Bug 1177717 - couchdb selinux: gconf_home_t AVC
Summary: couchdb selinux: gconf_home_t AVC
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 21
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-12-30 04:01 UTC by Warren Togami
Modified: 2015-01-30 23:55 UTC (History)
2 users (show)

Fixed In Version: selinux-policy-3.13.1-105.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-30 23:55:33 UTC
Type: Bug


Attachments (Terms of Use)

Description Warren Togami 2014-12-30 04:01:08 UTC
selinux-policy-3.13.1-103.fc21
couchdb-1.6.1-4.fc21.x86_64

Reproduce Procedure:
1. Apply the fix in Bug #1177716 to the couchdb semodule.
2. yum install couchdb
3. systemctl start couchdb.service

type=AVC msg=audit(1419911091.723:2412): avc:  denied  { search } for  pid=1344 comm="df" name=".local" dev="dm-6" ino=1310771 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir permissive=0

Comment 1 Lukas Vrabec 2015-01-15 11:27:11 UTC
Hi, 
Do you know why couchdb need this search? 
I prefer add dontaudit rule what do you think?

Comment 2 Warren Togami 2015-01-15 22:36:14 UTC
Yes, this in particular it doesn't need.  dontaudit is fine.

Comment 3 Lukas Vrabec 2015-01-23 21:36:19 UTC
commit e87f093a4f4b534d85f07f4d50b6ef6763e25bef
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Fri Jan 23 22:35:29 2015 +0100

    Dontaudit couchdb search in gconf_home_t. BZ(1177717)

Comment 4 Fedora Update System 2015-01-27 16:50:13 UTC
selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21

Comment 5 Fedora Update System 2015-01-30 04:33:04 UTC
Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2015-01-30 23:55:33 UTC
selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.