Bug 975895

Summary: SELinux is preventing /usr/bin/mandb from 'remove_name' accesses on the directory #index.db#.
Product: [Fedora] Fedora
Reporter: Ray Holme <rayholme>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 18
CC: dominick.grift, dwalsh, mgrepl, rayholme
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:27ef646972cc0c577592c060492a3e6d93282d4dd5b5eccef89b19ceab1005c9
Fixed In Version: selinux-policy-3.11.1-100.fc18
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-15 02:53:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Ray Holme 2013-06-19 14:31:29 UTC
Description of problem:
I tried the semodule fix and it did not work. In any case, this is the system space, not mine, and it is therefore a selinux bug.
SELinux is preventing /usr/bin/mandb from 'remove_name' accesses on the directory #index.db#.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mandb should be allowed remove_name access on the #index.db# directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mandb /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mandb_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:man_t:s0
Target Objects                #index.db# [ dir ]
Source                        mandb
Source Path                   /usr/bin/mandb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           man-db-2.6.3-2.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-97.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.5-201.fc18.x86_64 #1 SMP Tue
                              Jun 11 19:40:51 UTC 2013 x86_64 x86_64
Alert Count                   3
First Seen                    2013-06-17 08:47:11 EDT
Last Seen                     2013-06-19 07:40:12 EDT
Local ID                      6a5e05de-76a6-47ac-86b2-f5f8d068a43c

Raw Audit Messages
type=AVC msg=audit(1371642012.216:594): avc:  denied  { remove_name } for  pid=9189 comm="mandb" name="#index.db#" dev="dm-1" ino=2497614 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:man_t:s0 tclass=dir


type=AVC msg=audit(1371642012.216:594): avc:  denied  { rename } for  pid=9189 comm="mandb" name="#index.db#" dev="dm-1" ino=2497614 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:man_t:s0 tclass=file


type=AVC msg=audit(1371642012.216:594): avc:  denied  { unlink } for  pid=9189 comm="mandb" name="index.db" dev="dm-1" ino=2497656 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:man_t:s0 tclass=file


type=SYSCALL msg=audit(1371642012.216:594): arch=x86_64 syscall=rename success=yes exit=0 a0=19df8e0 a1=1b5b380 a2=6 a3=2aaaaaab items=0 ppid=9184 pid=9189 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=8 tty=(none) comm=mandb exe=/usr/bin/mandb subj=system_u:system_r:mandb_t:s0-s0:c0.c1023 key=(null)

Hash: mandb,mandb_t,man_t,dir,remove_name

audit2allow

#============= mandb_t ==============
allow mandb_t man_t:dir remove_name;
allow mandb_t man_t:file { rename unlink };

audit2allow -R
require {
	type mandb_t;
}

#============= mandb_t ==============
miscfiles_delete_man_pages(mandb_t)
miscfiles_manage_man_pages(mandb_t)


Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.5-201.fc18.x86_64
type:           libreport
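The `audit2allow` summary quoted in the report is a straightforward reduction of the raw AVC records: permissions are grouped by source type, target type and object class. The following is an added example, not part of the bug report or of audit2allow itself, that performs that reduction over the three AVC lines above (embedded here as constructed sample input) and also lists the target types seen. The last point is the one Daniel Walsh raises in the next comment: when a confined domain is denied access to an object whose type is not the domain's own data type (here `man_t` where `mandb_cache_t` is expected), the AVC is a labeling symptom, and loading the generated module would paper over it rather than fix it.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in the report above, plus the
# SYSCALL record that follows them (its trailing fields are elided here).
AUDIT_LOG = """\
type=AVC msg=audit(1371642012.216:594): avc:  denied  { remove_name } for  pid=9189 comm="mandb" name="#index.db#" dev="dm-1" ino=2497614 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:man_t:s0 tclass=dir
type=AVC msg=audit(1371642012.216:594): avc:  denied  { rename } for  pid=9189 comm="mandb" name="#index.db#" dev="dm-1" ino=2497614 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:man_t:s0 tclass=file
type=AVC msg=audit(1371642012.216:594): avc:  denied  { unlink } for  pid=9189 comm="mandb" name="index.db" dev="dm-1" ino=2497656 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:man_t:s0 tclass=file
type=SYSCALL msg=audit(1371642012.216:594): arch=x86_64 syscall=rename success=yes exit=0 ppid=9184 pid=9189 comm=mandb exe=/usr/bin/mandb
"""

# "avc:  denied  { perm perm } for  key=value ..." -- the permissions sit in braces,
# everything after "for" is a run of key=value fields (values may be double-quoted).
AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return {
        'decision': m.group('decision'),
        'perms': frozenset(m.group('perms').split()),
        'source_type': type_of(fields['scontext']),
        'target_type': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'name': fields.get('name'),
    }


def summarize_denials(log_text):
    """Collapse denied AVCs into allow rules keyed on (source type, target type, class),
    which is the grouping audit2allow prints in its summary."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['decision'] == 'denied':
            needed[(rec['source_type'], rec['target_type'], rec['tclass'])] |= rec['perms']
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules


def target_types(log_text):
    """Object types the denied domain touched. A type that is not the domain's own data type
    (man_t here, where mandb's index lives in mandb_cache_t) points at mislabeling rather
    than at a genuinely missing rule."""
    return sorted({rec['target_type'] for rec in map(parse_avc, log_text.splitlines()) if rec})


if __name__ == '__main__':
    for rule in summarize_denials(AUDIT_LOG):
        print(rule)
    print('target types seen:', target_types(AUDIT_LOG))
```

Running it reproduces the two `allow` lines from the report; the `target_types` output (`man_t` only) is the cue to check labels with `ls -Z` before reaching for `semodule -i`.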

Comment 1 Daniel Walsh 2013-06-19 19:42:23 UTC
Ray would you happen to know where this index.db is being created?

My index.db files are in /var/cache/man  which is labeled mandb_cache_t.

restorecon -R -v /var/cache/man

Should fix all labels under this dir.

Comment 2 Ray Holme 2013-06-20 12:07:34 UTC
Ran restorecon as directed by Daniel (and as per the troubleshooter).

however every time I boot again, I get about 5 trouble reports from mandb.

I will just ignore them, but really these should not happen.

Comment 3 Miroslav Grepl 2013-06-20 13:06:28 UTC
And where is your index.db located?

Comment 4 Ray Holme 2013-06-20 20:27:41 UTC
a find command finds tons of index.db(s) - I don't recall the exact location in the troubleshooter but will look at next boot

  mandb complains about this file, "#index.db#" (name like this)
   and 2-3 other files every time I boot.

I will reboot and capture the information that I can without filing bug reports for each entry

In any case, I never made an index.db for mandb (I did run catman if that helps)

Comment 5 Miroslav Grepl 2013-06-21 07:29:16 UTC
You can execute

# echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
# systemctl restart auditd.service

Then we get full path in AVC msgs.

Comment 6 Ray Holme 2013-06-21 13:15:04 UTC
[root@rainbow ray]# echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
[root@rainbow ray]# systemctl restart auditd.service

Failed to issue method call: Operation refused, unit auditd.service may be requested by dependency only.


NOT so good - but I will reboot and try to trace it then VERY SOON

Comment 7 Ray Holme 2013-06-21 18:48:41 UTC
OK after reboot, I get 4-5 troubleshooter reports - this time it was 4

All 4 from /usr/bin/mandb in the below order

     attempted              on file

     setattr                 29410
     remove_name             #index.db#
     write                   /opt/local/share/man
     write                   index.db

Only the third is fully qualified. I can see no trace of a file called 29410 with find.

I can stop watching these if it makes sense and just ignore them.

The only non-standard thing here is that /opt/local is now what /usr/local was; and the latter is now a link to /opt/local.

Comment 8 Miroslav Grepl 2013-07-12 06:58:50 UTC
Ok, is index.db located directly in /opt/local/share/man?

# ls -Z /opt/local/share/man/index.db

Comment 9 Ray Holme 2013-07-12 12:44:53 UTC
YES, but I am not sure it is that one. Here is the one you wanted and a full list. Also I maintain several other fedora18 servers and they ALL have complaints in /var/log/messages about this and the other files I see mandb complain about at boot.

ls -Z /opt/local/share/man/index.db; find / -name index.db 2> /dev/null
-rw-r--r--. root root system_u:object_r:man_t:s0 /opt/local/share/man/index.db
/var/cache/man/zh_CN/index.db
/var/cache/man/zh_HK/index.db
/var/cache/man/id/index.db
/var/cache/man/ru/index.db
/var/cache/man/ml/index.db
/var/cache/man/ca/index.db
/var/cache/man/sk/index.db
/var/cache/man/bg/index.db
/var/cache/man/he/index.db
/var/cache/man/uk/index.db
/var/cache/man/te/index.db
/var/cache/man/ko/index.db
/var/cache/man/kk/index.db
/var/cache/man/ug/index.db
/var/cache/man/en/index.db
/var/cache/man/io/index.db
/var/cache/man/ro/index.db
/var/cache/man/da/index.db
/var/cache/man/bn/index.db
/var/cache/man/be/index.db
/var/cache/man/bs/index.db
/var/cache/man/gd/index.db
/var/cache/man/el/index.db
/var/cache/man/sl/index.db
/var/cache/man/pl/index.db
/var/cache/man/lt/index.db
/var/cache/man/et/index.db
/var/cache/man/fa/index.db
/var/cache/man/fr/index.db
/var/cache/man/uz/index.db
/var/cache/man/it/index.db
/var/cache/man/en_GB/index.db
/var/cache/man/fi/index.db
/var/cache/man/pt/index.db
/var/cache/man/km/index.db
/var/cache/man/th/index.db
/var/cache/man/fy/index.db
/var/cache/man/sq/index.db
/var/cache/man/pa/index.db
/var/cache/man/sr/index.db
/var/cache/man/tr/index.db
/var/cache/man/si/index.db
/var/cache/man/nn/index.db
/var/cache/man/eu/index.db
/var/cache/man/ar/index.db
/var/cache/man/vi/index.db
/var/cache/man/fo/index.db
/var/cache/man/ast/index.db
/var/cache/man/hr/index.db
/var/cache/man/oc/index.db
/var/cache/man/ta/index.db
/var/cache/man/nl/index.db
/var/cache/man/ku/index.db
/var/cache/man/sv/index.db
/var/cache/man/en_AU/index.db
/var/cache/man/shn/index.db
/var/cache/man/ms/index.db
/var/cache/man/eo/index.db
/var/cache/man/pt_BR/index.db
/var/cache/man/zh_TW/index.db
/var/cache/man/de/index.db
/var/cache/man/gl/index.db
/var/cache/man/index.db
/var/cache/man/cs/index.db
/var/cache/man/bo/index.db
/var/cache/man/hi/index.db
/var/cache/man/lv/index.db
/var/cache/man/ja/index.db
/var/cache/man/hu/index.db
/var/cache/man/es/index.db
/var/cache/man/nb/index.db
/var/cache/man/ca@valencia/index.db
/var/cache/man/cy/index.db
/var/cache/man/my/index.db
/var/cache/man/ps/index.db
/opt/local/share/man/index.db

Comment 10 Ray Holme 2013-07-12 12:47:26 UTC
PS - thanks for "-Z" - I have always wondered how to see the new linux attributes for files - never sure why they were needed as I am an OLD Unix hacker, but I am sure there was good reason. 7777 was always as many attributes as I needed. :=]

Comment 11 Ray Holme 2013-07-13 19:55:51 UTC
I just realized that the machine (my own) which I ran the "ls -Z" command on had been patched using the remedy suggested by the trouble shooter.

I ran the below on a machine which WAS NOT patched by troubleshooter suggestions.

find / -name index.db -exec ls -Z {} \; > /tmp/index_files 2> /dev/null

results:

-rw-r--r--. root root system_u:object_r:mandb_cache_t:s0 /var/cache/man/id/index.db
-rw-r--r--. root root system_u:object_r:mandb_cache_t:s0 /var/cache/man/ja/index.db
-rw-r--r--. root root system_u:object_r:mandb_cache_t:s0 /var/cache/man/ro/index.db
... many more like this in /var/cache/man/... ; then this one
-rw-r--r--. root root system_u:object_r:usr_t:s0       /opt/local/share/man/index.db

Comment 12 Daniel Walsh 2013-07-15 21:30:31 UTC
Fedora 19/20 has this labeled.

 matchpathcon /opt/local/share/man/index.db
/opt/local/share/man/index.db	system_u:object_r:man_t:s0

Comment 13 Miroslav Grepl 2013-07-16 12:46:47 UTC
But should be mandb_cache_t to make this working.

# restorecon -Rv /opt/local/share/man
# chcon -t mandb_cache_t /opt/local/share/man/index.db
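Comments 11 to 13 show three different labels for the same file: `usr_t` on disk, `man_t` from `matchpathcon`, and `mandb_cache_t` as the type mandb actually needs. The following is an added example, not code from the bug report or from libselinux, that models why: it runs the `ls -Z` line from comment 11 through a simplified file_contexts lookup. The file_contexts excerpt is constructed from the labels seen on this page (verify the real rules with `semanage fcontext -l`), and the override entry is what a persistent local rule of the form `semanage fcontext -a -t mandb_cache_t '/opt/local/share/man(/.*)?'` would add. The matching rule (longest literal prefix wins, later entry breaks ties) is an assumption that approximates libselinux's specificity ordering; it is not the exact algorithm.

```python
import re

# Constructed excerpt in file_contexts format; the entries echo the labels seen in this thread
# (usr_t under /opt, man_t for the man trees, mandb_cache_t for /var/cache/man).
FILE_CONTEXTS = """\
/opt(/.*)?                      system_u:object_r:usr_t:s0
/usr/share/man(/.*)?            system_u:object_r:man_t:s0
/var/cache/man(/.*)?            system_u:object_r:mandb_cache_t:s0
/opt/local/share/man(/.*)?      system_u:object_r:man_t:s0
"""

# Assumed content of a local override, i.e. what
# `semanage fcontext -a -t mandb_cache_t '/opt/local/share/man(/.*)?'` records.
FILE_CONTEXTS_LOCAL = """\
/opt/local/share/man(/.*)?      system_u:object_r:mandb_cache_t:s0
"""

# The ls -Z line from comment 11 (unpatched machine).
LS_Z_LINE = "-rw-r--r--. root root system_u:object_r:usr_t:s0       /opt/local/share/man/index.db"

REGEX_METACHARS = set('.^$?*+|[](){}\\')


def literal_prefix_len(regex):
    """Length of the leading literal part of a spec regex (roughly libselinux's 'stem')."""
    n = 0
    for ch in regex:
        if ch in REGEX_METACHARS:
            break
        n += 1
    return n


def load_specs(text):
    """Parse 'regex [filetype] context' lines, keeping list order for tiebreaking."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split()
        regex, ctx = parts[0], parts[-1]   # optional middle field (--, -d, -l ...) ignored here
        specs.append((regex, re.compile('^' + regex + '$'), ctx))
    return specs


def matchpathcon(path, specs):
    """Simplified model of the lookup matchpathcon/restorecon perform: among matching specs the
    longest literal prefix wins; on a tie the later entry wins, so local overrides beat shipped rules."""
    best_key, best_ctx = None, None
    for idx, (regex, compiled, ctx) in enumerate(specs):
        if compiled.match(path):
            key = (literal_prefix_len(regex), idx)
            if best_key is None or key > best_key:
                best_key, best_ctx = key, ctx
    return best_ctx


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(':')[2]


def parse_ls_z(line):
    """Return (path, context) from a `ls -Z` line in the 'mode user group context path' layout."""
    parts = line.split()
    return parts[4], parts[3]


def label_report(ls_line, shipped_text, local_text):
    """Compare the on-disk label with what restorecon would set from the shipped rules alone,
    and with what it would set once the local override is present."""
    path, observed = parse_ls_z(ls_line)
    shipped = load_specs(shipped_text)
    effective = shipped + load_specs(local_text)
    return {
        'path': path,
        'observed': type_of(observed),
        'restorecon_from_shipped_rules': type_of(matchpathcon(path, shipped)),
        'restorecon_with_local_override': type_of(matchpathcon(path, effective)),
    }


if __name__ == '__main__':
    for key, value in label_report(LS_Z_LINE, FILE_CONTEXTS, FILE_CONTEXTS_LOCAL).items():
        print(f'{key:32} {value}')
```

The report shows `usr_t` on disk, `man_t` after a plain `restorecon` (the shipped rule, which is why the denials recur after every relabel in comment 2), and `mandb_cache_t` only once the override exists. A `chcon` as in comment 13 sets the label immediately but is lost at the next relabel; a `semanage fcontext` rule, or the corrected shipped policy delivered in the update below, survives it.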

Comment 14 Ray Holme 2013-07-16 14:03:13 UTC
OK, I will run the commands locally
  and all other machines that I have the priv. to do this on.

But, this file and some others (all from mandb agent) should best be fixed in some future release.

My goal was to make you all aware, you can close the bug or leave it open if you like.

Comment 15 Miroslav Grepl 2013-07-22 10:29:42 UTC
It has been switched to Modify. It means we have a fix. Thank you for your help.

Comment 16 Ray Holme 2013-07-22 11:51:35 UTC
most welcome

Comment 17 Fedora Update System 2013-08-05 05:40:36 UTC
selinux-policy-3.11.1-99.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-99.fc18

Comment 18 Ray Holme 2013-08-05 12:22:09 UTC
Thanks and nice.

Comment 19 Fedora Update System 2013-08-06 00:14:09 UTC
Package selinux-policy-3.11.1-99.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-99.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-14256/selinux-policy-3.11.1-99.fc18
then log in and leave karma (feedback).

Comment 20 Fedora Update System 2013-08-07 11:12:03 UTC
selinux-policy-3.11.1-100.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-100.fc18

Comment 21 Ray Holme 2013-08-09 14:35:32 UTC
I tried the yum command and got - will try again in a few more days

     
No Match for argument: selinux-policy-3.11.1-99.fc18
No package selinux-policy-3.11.1-99.fc18 available.
No Packages marked for Update

Comment 22 Fedora Update System 2013-08-15 02:53:41 UTC
selinux-policy-3.11.1-100.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Ray Holme 2013-08-15 16:04:06 UTC
No package selinux-policy-3.11.1-99.fc18 available.

and then
No package selinux-policy-3.11.1-100.fc18 available.

will wait till it makes it to the world.

Thanks

Comment 24 Miroslav Grepl 2013-08-19 15:37:26 UTC
There will be a problem with your mirrors. You can use builds from koji

http://koji.fedoraproject.org/koji/buildinfo?buildID=454829