Bug 722579

Summary: SELinux prevents ricci from installing RPMs.
Product: Red Hat Enterprise Linux 5 Reporter: Brandon Perkins <bperkins>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.7CC: cluster-maint, dwalsh, jpokorny, ksrot, mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-2.4.6-318.el5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 746351 (view as bug list) Environment:
Last Closed: 2012-02-21 05:47:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Brandon Perkins 2011-07-15 17:38:17 UTC 
Description of problem:
SELinux prevents ricci from installing RPMs.

Version-Release number of selected component (if applicable):
ricci-0.12.2-32.el5

How reproducible:
Always.

Steps to Reproduce:
1. Setup luci.
2. Install ricci and start it.
3. Add system to luci and tell it to install packages.
  
Actual results:
Luci gets stuck with "Node still being created" on the install step.

Expected results:
RPMs are installed.

Additional info:

Summary:

SELinux is preventing ricci-modrpm (ricci_modrpm_t) "create" to <Unknown>
(ricci_modrpm_t).

Detailed Description:

SELinux denied access requested by ricci-modrpm. It is not expected that this
access is required by ricci-modrpm and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:ricci_modrpm_t
Target Context                system_u:system_r:ricci_modrpm_t
Target Objects                None [ unix_dgram_socket ]
Source                        ricci-modrpm
Source Path                   /usr/libexec/ricci-modrpm
Port                          <Unknown>
Host                          rhel5pool-01.dhcp151-178.mpc.lab.eng.bos.redhat.co
                              m
Source RPM Packages           ricci-0.12.2-32.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-316.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     rhel5pool-01.dhcp151-178.mpc.lab.eng.bos.redhat.co
                              m
Platform                      Linux rhel5pool-01.dhcp151-178.mpc.lab.eng.bos.red
                              hat.com 2.6.18-274.el5 #1 SMP Fri Jul 8 17:36:59
                              EDT 2011 x86_64 x86_64
Alert Count                   4
First Seen                    Fri Jul 15 12:57:52 2011
Last Seen                     Fri Jul 15 12:57:53 2011
Local ID                      b4848e92-8759-4886-aae8-5871c4ddafb8
Line Numbers                  

Raw Audit Messages            

host=rhel5pool-01.dhcp151-178.mpc.lab.eng.bos.redhat.com type=AVC msg=audit(1310749073.49:144): avc:  denied  { create } for  pid=5490 comm="ricci-modrpm" scontext=system_u:system_r:ricci_modrpm_t:s0 tcontext=system_u:system_r:ricci_modrpm_t:s0 tclass=unix_dgram_socket

host=rhel5pool-01.dhcp151-178.mpc.lab.eng.bos.redhat.com type=SYSCALL msg=audit(1310749073.49:144): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=2 a2=0 a3=7db items=0 ppid=5488 pid=5490 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ricci-modrpm" exe="/usr/libexec/ricci-modrpm" subj=system_u:system_r:ricci_modrpm_t:s0 key=(null)
Comment 2 Miroslav Grepl 2011-09-29 11:28:59 UTC 
Fixed in selinux-policy-2.4.6-317.el5
Comment 4 Brandon Perkins 2011-10-04 17:32:11 UTC 
The issue described in the original description appears to be fixed (using selinux-policy-2.4.6-317.el5 and ricci-0.12.2-33.el5).  However, that then exposes the next issue.  While not related to the original installation of RPMs, which is in fact working now, it appears ricci is unable to start the daemons for a similar reason.  I am happy to open this as a new bug if that's preferred.





Summary:

SELinux is preventing ricci-modservic (ricci_modservice_t) "create" to <Unknown>
(ricci_modservice_t).

Detailed Description:

SELinux denied access requested by ricci-modservic. It is not expected that this
access is required by ricci-modservic and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:ricci_modservice_t
Target Context                system_u:system_r:ricci_modservice_t
Target Objects                None [ unix_dgram_socket ]
Source                        ricci-modservic
Source Path                   /usr/libexec/ricci-modservice
Port                          <Unknown>
Host                          bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com
Source RPM Packages           ricci-0.12.2-33.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-317.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com
Platform                      Linux
                              bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com
                              2.6.18-274.3.1.el5 #1 SMP Fri Aug 26 18:49:02 EDT
                              2011 x86_64 x86_64
Alert Count                   4
First Seen                    Tue Oct  4 13:26:46 2011
Last Seen                     Tue Oct  4 13:26:46 2011
Local ID                      932f9ada-a4cc-4ca7-8149-02ce9f8b91ce
Line Numbers                  

Raw Audit Messages            

host=bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com type=AVC msg=audit(1317749206.35:39): avc:  denied  { create } for  pid=19400 comm="ricci-modservic" scontext=system_u:system_r:ricci_modservice_t:s0 tcontext=system_u:system_r:ricci_modservice_t:s0 tclass=unix_dgram_socket

host=bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com type=SYSCALL msg=audit(1317749206.35:39): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=2 a2=0 a3=7db items=0 ppid=19398 pid=19400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ricci-modservic" exe="/usr/libexec/ricci-modservice" subj=system_u:system_r:ricci_modservice_t:s0 key=(null)
Comment 5 Miroslav Grepl 2011-10-05 05:05:21 UTC 
Ok, this is a different AVC msg.
Comment 6 Jan Pokorný [poki] 2011-10-14 21:28:14 UTC 
SELinux prevents ricci from starting/stopping services -> cloned bug 746351
Comment 9 Miroslav Grepl 2011-10-20 14:37:42 UTC 
Fixed in selinux-policy-2.4.6-318.el5
Comment 13 errata-xmlrpc 2012-02-21 05:47:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0158.html