Bug 722381

Summary: selinux policy does not allow squeezeboxserver to start
Product: Red Hat Enterprise Linux 6
Reporter: Marko Karg <mkarg>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.1
CC: dwalsh, mmalik
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-104.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-12-06 10:09:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Marko Karg 2011-07-15 06:48:43 UTC
Description of problem:

selinux policy does not allow the squeezeboxserver application to open the my.cnf configuration file for mysql

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.7.19-93.el6_1.2.noarch

How reproducible:

always
Steps to Reproduce:

1. Have a RHEL 6.1 running in enforced mode
2. Install the squeezeboxserver software from Logitech and try to start it.
  
Actual results:

selinux denial:

type=AVC msg=audit(1310711263.912:62001): avc:  denied  { getattr } for  pid=637 comm="mysqld" path="/var/lib/squeezeboxserver/cache/my.cnf" dev=dm-0 ino=395089 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1310711263.912:62001): arch=c000003e syscall=4 success=no exit=-13 a0=7fffd9390090 a1=7fffd938cff0 a2=7fffd938cff0 a3=fffffffffffffffd items=0 ppid=635 pid=637 auid=0 uid=498 gid=496 euid=498 suid=498 fsuid=498 egid=496 sgid=496 fsgid=496 tty=(none) ses=136 comm="mysqld" exe="/usr/libexec/mysqld" subj=unconfined_u:system_r:mysqld_t:s0 key=(null)

Expected results:

Either the policy should allow the opening of my.cnf or at least allow a chcon of the necessary files, but that's also forbidden :(
Additional info:

Comment 2 Miroslav Grepl 2011-07-15 10:47:17 UTC
chcon -R -t mysqld_db_t /var/lib/squeezeboxserver

should fix.

What does

rpm -qf /var/lib/squeezeboxserver

Comment 3 Marko Karg 2011-07-15 10:56:16 UTC
[root@colossus ~]# chcon -R -t mysql_db_t /var/lib/squeezeboxserver/
[root@colossus ~]# rpm -qf /var/lib/squeezeboxserver/
squeezeboxserver-7.5.5-1.noarch
[root@colossus ~]# service squeezeboxserver stop
Stopping Squeezebox Server:                                [  OK  ]
[root@colossus ~]# setenforce 1
[root@colossus ~]# service squeezeboxserver start
Starting Squeezebox Server: [11-07-15 12:51:41.0877] main::init (326) Starting Squeezebox Server (v7.5.5, r32671, Mon Jul 11 12:56:10 MDT 2011) perl 5.010001
                                                           [  OK  ]
[root@colossus ~]# Could not open required defaults file: /var/lib/squeezeboxserver/cache/my.cnf
Fatal error in defaults handling. Program aborted
110715 12:51:41 [Warning] Can't create test file /var/lib/mysql/colossus.lower-test
110715 12:51:41 [Warning] Can't create test file /var/lib/mysql/colossus.lower-test
/usr/libexec/mysqld: Table 'mysql.plugin' doesn't exist
110715 12:51:41 [ERROR] Can't open the mysql.plugin table. Please run mysql_upgrade to create it.
110715 12:51:41  InnoDB: Operating system error number 13 in a file operation.
InnoDB: The error means mysqld does not have the access rights to
InnoDB: the directory.
InnoDB: File name ./ibdata1
InnoDB: File operation call: 'create'.
InnoDB: Cannot continue operation.

type=AVC msg=audit(1310727101.513:41513): avc:  denied  { search } for  pid=11889 comm="mysqld" name="squeezeboxserver" dev=dm-0 ino=394590 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=SYSCALL msg=audit(1310727101.513:41513): arch=c000003e syscall=4 success=no exit=-13 a0=7fff4137ee90 a1=7fff4137bdf0 a2=7fff4137bdf0 a3=fffffffffffffffd items=0 ppid=11887 pid=11889 auid=0 uid=498 gid=496 euid=498 suid=498 fsuid=498 egid=496 sgid=496 fsgid=496 tty=(none) ses=18 comm="mysqld" exe="/usr/libexec/mysqld" subj=unconfined_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1310727131.949:41514): avc:  denied  { search } for  pid=11940 comm="mysqld" name="squeezeboxserver" dev=dm-0 ino=394590 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=SYSCALL msg=audit(1310727131.949:41514): arch=c000003e syscall=4 success=no exit=-13 a0=7fff72b25d30 a1=7fff72b22c90 a2=7fff72b22c90 a3=fffffffffffffffd items=0 ppid=11887 pid=11940 auid=0 uid=498 gid=496 euid=498 suid=498 fsuid=498 egid=496 sgid=496 fsgid=496 tty=(none) ses=18 comm="mysqld" exe="/usr/libexec/mysqld" subj=unconfined_u:system_r:mysqld_t:s0 key=(null)

Comment 4 Miroslav Grepl 2011-07-15 11:28:47 UTC
Typo, I meant

chcon -R -t mysqld_db_t /var/lib/squeezeboxserver/

Comment 5 Marko Karg 2011-07-15 11:39:19 UTC
ah, could have figured that out myself :)

That did the trick, but what about the policy, what will happen when the system gets relabeled?

Comment 6 Marko Karg 2011-07-15 11:39:35 UTC
Not to forget: Thanks!

Comment 7 Miroslav Grepl 2011-07-15 14:06:40 UTC
Because of

rpm -qf /var/lib/squeezeboxserver/
squeezeboxserver-7.5.5-1.noarch

we can add this label to the default policy.
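
The two AVC records quoted in this bug both show the same pattern: the confined domain (mysqld_t) is denied on an object whose type is not a mysqld type (var_lib_t before any relabel, unlabeled_t after the mistyped chcon). The script below is an added example, not part of the bug report or of selinux-policy: it parses constructed copies of those two records into domain, target type, class, permission and object, and for the mysqld_t-on-wrong-type case prints the relabel. The shipped fix was a file-context rule in selinux-policy-3.7.19-104.el6; recording the same mysqld_db_t label locally with `semanage fcontext` followed by `restorecon`, so that it survives the relabel asked about in comment 5, is this example's assumption about the equivalent local workaround, not something the thread states. The commands are printed, not executed.

```shell
#!/bin/sh
# Added example: parse the AVC denials from this report and derive a
# persistent relabel. Input is constructed (copied from the bug), and the
# semanage/restorecon pair is an assumed local analogue of the chcon in
# comment 4, not the selinux-policy fix itself.

# Constructed sample records: the two distinct AVC lines quoted in this bug.
AVC1='type=AVC msg=audit(1310711263.912:62001): avc:  denied  { getattr } for  pid=637 comm="mysqld" path="/var/lib/squeezeboxserver/cache/my.cnf" dev=dm-0 ino=395089 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file'
AVC2='type=AVC msg=audit(1310727101.513:41513): avc:  denied  { search } for  pid=11889 comm="mysqld" name="squeezeboxserver" dev=dm-0 ino=394590 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir'

# avc_field RECORD KEY: print the value of KEY=value, surrounding quotes stripped
# (prints nothing when the key is absent).
avc_field() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]'"$2"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# avc_perm RECORD: print the denied permission from the "{ perm }" group.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type, i.e. the third colon-separated field of a context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD: one line "domain target_type tclass perm object".
# File denials carry path=, directory denials only carry name=.
avc_summary() {
    rec=$1
    obj=$(avc_field "$rec" path)
    [ -n "$obj" ] || obj=$(avc_field "$rec" name)
    printf '%s %s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$rec" scontext)")" \
        "$(ctx_type "$(avc_field "$rec" tcontext)")" \
        "$(avc_field "$rec" tclass)" \
        "$(avc_perm "$rec")" \
        "$obj"
}

# suggested_fix DOMAIN TARGET_TYPE DIR: print the persistent relabel for the
# case this bug hit (mysqld_t denied on data carrying a generic or missing
# label). mysqld_db_t is the type used with chcon in comment 4; storing it as
# a local fcontext rule is the assumed way to keep it across a relabel.
suggested_fix() {
    domain=$1; ttype=$2; dir=$3
    case "$domain:$ttype" in
        mysqld_t:var_lib_t|mysqld_t:unlabeled_t)
            printf "semanage fcontext -a -t mysqld_db_t '%s(/.*)?'\n" "$dir"
            printf 'restorecon -Rv %s\n' "$dir"
            ;;
        *)
            printf 'no rule for %s on %s\n' "$domain" "$ttype"
            return 1
            ;;
    esac
}

# Summarise both records, then print the relabel for the affected tree.
for rec in "$AVC1" "$AVC2"; do
    avc_summary "$rec"
done
suggested_fix mysqld_t var_lib_t /var/lib/squeezeboxserver
```

The summary lines are what to compare against the expected labelling: the first record names the file that mysqld opens, the second the directory it searches, and in both the target type is the only thing wrong, which is why a relabel rather than a policy `allow` rule is the right fix.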

Comment 8 Miroslav Grepl 2011-07-20 10:10:43 UTC
Fixed in selinux-policy-3.7.19-104.el6

Comment 11 errata-xmlrpc 2011-12-06 10:09:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html