Bug 1514867 - selinux prevents memcached from starting
Summary: selinux prevents memcached from starting
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-11-19 01:47 UTC by Scott Shambarger
Modified: 2018-06-04 14:40 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.13.1-283.17.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-28 23:54:01 UTC
Type: Bug


Attachments (Terms of Use)

Description Scott Shambarger 2017-11-19 01:47:22 UTC
Description of problem:
type=AVC msg=audit(11/18/2017 17:37:53.371:1179) : avc:  denied  { nnp_transition } for  pid=5165 comm=(emcached) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:memcached_t:s0 tclass=process2 permissive=0 

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

Results in memcached crashing on startup:

systemd[1]: memcached.service: Main process exited, code=killed, status=11/SEGV

Adding the following policy allowed memcached to work as expected:

allow init_t memcached_t:process2 nnp_transition;

This is probably related to the new systemd option in memcached.service:

NoNewPrivileges=true

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-283.14.fc27.noarch
memcached-1.5.1-1.fc27.x86_64

Comment 1 Fedora Update System 2017-11-22 08:55:39 UTC
selinux-policy-3.13.1-283.17.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9

Comment 2 Fedora Update System 2017-11-22 21:41:36 UTC
selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9

Comment 3 Scott Shambarger 2017-11-23 00:40:41 UTC
Works in latest release... adding karma :)

Comment 4 Fedora Update System 2017-11-28 23:54:01 UTC
selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.