Bug 590234

Summary: mrepo avc failure
Product: Fedora
Reporter: Need Real Name <lsof>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: dwalsh, lsof, mgrepl
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-05-11 17:44:30 UTC
Bug Depends On: 590233

Description Need Real Name 2010-05-08 09:01:01 UTC
There is a bug in the mrepo init script that prevents it from working. See bug 

You need to comment out the first line in the start() function:

start() {
#    [ -x $exec ] || exit 5

Once that works, mrepo fails to start in enforcing mode. The following avc is given:

type=AVC msg=audit(1273309126.732:319): avc:  denied  { read } for  pid=1371 comm="mount" name="mrepo" dev=dm-2 ino=6347 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1273309126.732:319): arch=c000003e syscall=4 success=no exit=-13 a0=7fffee7b692c a1=7fffee7b45f0 a2=7fffee7b45f0 a3=7fffee7b4370 items=0 ppid=1370 pid=1371 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="mount" exe="/bin/mount" subj=unconfined_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1273309126.732:320): avc:  denied  { read } for  pid=1371 comm="mount" name="mrepo" dev=dm-2 ino=6347 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1273309126.732:320): arch=c000003e syscall=89 success=no exit=-13 a0=7fffee7b2550 a1=7fffee7b3560 a2=1000 a3=7fffee7b22b0 items=0 ppid=1370 pid=1371 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="mount" exe="/bin/mount" subj=unconfined_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1273309126.733:321): avc:  denied  { read } for  pid=1371 comm="mount" name="mrepo" dev=dm-2 ino=6347 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1273309126.733:321): arch=c000003e syscall=2 success=no exit=-13 a0=7f2d2af41880 a1=0 a2=7f2d2a365538 a3=7fffee7b3eb0 items=0 ppid=1370 pid=1371 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="mount" exe="/bin/mount" subj=unconfined_u:system_r:mount_t:s0 key=(null)

-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/mrepo

Comment 1 Daniel Walsh 2010-05-10 18:04:44 UTC
Do you have a symbolic link in /var/ that mount is trying to read?

Comment 2 Need Real Name 2010-05-11 16:58:33 UTC
Ah. Yes. Forgot about that.

mrepo -> /var/lib/libvirt/boot/

All isos in one place.

Comment 3 Daniel Walsh 2010-05-11 17:44:30 UTC
You can add the rule using audit2allow.

# grep var /var/log/audit/audit.log | audit2allow -M mymrepo
# semodule -i mymrepo.pp
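As an added example (not code from the bug report or from the selinux-policy project), the following Python script parses AVC records like the ones quoted in the description and collapses them into the allow rule that audit2allow would generate, so you can see exactly what a module built from `grep var` would grant; the sample log is constructed from the records above.

```python
import re
from collections import defaultdict

# Constructed sample: the first AVC/SYSCALL pair quoted in the bug description plus a
# second AVC record, so the SYSCALL line is skipped and duplicate denials collapse.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1273309126.732:319): avc:  denied  { read } for  pid=1371 comm="mount" name="mrepo" dev=dm-2 ino=6347 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1273309126.732:319): arch=c000003e syscall=4 success=no exit=-13 comm="mount" exe="/bin/mount" subj=unconfined_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1273309126.733:321): avc:  denied  { read } for  pid=1371 comm="mount" name="mrepo" dev=dm-2 ino=6347 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
"""

AVC_HEAD = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
KEYVAL = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC record, or None for any other audit record type."""
    head = AVC_HEAD.search(line)
    if not line.startswith("type=AVC") or head is None:
        return None
    fields = {k: v.strip('"') for k, v in KEYVAL.findall(line)}
    return {
        "action": head.group(1),
        "perms": head.group(2).split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        # SELinux contexts are user:role:type:level; policy rules are written on the type.
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def denials_to_rules(lines):
    """Collapse denied AVC records into the allow rules audit2allow would emit."""
    wanted = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["action"] == "denied":
            wanted[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(wanted.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        # Scope check: this grants mount_t read on every var_t symlink, not only mrepo.
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, body))
    return rules

if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_AUDIT_LOG.splitlines())))
```

Run against the real log with `denials_to_rules(open("/var/log/audit/audit.log"))` to review the rule set before loading a module with semodule.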