| Summary: | SELinux is preventing /usr/bin/ccache from 'unlink' accesses on the lnk_file stats.lock. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:00508b7baaa601ce240189624f0d81ab29ae49ae07bf15cd1f803bb55228f199 | ||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-02-10 08:32:37 UTC | Type: | --- |
From the report, clearly I was running mock at the time. I don't do anything very complicated with it, just rebuild SRPMS. The target would have been fedora-rawhide-x86_64.

Actually I have a whole ton of alerts from this time which may be the result of using mock with SELinux in permissive mode? Not sure.

Adam, can you run them all through audit2allow?

```
ausearch -m avc -ts recent | audit2allow
```

I, er, deleted 'em. =) I'll run mock again and see if they come back.

Well, we should at least add

```
manage_lnk_files_pattern(mock_t, mock_cache_t, mock_cache_t)
```
```
SELinux is preventing /usr/bin/ccache from 'unlink' accesses on the lnk_file stats.lock.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that ccache should be allowed unlink access on the stats.lock lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ccache /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mock_t:s0
Target Context                unconfined_u:object_r:mock_cache_t:s0
Target Objects                stats.lock [ lnk_file ]
Source                        ccache
Source Path                   /usr/bin/ccache
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ccache-3.1.4-1.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.13-4.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.37-2.fc15.x86_64 #1 SMP Fri Jan 7 14:57:36 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 23 Jan 2011 05:46:26 PM PST
Last Seen                     Sun 23 Jan 2011 05:46:26 PM PST
Local ID                      02f92b9e-4d51-4a12-a676-6d42cd25a66d

Raw Audit Messages
type=AVC msg=audit(1295833586.871:1102): avc: denied { unlink } for pid=12200 comm="ccache" name="stats.lock" dev=dm-0 ino=789816 scontext=unconfined_u:unconfined_r:mock_t:s0 tcontext=unconfined_u:object_r:mock_cache_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1295833586.871:1102): arch=x86_64 syscall=unlink success=yes exit=0 a0=d6a330 a1=d6a330 a2=7fff9cae883f a3=7fff9cae85d0 items=0 ppid=4947 pid=12200 auid=501 uid=501 gid=486 euid=501 suid=501 fsuid=501 egid=486 sgid=486 fsgid=486 tty=pts1 ses=1 comm=ccache exe=/usr/bin/ccache subj=unconfined_u:unconfined_r:mock_t:s0 key=(null)

Hash: ccache,mock_t,mock_cache_t,lnk_file,unlink

audit2allow

#============= mock_t ==============
allow mock_t mock_cache_t:lnk_file unlink;

audit2allow -R

#============= mock_t ==============
allow mock_t mock_cache_t:lnk_file unlink;
```
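An added example, not part of the original bug report and not audit2allow's own code: a minimal Python parser that reduces AVC denial records like the one above to allow rules, and uses the paired SYSCALL record (same audit event id) to tell whether the access was actually blocked. The function names are hypothetical, the SYSCALL record is shortened, and the third sample record is constructed.

```python
import re
from collections import defaultdict

# First two records are from the report (SYSCALL shortened); the third AVC
# is constructed here to show how permissions on one object class merge.
SAMPLE = """\
type=AVC msg=audit(1295833586.871:1102): avc: denied { unlink } for pid=12200 comm="ccache" name="stats.lock" dev=dm-0 ino=789816 scontext=unconfined_u:unconfined_r:mock_t:s0 tcontext=unconfined_u:object_r:mock_cache_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1295833586.871:1102): arch=x86_64 syscall=unlink success=yes exit=0 pid=12200 comm=ccache exe=/usr/bin/ccache
type=AVC msg=audit(1295833590.100:1103): avc: denied { read create } for pid=12201 comm="ccache" name="stats.lock" scontext=unconfined_u:unconfined_r:mock_t:s0 tcontext=unconfined_u:object_r:mock_cache_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<id>[^)]+)\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)")
SYS_RE = re.compile(r"type=SYSCALL msg=audit\((?P<id>[^)]+)\):.*?\bsuccess=(?P<ok>\w+)")


def sel_type(context):
    """The type is the third field of user:role:type:level."""
    return context.split(":")[2]


def parse(log):
    """Return (rules, unenforced): merged denials and event ids not blocked."""
    rules = defaultdict(set)      # (source type, target type, class) -> perms
    denied, succeeded = set(), set()
    for line in log.splitlines():
        avc, sysc = AVC_RE.search(line), SYS_RE.search(line)
        if avc:
            key = (sel_type(avc["src"]), sel_type(avc["tgt"]), avc["cls"])
            rules[key].update(avc["perms"].split())
            denied.add(avc["id"])
        elif sysc and sysc["ok"] == "yes":
            succeeded.add(sysc["id"])
    # A "denied" AVC whose syscall still succeeded was only logged, which is
    # what permissive mode produces (the report shows Enforcing Mode Permissive).
    return rules, sorted(denied & succeeded)


def allow_rules(rules):
    """Render rules in the same syntax as the audit2allow output above."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out


if __name__ == "__main__":
    rules, unenforced = parse(SAMPLE)
    print("\n".join(allow_rules(rules)))
    print("logged but not blocked:", unenforced)
```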