Bug 989773
| Summary: | mock is denied access to rpmdb when it runs repoquery | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Garrett Holmstrom <gholms> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 18 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.11.1-103.fc18 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-09-23 00:43:56 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I need to back port mock fixes from F19. commit 2aed9c0bd018d80155df7b94db66f5ea0cc55fff
Author: Miroslav Grepl <mgrepl>
Date: Thu Aug 8 14:49:26 2013 +0200
Back port mock fixes from F19
selinux-policy-3.11.1-101.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-101.fc18 Package selinux-policy-3.11.1-101.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-101.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-15645/selinux-policy-3.11.1-101.fc18 then log in and leave karma (feedback). selinux-policy-3.11.1-103.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-103.fc18 selinux-policy-3.11.1-103.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: I'm trying to run mock on an enforcing system (as staff_u, if that matters), and after I set the mock_enable_homedirs boolean it gets to the "Outputting list of available packages" stage and then crashes when it tries to run repoquery. The AVCs appear to be dontaudited, but here they are just in case they actually aren't supposed to happen: time->Mon Jul 29 14:31:44 2013 type=SYSCALL msg=audit(1375133504.040:902): arch=c000003e syscall=4 success=no exit=-13 a0=189ff10 a1=7fff6acce180 a2=7fff6acce180 a3=d items=0 ppid=4219 pid=4220 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4 tty=(none) comm="repoquery" exe="/usr/bin/python2.7" subj=staff_u:staff_r:mock_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1375133504.040:902): avc: denied { getattr } for pid=4220 comm="repoquery" path="/var/lib/rpm" dev="dm-1" ino=264 scontext=staff_u:staff_r:mock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir ---- time->Mon Jul 29 14:31:44 2013 type=SYSCALL msg=audit(1375133504.073:904): arch=c000003e syscall=4 success=no exit=-13 a0=1927590 a1=7fff6acce9d0 a2=7fff6acce9d0 a3=d items=0 ppid=4219 pid=4220 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4 tty=(none) comm="repoquery" exe="/usr/bin/python2.7" subj=staff_u:staff_r:mock_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1375133504.073:904): avc: denied { getattr } for pid=4220 comm="repoquery" path="/var/lib/rpm" dev="dm-1" ino=264 scontext=staff_u:staff_r:mock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir ---- time->Mon Jul 29 14:31:44 2013 type=SYSCALL msg=audit(1375133504.186:912): arch=c000003e syscall=6 success=no exit=-13 a0=1f0d490 a1=7fff54aee920 a2=7fff54aee920 a3=20 items=0 ppid=3835 pid=3838 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4 tty=pts1 comm="mock" exe="/usr/bin/python2.7" subj=staff_u:staff_r:mock_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1375133504.186:912): avc: denied { getattr } for pid=3838 comm="mock" path="/run/user" dev="tmpfs" ino=15264 scontext=staff_u:staff_r:mock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir ---- time->Mon Jul 29 14:31:44 2013 type=SYSCALL msg=audit(1375133504.186:913): arch=c000003e syscall=6 success=no exit=-13 a0=1f0d490 a1=7fff54aee920 a2=7fff54aee920 a3=20 items=0 ppid=3835 pid=3838 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4 tty=pts1 comm="mock" exe="/usr/bin/python2.7" subj=staff_u:staff_r:mock_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1375133504.186:913): avc: denied { search } for pid=3838 comm="mock" name="user" dev="tmpfs" ino=15264 scontext=staff_u:staff_r:mock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir ---- time->Mon Jul 29 14:31:44 2013 type=SYSCALL msg=audit(1375133504.186:914): arch=c000003e syscall=6 success=no exit=-13 a0=1f0d490 a1=7fff54aee920 a2=7fff54aee920 a3=20 items=0 ppid=3835 pid=3838 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4 tty=pts1 comm="mock" exe="/usr/bin/python2.7" subj=staff_u:staff_r:mock_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1375133504.186:914): avc: denied { search } for pid=3838 comm="mock" name="user" dev="tmpfs" ino=15264 scontext=staff_u:staff_r:mock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir AFAICT that corresponds to rpm_read_db(mock_t) and userdom_search_user_tmp_dirs(mock_t), but I haven't tested that guess yet. Version-Release number of selected component (if applicable): mock-1.1.32-1.fc18.noarch selinux-policy-3.11.1-98.fc18.noarch Steps to Reproduce: 1. sudo semodule -DB 2. (Log in as staff_t with "mock" group membership) 3. mock -r epel-6-x86_64 $foo.src.rpm 4. sudo ausearch -ts recent -sv no -su mock_t