1187183 – SELinux is preventing dnssec-trigger- from 'read' accesses on the directory /var/tmp.

Bug 1187183 - SELinux is preventing dnssec-trigger- from 'read' accesses on the directory /var/tmp.

Summary: SELinux is preventing dnssec-trigger- from 'read' accesses on the directory /...

Keywords:
Status:	CLOSED WORKSFORME
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	21
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:a0833cbc6b2ba6dc9cd14d37a4b...
Depends On:
Blocks:	Default_Local_DNS_Resolver
TreeView+	depends on / blocked

Reported:	2015-01-29 13:49 UTC by Charles R. Anderson
Modified:	2015-04-13 22:47 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-04-13 13:39:42 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Charles R. Anderson 2015-01-29 13:49:53 UTC

Description of problem:
SELinux is preventing dnssec-trigger- from 'read' accesses on the directory /var/tmp.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that dnssec-trigger- should be allowed read access on the tmp directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dnssec-trigger- /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dnssec_trigger_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                /var/tmp [ dir ]
Source                        dnssec-trigger-
Source Path                   dnssec-trigger-
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           filesystem-3.2-28.fc21.x86_64
Policy RPM                    selinux-policy-3.13.1-103.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.18.3-201.fc21.x86_64 #1 SMP Mon
                              Jan 19 15:59:31 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-01-29 08:48:12 EST
Last Seen                     2015-01-29 08:48:12 EST
Local ID                      0dbce163-7726-45a4-a890-2894c1e66fbd

Raw Audit Messages
type=AVC msg=audit(1422539292.479:2388): avc:  denied  { read } for  pid=26895 comm="dnssec-trigger-" name="tmp" dev="dm-1" ino=422045 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0


Hash: dnssec-trigger-,dnssec_trigger_t,tmp_t,dir,read

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.3-201.fc21.x86_64
type:           libreport

Comment 1 Charles R. Anderson 2015-01-29 14:16:54 UTC

I think this was caused during a "dnf update" while the system was running. dnssec-triger and systemd were bot updated.  dnssec-trigger also crashed during this time.

Jan 29 08:48:11 a dnssec-triggerd[1271]: [1271] info: dnssec-trigger 0.12 stop
Jan 29 08:48:11 a python[26853]: detected unhandled Python exception in '/usr/libexec/dnssec-trigger-script'
Jan 29 08:48:12 a dbus[744]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Jan 29 08:48:12 a dbus[744]: [system] Successfully activated service 'org.freedesktop.problems'
Jan 29 08:48:12 a dnssec-trigger-script[26853]: Traceback (most recent call last):
Jan 29 08:48:12 a dnssec-trigger-script[26853]: File "/usr/libexec/dnssec-trigger-script", line 48, in <module>
Jan 29 08:48:12 a dnssec-trigger-script[26853]: class Config:
Jan 29 08:48:12 a dnssec-trigger-script[26853]: File "/usr/libexec/dnssec-trigger-script", line 60, in Config
Jan 29 08:48:12 a dnssec-trigger-script[26853]: "use_private_address_ranges": TRUE,
Jan 29 08:48:12 a dnssec-trigger-script[26853]: NameError: name 'TRUE' is not defined
Jan 29 08:48:12 a python[26878]: detected unhandled Python exception in '/usr/libexec/dnssec-trigger-script'
Jan 29 08:48:12 a abrt-server[26890]: Not saving repeating crash in '/usr/libexec/dnssec-trigger-script'
Jan 29 08:48:12 a dnssec-trigger-script[26878]: Traceback (most recent call last):
Jan 29 08:48:12 a dnssec-trigger-script[26878]: File "/usr/libexec/dnssec-trigger-script", line 48, in <module>
Jan 29 08:48:12 a dnssec-trigger-script[26878]: class Config:
Jan 29 08:48:12 a dnssec-trigger-script[26878]: File "/usr/libexec/dnssec-trigger-script", line 60, in Config
Jan 29 08:48:12 a dnssec-trigger-script[26878]: "use_private_address_ranges": TRUE,
Jan 29 08:48:12 a dnssec-trigger-script[26878]: NameError: name 'TRUE' is not defined
Jan 29 08:48:12 a dnssec-triggerd[26891]: [26891] info: dnssec-trigger 0.12 start
Jan 29 08:48:12 a dbus[744]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Jan 29 08:48:12 a python[26893]: detected unhandled Python exception in '/usr/libexec/dnssec-trigger-script'
Jan 29 08:48:12 a python[26895]: detected unhandled Python exception in '/usr/libexec/dnssec-trigger-script'
Jan 29 08:48:12 a abrt-server[26904]: Not saving repeating crash in '/usr/libexec/dnssec-trigger-script'
Jan 29 08:48:12 a dnssec-trigger-script[26893]: Traceback (most recent call last):
Jan 29 08:48:12 a dnssec-trigger-script[26893]: File "/usr/libexec/dnssec-trigger-script", line 48, in <module>
Jan 29 08:48:12 a dnssec-trigger-script[26893]: class Config:
Jan 29 08:48:12 a dnssec-trigger-script[26893]: File "/usr/libexec/dnssec-trigger-script", line 60, in Config
Jan 29 08:48:12 a dnssec-trigger-script[26893]: "use_private_address_ranges": TRUE,
Jan 29 08:48:12 a dnssec-trigger-script[26893]: NameError: name 'TRUE' is not defined
Jan 29 08:48:12 a dnssec-triggerd[26891]: error: cannot open Packages database in /var/lib/rpm
Jan 29 08:48:12 a dnssec-triggerd[26891]: Traceback (most recent call last):
Jan 29 08:48:12 a dnssec-triggerd[26891]: File "/usr/libexec/dnssec-trigger-script", line 48, in <module>
Jan 29 08:48:12 a dnssec-triggerd[26891]: class Config:
Jan 29 08:48:12 a dnssec-triggerd[26891]: File "/usr/libexec/dnssec-trigger-script", line 60, in Config
Jan 29 08:48:12 a dnssec-triggerd[26891]: "use_private_address_ranges": TRUE,
Jan 29 08:48:12 a dnssec-triggerd[26891]: NameError: name 'TRUE' is not defined
Jan 29 08:48:12 a systemd[1]: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configurati
Jan 29 08:48:12 a systemd[1]: Configuration file /usr/lib/systemd/system/wpa_supplicant.service is marked executable. Please remove executable permissi
Jan 29 08:48:13 a systemd[1]: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configurati
Jan 29 08:48:13 a dbus[744]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Jan 29 08:48:13 a systemd[1]: Configuration file /usr/lib/systemd/system/wpa_supplicant.service is marked executable. Please remove executable permissi
Jan 29 08:48:13 a setroubleshoot[26901]: SELinux is preventing sh from execute access on the file /usr/sbin/ldconfig. For complete SELinux messages. ru
Jan 29 08:48:13 a python[26901]: SELinux is preventing sh from execute access on the file /usr/sbin/ldconfig.

Comment 2 Lukas Vrabec 2015-03-16 15:39:58 UTC

Hi, 
Could you reproduce this issue?

Comment 3 Charles R. Anderson 2015-04-13 13:39:42 UTC

Cannot reproduce.

Comment 4 Lukas Vrabec 2015-04-13 22:47:35 UTC

Thank you for testing!

Note You need to log in before you can comment on or make changes to this bug.