Bug 884370
Summary: | SELinux is preventing /usr/bin/rrdtool from 'setattr' accesses on the directory /var/cache/fontconfig. | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Ken Dreyer <ktdreyer> |
Component: | selinux-policy | Assignee: | Eric Paris <eparis> |
Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 19 | CC: | d.busby, dominick.grift, dwalsh, dyocum, gansalmon, itamar, jforbes, jonathan, kernel-maint, komusubi, lvrabec, madhu.chinakonda, mgrepl |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Unspecified | | |
Whiteboard: | abrt_hash:361651a1769b5ae89ce9e9bcd632eec02d581331f087a9e701c4b274397c00cb | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2014-03-26 14:27:29 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |

Description
Ken Dreyer
2012-12-06 04:33:37 UTC
Er, and when I say "Cacti from EPEL", I meant "Cacti from Rawhide". Hopefully you get the idea :)

Setattr check should happen for DAC before it happens for SELinux. Then this AVC would not happen. Forces us to write bad policy.

This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Is this still a problem with 3.9 based F19 kernels?

This bug is being closed with INSUFFICIENT_DATA as there has not been a response in 2 weeks. If you are still experiencing this issue, please reopen and attach the relevant data from the latest kernel you are running and any data that might have been requested previously.

Affects: CentOS release 6.5 (Final)

Installed versions:

    cacti-0.8.8b-3.el6.noarch
    selinux-policy-3.7.19-231.el6_5.1.noarch
    selinux-policy-minimum-3.7.19-231.el6_5.1.noarch
    selinux-policy-targeted-3.7.19-231.el6_5.1.noarch
    selinux-policy-mls-3.7.19-231.el6_5.1.noarch

SEStatus:

---

    SELinux status: enabled
    SELinuxfs mount: /selinux
    Current mode: enforcing
    Mode from config file: enforcing
    Policy version: 24
    Policy from config file: targeted

---

Audit.log

---

    type=AVC msg=audit(1395841586.356:6315): avc: denied { setattr } for pid=20032 comm="rrdtool" name="fontconfig" dev=dm-0 ino=3670514 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir

---

Workaround .te file (allows RRD to setattr on dir; note this does not allow DAC override).

---

    module rrdtool-setattr-fontcache 1.0;

    require {
        type httpd_t;
        type fonts_cache_t;
        class dir setattr;
    }

    #============= httpd_t ==============
    allow httpd_t fonts_cache_t:dir setattr;

---

Please report that to CentOS then. Fedora bugzilla reports aren't going to get anything fixed in CentOS.

I can confirm that this bug exists in RHEL6.6 with rrdtool:

    type=AVC msg=audit(1431098356.232:484315): avc: denied { setattr } for pid=19745 comm="rrdtool" name="fontconfig" dev=sda5 ino=263339 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir

    rrdtool-1.3.8-7.el6.x86_64
    selinux-policy-3.7.19-260.el6_6.2.noarch
    selinux-policy-targeted-3.7.19-260.el6_6.2.noarch

Please re-open this ticket.
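
An added example, not part of the original thread: a short Python parser that reduces the two AVC records quoted in the comments to (source type, target type, class, permission) tuples and compares them with the single rule in the posted workaround module. It shows that the RHEL 6.6 denial originates from `httpd_sys_script_t`, which the `httpd_t` rule does not cover. Function and variable names are illustrative, and the comparison is by type name only (attributes are not resolved).

```python
import re

# AVC records copied from the two reports in this thread.
AVC_CENTOS_65 = (
    'type=AVC msg=audit(1395841586.356:6315): avc: denied { setattr } for '
    'pid=20032 comm="rrdtool" name="fontconfig" dev=dm-0 ino=3670514 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir'
)
AVC_RHEL_66 = (
    'type=AVC msg=audit(1431098356.232:484315): avc: denied { setattr } for '
    'pid=19745 comm="rrdtool" name="fontconfig" dev=sda5 ino=263339 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir'
)
# The single rule granted by the workaround module posted in this thread.
WORKAROUND = {("httpd_t", "fonts_cache_t", "dir", "setattr")}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def denied_access(line):
    """Map one AVC denial to (source, target, class, permission) tuples."""
    m = AVC_RE.search(line)
    if m is None:  # not an AVC denial (e.g. a SYSCALL record)
        return set()
    src, tgt = context_type(m["scon"]), context_type(m["tcon"])
    return {(src, tgt, m["tclass"], perm) for perm in m["perms"].split()}

def uncovered(lines, granted):
    """Return denied accesses that the granted rule set does not allow."""
    missing = set()
    for line in lines:
        missing |= denied_access(line) - granted
    return missing

def as_allow_rules(access):
    """Render access tuples in the .te allow-rule syntax used above."""
    return [f"allow {s} {t}:{c} {p};" for s, t, c, p in sorted(access)]

if __name__ == "__main__":
    for rule in as_allow_rules(uncovered([AVC_CENTOS_65, AVC_RHEL_66], WORKAROUND)):
        print("not covered by the workaround module:", rule)
```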