Bug 1648655 - SELinux is preventing sss_cache from 'write' accesses on the file config.ldb.
Summary: SELinux is preventing sss_cache from 'write' accesses on the file config.ldb.
Keywords:
Status: CLOSED DUPLICATE of bug 1640255
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:225824ead181aa5132282baf70f...
Duplicates: 1677909
Depends On:
Blocks:
Reported: 2018-11-11 12:29 UTC by Mai Ling
Modified: 2019-02-16 18:41 UTC
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-13 08:29:00 UTC
Type: ---
Embargoed:



Description Mai Ling 2018-11-11 12:29:03 UTC
Description of problem:
sudo dnf --refresh upgrade
SELinux is preventing sss_cache from 'write' accesses on the file config.ldb.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sss_cache should be allowed write access on the config.ldb file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sss_cache' --raw | audit2allow -M my-ssscache
# semodule -X 300 -i my-ssscache.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c102
                              3
Target Context                system_u:object_r:sssd_var_lib_t:s0
Target Objects                config.ldb [ file ]
Source                        sss_cache
Source Path                   sss_cache
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-37.fc29.noarch selinux-
                              policy-3.14.2-42.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.13-300.fc29.x86_64 #1 SMP Wed
                              Oct 10 17:22:50 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-11-11 14:26:41 EET
Last Seen                     2018-11-11 14:26:41 EET
Local ID                      a5380f8c-a6a8-4c80-aa4d-6917b096ee06

Raw Audit Messages
type=AVC msg=audit(1541939201.665:345): avc:  denied  { write } for  pid=24081 comm="sss_cache" name="config.ldb" dev="sda3" ino=35224736 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0


Hash: sss_cache,groupadd_t,sssd_var_lib_t,file,write

Version-Release number of selected component:
selinux-policy-3.14.2-37.fc29.noarch
selinux-policy-3.14.2-42.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.13-300.fc29.x86_64
type:           libreport

Potential duplicate: bug 1640255

Comment 1 Mai Ling 2018-11-11 20:00:43 UTC
Description of problem:
it appeared during this:


[asus@localhost ~]$ sudo dnf remove blender
Dependencies resolved.
================================================================================
 Package                 Arch     Version              Repository          Size
================================================================================
Removing:
 blender                 x86_64   1:2.79b-9.fc29       @updates           143 M
Removing unused dependencies:
 CharLS                  x86_64   1.0-17.fc29          @fedora            239 k
 Field3D                 x86_64   1.7.2-11.fc29        @fedora            2.7 M
 OpenColorIO             x86_64   1.1.0-8.fc29         @fedora            1.6 M
 OpenImageIO             x86_64   1.8.16-1.fc29        @updates            11 M
 alembic-libs            x86_64   1.7.8-1.fc29         @fedora            2.3 M
 blender-fonts           noarch   1:2.79b-9.fc29       @updates           4.9 M
 boost-program-options   x86_64   1.66.0-14.fc29       @fedora            592 k
 boost-regex             x86_64   1.66.0-14.fc29       @fedora            1.2 M
 dcmtk                   x86_64   3.6.2-4.fc29         @fedora             31 M
 libGLEW                 x86_64   2.1.0-2.fc29         @fedora            670 k
 libspnav                x86_64   0.2.3-8.fc29         @fedora             22 k
 openCOLLADA             x86_64   1.6.63-1.fc29        @fedora             11 M
 openblas-threads        x86_64   0.3.3-2.fc29         @updates-testing    40 M
 pugixml                 x86_64   1.9-2.fc29           @fedora            249 k
 python3-numpy           x86_64   1:1.15.1-1.fc29      @updates-testing    17 M
 tinyxml                 x86_64   2.6.2-17.fc29        @fedora            136 k
 yaml-cpp                x86_64   0.6.1-4.fc29         @updates-testing   498 k

Transaction Summary
================================================================================
Remove  18 Packages

