Bug 888245

Summary: SELinux is preventing /usr/bin/updatedb from 'search' accesses on the directory /var/cache/jockey.
Product: [Fedora] Fedora Reporter: bm_boris
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:ad37312f08d64ba2c2c1ff2f0f7d7e9b1814ce8060b0fd88d59e3fc4a7b9eb20
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-07-04 10:24:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: type
none
File: hashmarkername none

Description bm_boris 2012-12-18 11:49:46 UTC 
Additional info:
libreport version: 2.0.18
kernel:         3.6.10-2.fc17.x86_64

description:
:SELinux is preventing /usr/bin/updatedb from 'search' accesses on the directory /var/cache/jockey.
:
:*****  Plugin restorecon (94.8 confidence) suggests  *************************
:
:If you want to fix the label. 
:/var/cache/jockey default label should be var_t.
:Then you can run restorecon.
:Do
:# /sbin/restorecon -v /var/cache/jockey
:
:*****  Plugin catchall_labels (5.21 confidence) suggests  ********************
:
:If you want to allow updatedb to have search access on the jockey directory
:Then you need to change the label on /var/cache/jockey
:Do
:# semanage fcontext -a -t FILE_TYPE '/var/cache/jockey'
:where FILE_TYPE is one of the following: locate_var_lib_t, var_run_t, file_type, abrt_var_run_t, sysctl_crypto_t, inotifyfs_t, var_lib_t, var_run_t, samba_var_t, anon_inodefs_t, samba_etc_t, avahi_var_run_t, nscd_var_run_t, nslcd_var_run_t, smbd_var_run_t, sssd_var_lib_t, net_conf_t, setrans_var_run_t, cfengine_var_lib_t, device_t, etc_t, sysctl_t, noxattrfs, abrt_t, bin_t, proc_t, sysfs_t, lib_t, mnt_t, filesystem_type, device_t, locale_t, locate_t, root_t, tmp_t, usr_t, var_t, etc_t, bin_t, proc_t, cpu_online_t, winbind_var_run_t, usr_t, cfengine_var_lib_t, tmp_t, var_t, etc_t, cert_t, var_t, textrel_shlib_t, sssd_public_t, rpm_script_tmp_t, security_t, likewise_var_lib_t, default_t, rpm_log_t, krb5_conf_t, var_log_t, var_run_t, abrt_var_run_t, var_run_t, var_run_t, nscd_var_run_t, pcscd_var_run_t, krb5_host_rcache_t, var_t, var_t. 
:Then execute: 
:restorecon -v '/var/cache/jockey'
:
:
:*****  Plugin catchall (1.44 confidence) suggests  ***************************
:
:If you believe that updatedb should be allowed search access on the jockey directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep updatedb /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:locate_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:unlabeled_t:s0
:Target Objects                /var/cache/jockey [ dir ]
:Source                        updatedb
:Source Path                   /usr/bin/updatedb
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           mlocate-0.25-1.fc17.x86_64
:Target RPM Packages           jockey-0.9.6-2.fc16.noarch
:Policy RPM                    selinux-policy-3.10.0-161.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.10-2.fc17.x86_64 #1 SMP Tue
:                              Dec 11 18:07:34 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    2012-12-18 03:35:25 CST
:Last Seen                     2012-12-18 03:35:25 CST
:Local ID                      2c02297d-c503-41e2-b609-264f653bbc6b
:
:Raw Audit Messages
:type=AVC msg=audit(1355823325.335:106): avc:  denied  { search } for  pid=4130 comm="updatedb" name="jockey" dev="dm-2" ino=529147 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
:
:
:type=SYSCALL msg=audit(1355823325.335:106): arch=x86_64 syscall=chdir success=yes exit=0 a0=184c9c9 a1=184c9c9 a2=7fff99e1c4d0 a3=0 items=0 ppid=4124 pid=4130 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm=updatedb exe=/usr/bin/updatedb subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)
:
:Hash: updatedb,locate_t,unlabeled_t,dir,search
:
:audit2allow
:
:#============= locate_t ==============
:allow locate_t unlabeled_t:dir search;
:
:audit2allow -R
:
:#============= locate_t ==============
:allow locate_t unlabeled_t:dir search;
:


Potential duplicate bug: 740194
Comment 1 bm_boris 2012-12-18 11:49:56 UTC 
Created attachment 665458 [details]
File: type
Comment 2 bm_boris 2012-12-18 11:50:01 UTC 
Created attachment 665459 [details]
File: hashmarkername
Comment 3 Miroslav Grepl 2012-12-18 12:21:45 UTC 
Could you try to reinstall the policy?

# yum reinstall selinux-policy-targeted
Comment 4 Miroslav Grepl 2012-12-18 12:21:58 UTC 
*** Bug 888246 has been marked as a duplicate of this bug. ***
Comment 5 Fedora End Of Life 2013-07-04 00:54:56 UTC 
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter:  Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 17 is end of life. If you 
would still like  to see this bug fixed and are able to reproduce it 
against a later version  of Fedora, you are encouraged  change the 
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.