Bug 1154327 - SELinux is preventing /usr/lib64/erlang/erts-5.10.4/bin/erlexec from 'execute' accesses on the file .
Summary: SELinux is preventing /usr/lib64/erlang/erts-5.10.4/bin/erlexec from 'execute...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:d9f3066c54e224b3026c3ea555e...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-10-18 20:11 UTC by Aaron Hamid
Modified: 2014-10-28 06:38 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.12.1-192.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-28 06:38:43 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Aaron Hamid 2014-10-18 20:11:48 UTC
Description of problem:
systemd failed to start couchdb because couchdb could not exec an erlang binary
Once again couchdb update has broken selinux or vice versa.  On my 64bit system, erlang binaries are now in /usr/lib64 which invalidates the existing rabbitmq filecontexts that were in place:

/usr/lib/erlang/erts.*/bin/beam.*       --      gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
/usr/lib/erlang/erts.*/bin/epmd --      gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)

There is apparently a new couchdb specific file context: 'couchdb_exec_t'

The binaries in the new lib64 location have a default context, I had to change them with these commands:

sudo chcon -v -t couchdb_exec_t /usr/lib64/erlang/erts-5.10.4/bin/beam.*
sudo chcon -v -t couchdb_exec_t /usr/lib64/erlang/erts-5.10.4/bin/epmd


SELinux is preventing /usr/lib64/erlang/erts-5.10.4/bin/erlexec from 'execute' accesses on the file .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that erlexec should be allowed execute access on the  file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep erlexec /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:couchdb_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                 [ file ]
Source                        erlexec
Source Path                   /usr/lib64/erlang/erts-5.10.4/bin/erlexec
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           erlang-erts-R16B-03.7.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-189.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.16.6-200.fc20.x86_64 #1 SMP Wed
                              Oct 15 13:06:51 UTC 2014 x86_64 x86_64
Alert Count                   10
First Seen                    2014-10-18 15:37:43 EDT
Last Seen                     2014-10-18 15:42:19 EDT
Local ID                      089e139e-65d6-4ddc-a257-f9f98d8f96de

Raw Audit Messages
type=AVC msg=audit(1413661339.786:705): avc:  denied  { execute } for  pid=25205 comm="erlexec" name="beam.smp" dev="dm-2" ino=921800 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1413661339.786:705): arch=x86_64 syscall=execve success=no exit=EACCES a0=a03050 a1=a032f0 a2=7fff76d51dc8 a3=7fff76d51850 items=0 ppid=1 pid=25205 auid=4294967295 uid=989 gid=986 euid=989 suid=989 fsuid=989 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm=erlexec exe=/usr/lib64/erlang/erts-5.10.4/bin/erlexec subj=system_u:system_r:couchdb_t:s0 key=(null)

Hash: erlexec,couchdb_t,unlabeled_t,file,execute

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.6-200.fc20.x86_64
type:           libreport

Comment 1 Aaron Hamid 2014-10-19 01:16:24 UTC
And now I see a difference denial regarding the 'df' tool, so perhaps my quick fix was not comprehensive:

SELinux is preventing /usr/bin/df from search access on the directory .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that df should be allowed search access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep df /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:couchdb_t:s0
Target Context                system_u:object_r:sysctl_fs_t:s0
Target Objects                 [ dir ]
Source                        df
Source Path                   /usr/bin/df
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           coreutils-8.21-21.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-189.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.16.6-200.fc20.x86_64 #1 SMP Wed Oct
                              15 13:06:51 UTC 2014 x86_64 x86_64
Alert Count                   6
First Seen                    2014-10-18 15:59:48 EDT
Last Seen                     2014-10-18 16:59:48 EDT
Local ID                      71555f05-7390-47d1-a2cd-85111f6d9c43

Raw Audit Messages
type=AVC msg=audit(1413665988.725:837): avc:  denied  { search } for  pid=30601 comm="df" name="fs" dev="proc" ino=9937 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1413665988.725:837): arch=x86_64 syscall=statfs success=no exit=EACCES a0=a3a840 a1=7fff0f97c5d0 a2=7fff0f97c8f0 a3=0 items=0 ppid=27467 pid=30601 auid=4294967295 uid=989 gid=986 euid=989 suid=989 fsuid=989 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm=df exe=/usr/bin/df subj=system_u:system_r:couchdb_t:s0 key=(null)

Hash: df,couchdb_t,sysctl_fs_t,dir,search

Comment 2 Aaron Hamid 2014-10-19 04:51:34 UTC
The subsequent denials of '/usr/bin/df' seem related to this issue: https://bugzilla.redhat.com/show_bug.cgi?id=969757

couchdb (erlang) is trying to run df for some reason.

Comment 3 Lukas Vrabec 2014-10-21 10:51:09 UTC
commit 0df8aeee19de7bc3534516a12c41c3a6edecf563
Author: Lukas Vrabec <lvrabec>
Date:   Tue Oct 21 12:49:47 2014 +0200

    Allow couchdb read sysctl_fs_t files. BZ(1154327)

fixed in rawhide,F21,F20

Comment 4 Aaron Hamid 2014-10-21 20:41:57 UTC
Excellent, thanks so much Lukas!

Comment 5 Lukas Vrabec 2014-10-22 07:54:14 UTC
No problem :)

Comment 6 Fedora Update System 2014-10-22 11:52:53 UTC
selinux-policy-3.12.1-192.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-192.fc20

Comment 7 Fedora Update System 2014-10-23 06:23:49 UTC
Package selinux-policy-3.12.1-192.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-192.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13495/selinux-policy-3.12.1-192.fc20
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2014-10-28 06:38:43 UTC
selinux-policy-3.12.1-192.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.