Bug 1116014 - policy erroneously claims all erlang
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2014-07-03 13:51 UTC by Warren Togami
Modified: 2018-04-11 17:19 UTC (History)

Fixed In Version: selinux-policy-3.12.1-185.fc20
Last Closed: 2015-05-31 21:20:21 UTC
Type: Bug

Description Warren Togami 2014-07-03 13:51:02 UTC
selinux-policy-targeted-3.12.1-171.fc20.noarch

serefpolicy-contrib-3.12.1/rabbitmq.fc:
/usr/lib/erlang/erts.*/bin/beam.*       --      gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
/usr/lib/erlang/erts.*/bin/epmd --      gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)

beam.* is erlang's Virtual Machine.  All erlang programs run it, so it is not appropriate to apply its restrictions on all erlang programs.

epmd is similarly used by many erlang programs.

Are there other examples of generic interpreters or VMs used by many services?

Comment 1 Warren Togami 2014-07-03 14:34:57 UTC
tfirg said:
/usr/lib64/erlang/erts-5.10.4/bin/erl needs to be bin_t

It is currently lib_t which is wrong.

Comment 2 Warren Togami 2014-07-06 08:06:41 UTC
/usr/lib64/erlang/erts-5.10.4/bin/beam
/usr/lib64/erlang/erts-5.10.4/bin/beam.smp
/usr/lib64/erlang/erts-5.10.4/bin/erl

These must be bin_t.
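
Added example (not part of the original report, and not selinux-policy code): a small Python check that applies the two rabbitmq.fc entries from the description to the runtime paths listed in Comment 2 and reports which ones a service-specific type claims. It assumes /usr/lib64 is labeled as /usr/lib (as Fedora's file_contexts.subs_dist does), adds a constructed epmd path, and lists every matching entry rather than picking the single winner the labeling tools choose.

```python
import re

# The two rabbitmq.fc entries quoted in the bug description.
RABBITMQ_FC = """
/usr/lib/erlang/erts.*/bin/beam.*       --      gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
/usr/lib/erlang/erts.*/bin/epmd --      gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
"""

# Assumption: /usr/lib64 is treated as /usr/lib for labeling, as Fedora's
# file_contexts.subs_dist does.
PATH_SUBS = [("/usr/lib64", "/usr/lib")]

# Paths from Comment 2, plus a constructed epmd path in the same directory.
RUNTIME_PATHS = [
    "/usr/lib64/erlang/erts-5.10.4/bin/beam",
    "/usr/lib64/erlang/erts-5.10.4/bin/beam.smp",
    "/usr/lib64/erlang/erts-5.10.4/bin/erl",
    "/usr/lib64/erlang/erts-5.10.4/bin/epmd",  # constructed
]

FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-dbclsp])\s+)?gen_context\(([^,)]+)")

def parse_fc(text):
    """Return (path_regex, file_class_flag, type) for each .fc entry."""
    entries = []
    for line in text.splitlines():
        m = FC_LINE.match(line.strip())
        if m:
            pattern, flag, context = m.groups()
            entries.append((pattern, flag, context.split(":")[2]))
    return entries

def canonical(path):
    """Rewrite an equivalent prefix (e.g. /usr/lib64) before matching."""
    for src, dst in PATH_SUBS:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path

def claimed_by(path, entries):
    """Types of all entries whose regex matches the whole path."""
    p = canonical(path)
    return [t for pattern, _flag, t in entries if re.fullmatch(pattern, p)]

def audit(paths, entries):
    """Map each path to the types claiming it, omitting unclaimed paths."""
    claims = {p: claimed_by(p, entries) for p in paths}
    return {p: types for p, types in claims.items() if types}
```

Calling audit(RUNTIME_PATHS, parse_fc(RABBITMQ_FC)) returns the shared runtime files that one service's module has labeled for itself.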

Comment 3 Warren Togami 2014-07-06 08:23:42 UTC
https://github.com/wtogami/refpolicy-contrib/commits/couchdb
Modified the upstream refpolicy-contrib:

* Switched back from init_daemon_pid_file to init_daemon_run_dir because Fedora's policy does not yet have https://github.com/TresysTechnology/refpolicy/commit/d64826b60609afab013c4972a5f53ad4e67430ed

* Added Fedora's path to couchjs to solve Bug #1096274.

It still has some problems ...

type=AVC msg=audit(1404632007.715:5116): avc:  denied  { write } for  pid=4274 comm="beam.smp" name="self.ini" dev="dm-0" ino=666198 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:couchdb_conf_t:s0 tclass=file

beam.smp can't write to the .ini file.

type=AVC msg=audit(1404632007.556:5115): avc:  denied  { getattr } for  pid=4286 comm="df" path="/sys/kernel/config" dev="configfs" ino=1514 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir

The dontaudit rules seem to not work?
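
Added example (not part of the original comment): a Python triage helper that parses the two AVC records quoted in Comment 3 and groups them by source type, target type and object class, which is the tuple a policy rule is written against. The function names are illustrative, not from any SELinux tool.

```python
import re
from collections import defaultdict

# The two AVC records quoted in Comment 3.
AUDIT_LOG = """\
type=AVC msg=audit(1404632007.715:5116): avc:  denied  { write } for  pid=4274 comm="beam.smp" name="self.ini" dev="dm-0" ino=666198 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:couchdb_conf_t:s0 tclass=file
type=AVC msg=audit(1404632007.556:5115): avc:  denied  { getattr } for  pid=4286 comm="df" path="/sys/kernel/config" dev="configfs" ino=1514 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
"""

AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in FIELD.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    # A context is user:role:type:level; the type drives the access decision.
    rec["source"] = rec["scontext"].split(":")[2]
    rec["target"] = rec["tcontext"].split(":")[2]
    rec["object"] = rec.get("path") or rec.get("name", "?")
    return rec

def group_denials(log):
    """Map (source type, target type, class) to perms, commands and objects seen."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "objects": set()})
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec:
            g = groups[(rec["source"], rec["target"], rec["tclass"])]
            g["perms"].update(rec["perms"])
            g["comms"].add(rec["comm"])
            g["objects"].add(rec["object"])
    return dict(groups)

def report(log):
    """One line per (source, target, class) group, sorted for stable output."""
    rows = []
    for (src, tgt, cls), g in sorted(group_denials(log).items()):
        perms = " ".join(sorted(g["perms"]))
        who = ",".join(sorted(g["comms"]))
        what = ",".join(sorted(g["objects"]))
        rows.append(f"{src} -> {tgt}:{cls} [{perms}] by {who} on {what}")
    return rows
```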

Comment 4 Warren Togami 2014-07-06 08:29:35 UTC
Running /usr/bin/erl directly from systemd failed to run with the couchdb_t context.  couchdb-1.6.0-7+ added /usr/libexec/couchdb as a wrapper for erl which does run as couchdb_t.

Comment 5 Warren Togami 2014-07-07 08:18:49 UTC
http://wtogami.blogspot.com/2014/07/selinux-problems-with-erlang-on.html
Please see my blog entry on the multiple things in selinux-policy that must be fixed.  I have fixed the couchdb semodule and erlang for general use.

rabbitmq, riak and other erlang services may need developers familiar with them to ensure their policies actually work.  Note that on distros with systemd (Fedora and RHEL 7) none of these services were actually using their respective semodules.  This means the many bug reports on selinux-policy or these packages are only adding to the confusion.

Comment 6 Warren Togami 2014-07-07 08:20:24 UTC
https://github.com/wtogami/refpolicy-contrib/commits/couchdb
Fixed couchdb semodule

Part of this must go into the core policy.

Comment 7 Lukas Vrabec 2014-09-11 15:31:10 UTC
It's fixed in selinux-policy-3.12.1-185.fc20

Thank you for your report.

Comment 8 Fedora Update System 2014-09-23 08:29:26 UTC
selinux-policy-3.12.1-186.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-186.fc20

Comment 9 Fedora Update System 2014-09-25 10:44:51 UTC
Package selinux-policy-3.12.1-186.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-186.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-11479/selinux-policy-3.12.1-186.fc20
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2014-09-25 16:57:39 UTC
selinux-policy-3.12.1-187.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-187.fc20

Comment 11 Warren Togami 2014-09-28 04:22:22 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1096274#c7
This is still very broken.

Comment 12 Fedora Update System 2014-09-30 08:36:31 UTC
selinux-policy-3.12.1-188.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-188.fc20

Comment 13 Fedora Update System 2014-10-01 04:23:00 UTC
Package selinux-policy-3.12.1-188.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-188.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-11932/selinux-policy-3.12.1-188.fc20
then log in and leave karma (feedback).

Comment 14 Myroslav Opyr 2014-10-24 17:04:23 UTC
I'd installed selinux-policy-3.12.1-192.fc20 and it resolved my Erlang issues.

Note that my CouchDB instance is not a "stock" one but is running in a user home folder. I.e. its couchdb.database_dir, couchdb.view_index_dir and log.file are in the user home folder, and it is running under that user's uid.

Comment 15 Fedora End Of Life 2015-05-29 12:17:28 UTC
This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '20'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 20 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

