Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1275246 - SELinux prevents redis-sentinel from writing to /etc/redis-sentinel.conf
SELinux prevents redis-sentinel from writing to /etc/redis-sentinel.conf
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.2
All Linux
medium Severity medium
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-26 07:14 EDT by Milos Malik
Modified: 2016-11-03 22:23 EDT (History)
8 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-66.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-03 22:23:48 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2435021 None None None 2016-07-11 03:46 EDT
Red Hat Product Errata RHBA-2016:2283 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2016-11-03 09:36:25 EDT

  None (edit)
Description Milos Malik 2015-10-26 07:14:11 EDT 
Description of problem:


Version-Release number of selected component (if applicable):
redis-2.8.21-1.el7ost.x86_64
selinux-policy-3.13.1-60.el7.noarch
selinux-policy-devel-3.13.1-60.el7.noarch
selinux-policy-doc-3.13.1-60.el7.noarch
selinux-policy-minimum-3.13.1-60.el7.noarch
selinux-policy-mls-3.13.1-60.el7.noarch
selinux-policy-sandbox-3.13.1-60.el7.noarch
selinux-policy-targeted-3.13.1-60.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-7.2 machine
2. service redis-sentinel start
3. search for SELinux denials

Actual results (enforcing mode):
----
time->Mon Oct 26 00:47:26 2015
type=SYSCALL msg=audit(1445816846.705:97): arch=c000003e syscall=21 success=no exit=-13 a0=7fd6a48110a8 a1=2 a2=29 a3=3a items=0 ppid=1 pid=31198 auid=4294967295 uid=992 gid=990 euid=992 suid=992 fsuid=992 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="redis-sentinel" exe="/usr/bin/redis-server" subj=system_u:system_r:redis_t:s0 key=(null)
type=AVC msg=audit(1445816846.705:97): avc:  denied  { write } for  pid=31198 comm="redis-sentinel" name="redis-sentinel.conf" dev="dm-0" ino=135827335 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
----

Actual results (permissive mode):
----
type=PATH msg=audit(10/26/2015 12:09:21.760:168) : item=0 name=/etc/redis-sentinel.conf inode=17489075 dev=fd:03 mode=file,644 ouid=redis ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL 
type=CWD msg=audit(10/26/2015 12:09:21.760:168) :  cwd=/tmp 
type=SYSCALL msg=audit(10/26/2015 12:09:21.760:168) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7f997a0ba068 a1=W_OK a2=0x1a a3=0x3a items=1 ppid=1 pid=3109 auid=unset uid=redis gid=redis euid=redis suid=redis fsuid=redis egid=redis sgid=redis fsgid=redis tty=(none) ses=unset comm=redis-sentinel exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null) 
type=AVC msg=audit(10/26/2015 12:09:21.760:168) : avc:  denied  { write } for  pid=3109 comm=redis-sentinel name=redis-sentinel.conf dev="vda3" ino=17489075 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file 
----
type=SOCKADDR msg=audit(10/26/2015 12:09:21.761:169) : saddr=inet host:127.0.0.1 serv:6379 
type=SYSCALL msg=audit(10/26/2015 12:09:21.761:169) : arch=x86_64 syscall=connect success=no exit=-115(Operation now in progress) a0=0x6 a1=0x7f997a0b31b0 a2=0x10 a3=0x0 items=0 ppid=1 pid=3109 auid=unset uid=redis gid=redis euid=redis suid=redis fsuid=redis egid=redis sgid=redis fsgid=redis tty=(none) ses=unset comm=redis-sentinel exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null) 
type=AVC msg=audit(10/26/2015 12:09:21.761:169) : avc:  denied  { name_connect } for  pid=3109 comm=redis-sentinel dest=6379 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket 
----

Expected results:
 * no SELinux denials
Comment 6 errata-xmlrpc 2016-11-03 22:23:48 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.