Bug 663584

Summary:	SELinux is preventing mysql_indexes from unix_read, unix_write access on the semaphore Unknown.
Product:	[Fedora] Fedora	Reporter:	Matthias Runge <mrunge>
Component:	selinux-policy	Assignee:	Miroslav Grepl <mgrepl>
Status:	CLOSED INSUFFICIENT_DATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	low
Version:	14	CC:	dwalsh, mgrepl
Target Milestone:	---
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:	setroubleshoot_trace_hash:988f2769f147f8f333af2617030283a86ea4d38f2e2a5a7175aa8b47a26f5ef2
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:
Clones:	663623 (view as bug list)		Environment:
Last Closed:	2011-05-26 20:26:49 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	663623

Description Matthias Runge 2010-12-16 09:47:46 UTC

SELinux is preventing mysql_indexes from unix_read, unix_write access on the semaphore Unknown.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mysql_indexes should be allowed unix_read unix_write access on the Unknown sem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mysql_indexes /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:services_munin_plugin_t:s0
Target Context                unconfined_u:system_r:services_munin_plugin_t:s0
Target Objects                Unknown [ sem ]
Source                        mysql_indexes
Source Path                   mysql_indexes
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-16.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.35.9-64.fc14.x86_64 #1 SMP Fri Dec 3 12:19:41
                              UTC 2010 x86_64 x86_64
Alert Count                   28
First Seen                    Thu 16 Dec 2010 10:40:05 CET
Last Seen                     Thu 16 Dec 2010 10:45:06 CET
Local ID                      b91c66b9-7afb-4de8-a0ce-f98011fcb75c

Raw Audit Messages
type=AVC msg=audit(1292492706.386:45854): avc:  denied  { unix_read unix_write } for  pid=9317 comm="mysql_tmp_table" key=1667461225  scontext=unconfined_u:system_r:services_munin_plugin_t:s0 tcontext=unconfined_u:system_r:services_munin_plugin_t:s0 tclass=sem

mysql_indexes,services_munin_plugin_t,services_munin_plugin_t,sem,unix_read,unix_write

#============= services_munin_plugin_t ==============
allow services_munin_plugin_t self:sem { unix_read unix_write };


Sadly, the proposed solution:

You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep mysql_indexes /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

does not fix the issue.

Comment 1 Matthias Runge 2010-12-16 10:04:05 UTC

The solution was proposed from new setroubleshoot-applet.

grep mysql_indexes /var/log/audit.... is empty. 

(the bug is: setroubleshoot applet suggests a solution, which does not fix the issue)

Comment 2 Miroslav Grepl 2010-12-16 12:40:24 UTC

Matthias, 
could you execute

# semanage permissive -a services_munin_plugin_t

and see if you get other avc messsages.

Comment 3 Daniel Walsh 2010-12-16 14:26:53 UTC

Mattieas, can you see if your audit.log rolled.

# grep mysql_indexes /var/log/audit/audit.log* | audit2allow -M mypol

Comment 4 Matthias Runge 2010-12-16 14:41:25 UTC

(In reply to comment #2)
> Matthias, 
> could you execute
> 
> # semanage permissive -a services_munin_plugin_t
> 
> and see if you get other avc messsages.

After executing semanage..
SELinux is preventing /usr/bin/perl from 'read, write' accesses on the semaphore Unknown.

Plugin: catchall 
you want to allow perl to have read write access on the Unknown semIf you believe that perl should be allowed read write access on the Unknown sem by default.
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep /usr/bin/perl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Comment 5 Matthias Runge 2010-12-16 14:51:08 UTC

I'll do now the grep Daniel suggested. 

audit.log get's those entries:

mypol.te:

module mypol 1.0;

require {
        type unconfined_t;
        type services_munin_plugin_t;
        type user_tmpfs_t;
        type tmpfs_t;
        class sem { write associate read create unix_read unix_write };
        class shm { unix_read associate read write getattr unix_write };
        class file { read write };
}

#============= services_munin_plugin_t ==============
allow services_munin_plugin_t self:sem { read write };
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t self:sem { unix_read create unix_write associate };
allow services_munin_plugin_t self:shm { write unix_read getattr unix_write associate read };
allow services_munin_plugin_t tmpfs_t:file { read write };
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t unconfined_t:sem { unix_read read write unix_write associate };
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t unconfined_t:shm { write unix_read getattr unix_write associate read };
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t user_tmpfs_t:file { read write };



Executing 
# grep /usr/bin/perl /var/log/audit/audit.log | audit2allow -M mypol
compilation failed:
mypol.te:6:ERROR 'syntax error' at token '' on line 6:

/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from mypol.te

results in this error :-/

[root@mrungexp ~]# rpm -q policycoreutils-python
policycoreutils-python-2.0.83-33.5.fc14.x86_64

Comment 6 Miroslav Grepl 2010-12-16 15:36:21 UTC

Matthias,
do you know which mysql munin plugin causes these AVC?


I am trying to build this policy using

# make -f /usr/share/selinux/devel/Makefile

and works fine. 

# cat mypol.te
module mypol 1.0;

require {
        type unconfined_t;
        type services_munin_plugin_t;
        type user_tmpfs_t;
        type tmpfs_t;
        class sem { write associate read create unix_read unix_write };
        class shm { unix_read associate read write getattr unix_write };
        class file { read write };
}

#============= services_munin_plugin_t ==============
allow services_munin_plugin_t self:sem { read write };
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t self:sem { unix_read create unix_write associate
};
allow services_munin_plugin_t self:shm { write unix_read getattr unix_write
associate read };
allow services_munin_plugin_t tmpfs_t:file { read write };
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t unconfined_t:sem { unix_read read write
unix_write associate };
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t unconfined_t:shm { write unix_read getattr
unix_write associate read };
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t user_tmpfs_t:file { read write };




# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypol.pp