If you leave the server running long enough with SETroubleshoot running, you get a message in SETroubleshoot:

Summary:

SELinux is preventing /usr/bin/updatedb "getattr" access to /var/lib/qpidd.

Detailed Description:

[updatedb has a permissive type (locate_t). This access was not denied.]

SELinux denied access requested by updatedb. /var/lib/qpidd may be a mislabeled.
/var/lib/qpidd default SELinux type is var_lib_t, but its current type is
unlabeled_t. Changing this file back to the default type, may fix your problem.

File contexts can be assigned to a file in the following ways.

  * Files created in a directory receive the file context of the parent
    directory by default.
  * The SELinux policy might override the default label inherited from the
    parent directory by specifying a process running in context A which creates
    a file in a directory labeled B will instead create the file with label C.
    An example of this would be the dhcp client running with the dhclient_t type
    and creating a file in the directory /etc. This file would normally receive
    the etc_t type due to parental inheritance but instead the file is labeled
    with the net_conf_t type because the SELinux policy specifies this.
  * Users can change the file context on a file using tools such as chcon, or
    restorecon.

This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.

If you believe this is a bug, please file a bug report against this package.

Allowing Access:

You can restore the default system context to this file by executing the
restorecon command. restorecon '/var/lib/qpidd', if this file is a directory,
you can recursively restore using restorecon -R '/var/lib/qpidd'.

Fix Command:

/sbin/restorecon '/var/lib/qpidd'

Additional Information:

Source Context                system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                /var/lib/qpidd [ dir ]
Source                        updatedb
Source Path                   /usr/bin/updatedb
Port                          <Unknown>
Host                          RHEL6-64
Source RPM Packages           mlocate-0.22.2-2.el6
Target RPM Packages           qpid-cpp-server-0.6.895736-3.el6
Policy RPM                    selinux-policy-3.7.17-5.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   restorecon
Host Name                     RHEL6-64
Platform                      Linux RHEL6-64 2.6.32-19.el6.x86_64 #1 SMP Tue Mar
                              9 17:48:46 EST 2010 x86_64 x86_64
Alert Count                   0
First Seen                    Sun 25 Apr 2010 02:06:17 PM EDT
Last Seen                     Sun 25 Apr 2010 02:06:17 PM EDT
Local ID                      741aed1d-2cd1-4b32-9d77-8d0c74212b02
Line Numbers                  

Raw Audit Messages            

node=RHEL6-64 type=AVC msg=audit(1272218777.527:90): avc:  denied  { getattr } for  pid=4012 comm="updatedb" path="/var/lib/qpidd" dev=dm-0 ino=140736 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir

node=RHEL6-64 type=SYSCALL msg=audit(1272218777.527:90): arch=c000003e syscall=6 success=yes exit=4294967424 a0=ae4e39 a1=7fff692e9100 a2=7fff692e9100 a3=3759c7e7b0 items=0 ppid=4006 pid=4012 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)
Comment 2 RHEL Program Management 2010-04-25 20:19:28 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 3 Kim van der Riet 2010-04-28 19:47:55 UTC 
A new install of qpid-cpp-server (0.7.935473-1.el6) on a fresh RHEL-6 (RHEL6.0-20100428.n.0_nfs-Server) shows that the /var/lib/qpidd dir has the following properties:

[root@mrg10 ~]# history
    1  history
[root@mrg10 ~]# yum install qpid-cpp-server
...
Complete!
[root@mrg10 ~]# service qpidd start
Starting Qpid AMQP daemon:                                 [  OK  ]
[root@mrg10 ~]# ls -Z /var/lib
...
drwxr-xr-x. qpidd   qpidd   system_u:object_r:qpidd_var_lib_t:s0 qpidd
...

I am uncertain of how the condition described above arose. Is it possible that this was run prior to the recent updates to the base policy for qpidd?
Comment 4 Daniel Walsh 2010-04-29 12:25:36 UTC 
unlabeled_t means the directory has a label on it that the kernel does not understand.  Perhaps you installed a bad policy from a previous version of RHEL6 that the current policy does not understand.  You can run fixfiles restore to make sure the system is totally labeled the way SELinux expects.  If this happens again reopen the bug.