| Summary: | SELinux is preventing /usr/bin/updatedb from 'getattr' accesses on the directory /var/run/qpidd. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dmitri Pal <dpal> |
| Component: | qpid-cpp | Assignee: | Nuno Santos <nsantos> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 14 | CC: | aortega, browning48ky, don_bower, dtdraganov, dwalsh, fybanez, jiandingzhe, mgrepl, nsantos, robert.l.kief, sergeygraf.rus, viabsb |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:a00c2080cd7e3cacb65d5fb9d1bbf74c50152995a07652cc9ad817181f943ea3 | ||
| Fixed In Version: | qpid-cpp-0.8-4.fc15 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-08-16 22:27:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Why is qpidd shipping a policy? selinux-policy is shipping a policy with the same name. qpidd removing the policy is causing the labels to be removed. dmitri the way to fix this is to execute # semodule -i /usr/share/selinux/targeted/qpidd.pp.tgz Fixed at qpid-cpp-0.8-4.fc15, see http://koji.fedoraproject.org/koji/buildinfo?buildID=217467 This message is a notice that Fedora 14 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 14. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '14' have been closed as WONTFIX. (Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.) Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version. Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 14 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping *** Bug 876215 has been marked as a duplicate of this bug. *** |
I am not sure it is a bug. Saw an alert and decided to submit it for evaluation. ====================================== SELinux is preventing /usr/bin/updatedb from 'getattr' accesses on the directory /var/run/qpidd. ***** Plugin restorecon (94.8 confidence) suggests ************************* If you want to fix the label. /var/run/qpidd default label should be var_lib_t. Then you can run restorecon. Do # /sbin/restorecon -v /var/run/qpidd ***** Plugin catchall_labels (5.21 confidence) suggests ******************** If you want to allow updatedb to have getattr access on the qpidd directory Then you need to change the label on /var/run/qpidd Do # semanage fcontext -a -t FILE_TYPE '/var/run/qpidd' where FILE_TYPE is one of the following: abrt_var_run_t, sysctl_crypto_t, samba_var_t, locate_var_lib_t, avahi_var_run_t, setrans_var_run_t, net_conf_t, inotifyfs_t, dirsrv_var_run_t, anon_inodefs_t, sysctl_t, abrt_t, bin_t, lib_t, mnt_t, nscd_var_run_t, nslcd_var_run_t, root_t, slapd_var_run_t, sssd_var_lib_t, tmp_t, usr_t, var_t, file_type, device_t, etc_t, proc_t, textrel_shlib_t, bin_t, cert_t, rpm_script_tmp_t, usr_t, var_t, security_t, winbind_var_run_t, noxattrfs, filesystem_type, device_t, sssd_public_t, locale_t, locate_t, default_t, etc_t, proc_t, rpm_tmp_t, likewise_var_lib_t, var_run_t, krb5_conf_t, rpm_log_t, var_log_t, var_lib_t, var_run_t, nscd_var_run_t, pcscd_var_run_t, var_t, var_t, var_run_t, var_run_t. Then execute: restorecon -v '/var/run/qpidd' ***** Plugin catchall (1.44 confidence) suggests *************************** If you believe that updatedb should be allowed getattr access on the qpidd directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep updatedb /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:locate_t:s0-s0:c0.c1023 Target Context system_u:object_r:unlabeled_t:s0 Target Objects /var/run/qpidd [ dir ] Source updatedb Source Path /usr/bin/updatedb Port <Unknown> Host (removed) Source RPM Packages mlocate-0.23.1-1.fc14.1 Target RPM Packages qpid-cpp-server-0.7.946106-3.fc14 Policy RPM selinux-policy-3.9.7-19.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.35.10-72.fc14.i686.PAE #1 SMP Mon Dec 20 21:47:25 UTC 2010 i686 i686 Alert Count 2 First Seen Fri 21 Jan 2011 01:27:13 PM EST Last Seen Fri 21 Jan 2011 01:27:13 PM EST Local ID 69f2f935-c492-4a03-bf11-2ace3145e750 Raw Audit Messages type=AVC msg=audit(1295634433.997:645): avc: denied { getattr } for pid=29889 comm="updatedb" path="/var/run/qpidd" dev=dm-0 ino=1190637 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir updatedb,locate_t,unlabeled_t,dir,getattr type=SYSCALL msg=audit(1295634433.997:645): arch=i386 syscall=lstat64 success=no exit=EACCES a0=8f15899 a1=bfe22260 a2=c2cff4 a3=0 items=0 ppid=29883 pid=29889 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=74 comm=updatedb exe=/usr/bin/updatedb subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null) updatedb,locate_t,unlabeled_t,dir,getattr #============= locate_t ============== allow locate_t unlabeled_t:dir getattr;