Bug 663584
| Field | Value |
|---|---|
| Summary | SELinux is preventing mysql_indexes from unix_read, unix_write access on the semaphore Unknown. |
| Product | [Fedora] Fedora |
| Reporter | Matthias Runge <mrunge> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED INSUFFICIENT_DATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium |
| Docs Contact | |
| Priority | low |
| Version | 14 |
| CC | dwalsh, mgrepl |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | setroubleshoot_trace_hash:988f2769f147f8f333af2617030283a86ea4d38f2e2a5a7175aa8b47a26f5ef2 |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Clones | 663623 (view as bug list) |
| Environment | |
| Last Closed | 2011-05-26 20:26:49 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 663623 |
Description
Matthias Runge
2010-12-16 09:47:46 UTC
The solution was proposed from new setroubleshoot-applet.

grep mysql_indexes /var/log/audit.... is empty.

(the bug is: setroubleshoot applet suggests a solution, which does not fix the issue)

Matthias, could you execute

# semanage permissive -a services_munin_plugin_t

and see if you get other avc messages.

Matthias, can you see if your audit.log rolled.

# grep mysql_indexes /var/log/audit/audit.log* | audit2allow -M mypol

(In reply to comment #2)
> Matthias,
> could you execute
>
> # semanage permissive -a services_munin_plugin_t
>
> and see if you get other avc messages.

After executing semanage..

SELinux is preventing /usr/bin/perl from 'read, write' accesses on the semaphore Unknown.

Plugin: catchall

you want to allow perl to have read write access on the Unknown sem

If you believe that perl should be allowed read write access on the Unknown sem by default.
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep /usr/bin/perl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

I'll do now the grep Daniel suggested.

audit.log gets those entries:

mypol.te:

module mypol 1.0;

require {
	type unconfined_t;
	type services_munin_plugin_t;
	type user_tmpfs_t;
	type tmpfs_t;
	class sem { write associate read create unix_read unix_write };
	class shm { unix_read associate read write getattr unix_write };
	class file { read write };
}

#============= services_munin_plugin_t ==============
allow services_munin_plugin_t self:sem { read write };
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t self:sem { unix_read create unix_write associate };
allow services_munin_plugin_t self:shm { write unix_read getattr unix_write associate read };
allow services_munin_plugin_t tmpfs_t:file { read write };
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t unconfined_t:sem { unix_read read write unix_write associate };
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t unconfined_t:shm { write unix_read getattr unix_write associate read };
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t user_tmpfs_t:file { read write };

Executing

# grep /usr/bin/perl /var/log/audit/audit.log | audit2allow -M mypol
compilation failed:
mypol.te:6:ERROR 'syntax error' at token '' on line 6:
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from mypol.te

results in this error :-/

[root@mrungexp ~]# rpm -q policycoreutils-python
policycoreutils-python-2.0.83-33.5.fc14.x86_64

Matthias, do you know which mysql munin plugin causes these AVC?

I am trying to build this policy using

# make -f /usr/share/selinux/devel/Makefile

and works fine.

# cat mypol.te
module mypol 1.0;

require {
	type unconfined_t;
	type services_munin_plugin_t;
	type user_tmpfs_t;
	type tmpfs_t;
	class sem { write associate read create unix_read unix_write };
	class shm { unix_read associate read write getattr unix_write };
	class file { read write };
}

#============= services_munin_plugin_t ==============
allow services_munin_plugin_t self:sem { read write };
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t self:sem { unix_read create unix_write associate };
allow services_munin_plugin_t self:shm { write unix_read getattr unix_write associate read };
allow services_munin_plugin_t tmpfs_t:file { read write };
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t unconfined_t:sem { unix_read read write unix_write associate };
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t unconfined_t:shm { write unix_read getattr unix_write associate read };
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t user_tmpfs_t:file { read write };

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypol.pp