Bug 864931

Summary: SELinux is preventing firewalld from 'getattr' accesses on the directory /var/lib/rpm.
Product: [Fedora] Fedora Reporter: Ernesto <equistango>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: dominick.grift, dwalsh, jpopelka, mgrepl, twoerner
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:3862bf8d7a87bc2c38ea5481de415bc6445a217fd046c255a8c1706a232e324b
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-20 15:36:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: type
none
File: hashmarkername none

Description Ernesto 2012-10-10 12:25:03 UTC 
Additional info:
libreport version: 2.0.15
kernel:         3.6.1-1.fc18.x86_64

description:
:SELinux is preventing firewalld from 'getattr' accesses on the directory /var/lib/rpm.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If cree que de manera predeterminada, firewalld debería permitir acceso getattr sobre  rpm directory.     
:Then debería reportar esto como un error.
:Puede generar un módulo de política local para permitir este acceso.
:Do
:permita el acceso momentáneamente executando:
:# grep firewalld /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:firewalld_t:s0
:Target Context                system_u:object_r:rpm_var_lib_t:s0
:Target Objects                /var/lib/rpm [ dir ]
:Source                        firewalld
:Source Path                   firewalld
:Port                          <Desconocido>
:Host                          (removed)
:Source RPM Packages           
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.11.1-32.fc18.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.1-1.fc18.x86_64 #1 SMP Mon Oct
:                              8 17:19:09 UTC 2012 x86_64 x86_64
:Alert Count                   3
:First Seen                    2012-10-06 12:23:00 ART
:Last Seen                     2012-10-10 05:59:31 ART
:Local ID                      b5d4a0fa-36e0-43f2-9e1c-676c18129309
:
:Raw Audit Messages
:type=AVC msg=audit(1349859571.821:14): avc:  denied  { getattr } for  pid=620 comm="firewalld" path="/var/lib/rpm" dev="sda2" ino=1704188 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
:
:
:Hash: firewalld,firewalld_t,rpm_var_lib_t,dir,getattr
:
:audit2allow
:
:#============= firewalld_t ==============
:allow firewalld_t rpm_var_lib_t:dir getattr;
:
:audit2allow -R
:
:#============= firewalld_t ==============
:allow firewalld_t rpm_var_lib_t:dir getattr;
:
Comment 1 Ernesto 2012-10-10 12:25:07 UTC 
Created attachment 624837 [details]
File: type
Comment 2 Ernesto 2012-10-10 12:25:10 UTC 
Created attachment 624838 [details]
File: hashmarkername
Comment 3 Daniel Walsh 2012-10-10 12:44:37 UTC 
Does firewalld do anything with rpm?
Comment 4 Thomas Woerner 2012-10-10 12:51:11 UTC 
No, besides providing rpm packages, there is no rpm use in firewalld.
Comment 5 Daniel Walsh 2012-10-10 13:08:04 UTC 
Ernesto do you have a file system mounted at /var/lib/rpm?

Did this AVC happen during an update?
Comment 6 Ernesto 2012-10-10 15:26:58 UTC 
Daniel, /var/lib/rpm is not a mountpoint (I hope that's what you are asking). It's inside my only EXT4 partition (/).
Yes, this was during a "yum update" from a terminal (I have uninstalled some time ago the graphical update notification thing, don't know if that's important).
Comment 7 Daniel Walsh 2012-10-10 18:49:42 UTC 
Ok most likely this is a leak or something happening because the process was sitting in /var/lib/rpm when it got restarted.  I think I will just dontaudit this access in the future to prevent these random AVCs.
Comment 8 Daniel Walsh 2012-10-10 18:52:51 UTC 
Fixed in selinux-policy-3.11.1-36.fc18.noarch
Comment 9 Fedora Update System 2012-10-11 09:05:08 UTC 
selinux-policy-3.11.1-36.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-36.fc18
Comment 10 Fedora Update System 2012-10-11 17:23:43 UTC 
Package selinux-policy-3.11.1-36.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-36.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15934/selinux-policy-3.11.1-36.fc18
then log in and leave karma (feedback).
Comment 11 Fedora Update System 2012-12-20 15:36:04 UTC 
selinux-policy-3.11.1-36.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.