Freed space: 268 M
Is this ok [y/N]: y
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
Erase: blender-1:2.79b-9.fc29.x86_64
  Erasing          : blender-1:2.79b-9.fc29.x86_64                         1/18 
Erase: blender-1:2.79b-9.fc29.x86_64
  Running scriptlet: blender-1:2.79b-9.fc29.x86_64                         1/18 
Erase: OpenImageIO-1.8.16-1.fc29.x86_64
  Erasing          : OpenImageIO-1.8.16-1.fc29.x86_64                      2/18 
Erase: OpenImageIO-1.8.16-1.fc29.x86_64
Erase: OpenColorIO-1.1.0-8.fc29.x86_64
  Erasing          : OpenColorIO-1.1.0-8.fc29.x86_64                       3/18 
Erase: OpenColorIO-1.1.0-8.fc29.x86_64
Erase: Field3D-1.7.2-11.fc29.x86_64
  Erasing          : Field3D-1.7.2-11.fc29.x86_64                          4/18 
Erase: Field3D-1.7.2-11.fc29.x86_64
Erase: dcmtk-3.6.2-4.fc29.x86_64
  Erasing          : dcmtk-3.6.2-4.fc29.x86_64                             5/18 
Erase: dcmtk-3.6.2-4.fc29.x86_64
Erase: python3-numpy-1:1.15.1-1.fc29.x86_64
  Erasing          : python3-numpy-1:1.15.1-1.fc29.x86_64                  6/18 
Erase: python3-numpy-1:1.15.1-1.fc29.x86_64
Erase: blender-fonts-1:2.79b-9.fc29.noarch
  Erasing          : blender-fonts-1:2.79b-9.fc29.noarch                   7/18 
Erase: blender-fonts-1:2.79b-9.fc29.noarch
Erase: openblas-threads-0.3.3-2.fc29.x86_64
  Erasing          : openblas-threads-0.3.3-2.fc29.x86_64                  8/18 
Erase: openblas-threads-0.3.3-2.fc29.x86_64
  Running scriptlet: openblas-threads-0.3.3-2.fc29.x86_64                  8/18 
Erase: CharLS-1.0-17.fc29.x86_64
  Erasing          : CharLS-1.0-17.fc29.x86_64                             9/18 
Erase: CharLS-1.0-17.fc29.x86_64
  Running scriptlet: CharLS-1.0-17.fc29.x86_64                             9/18 
Erase: boost-program-options-1.66.0-14.fc29.x86_64
  Erasing          : boost-program-options-1.66.0-14.fc29.x86_64          10/18 
Erase: boost-program-options-1.66.0-14.fc29.x86_64
Erase: boost-regex-1.66.0-14.fc29.x86_64
  Erasing          : boost-regex-1.66.0-14.fc29.x86_64                    11/18 
Erase: boost-regex-1.66.0-14.fc29.x86_64
Erase: tinyxml-2.6.2-17.fc29.x86_64
  Erasing          : tinyxml-2.6.2-17.fc29.x86_64                         12/18 
Erase: tinyxml-2.6.2-17.fc29.x86_64
  Running scriptlet: tinyxml-2.6.2-17.fc29.x86_64                         12/18 
Erase: yaml-cpp-0.6.1-4.fc29.x86_64
  Erasing          : yaml-cpp-0.6.1-4.fc29.x86_64                         13/18 
Erase: yaml-cpp-0.6.1-4.fc29.x86_64
  Running scriptlet: yaml-cpp-0.6.1-4.fc29.x86_64                         13/18 
Erase: pugixml-1.9-2.fc29.x86_64
  Erasing          : pugixml-1.9-2.fc29.x86_64                            14/18 
Erase: pugixml-1.9-2.fc29.x86_64
  Running scriptlet: pugixml-1.9-2.fc29.x86_64                            14/18 
Erase: alembic-libs-1.7.8-1.fc29.x86_64
  Erasing          : alembic-libs-1.7.8-1.fc29.x86_64                     15/18 
Erase: alembic-libs-1.7.8-1.fc29.x86_64
  Running scriptlet: alembic-libs-1.7.8-1.fc29.x86_64                     15/18 
Erase: libGLEW-2.1.0-2.fc29.x86_64
  Erasing          : libGLEW-2.1.0-2.fc29.x86_64                          16/18 
Erase: libGLEW-2.1.0-2.fc29.x86_64
Erase: openCOLLADA-1.6.63-1.fc29.x86_64
  Erasing          : openCOLLADA-1.6.63-1.fc29.x86_64                     17/18 
Erase: openCOLLADA-1.6.63-1.fc29.x86_64
Erase: libspnav-0.2.3-8.fc29.x86_64
  Erasing          : libspnav-0.2.3-8.fc29.x86_64                         18/18 
Erase: libspnav-0.2.3-8.fc29.x86_64
  Running scriptlet: libspnav-0.2.3-8.fc29.x86_64                         18/18 
  Verifying        : CharLS-1.0-17.fc29.x86_64                             1/18 
  Verifying        : Field3D-1.7.2-11.fc29.x86_64                          2/18 
  Verifying        : OpenColorIO-1.1.0-8.fc29.x86_64                       3/18 
  Verifying        : OpenImageIO-1.8.16-1.fc29.x86_64                      4/18 
  Verifying        : alembic-libs-1.7.8-1.fc29.x86_64                      5/18 
  Verifying        : blender-1:2.79b-9.fc29.x86_64                         6/18 
  Verifying        : blender-fonts-1:2.79b-9.fc29.noarch                   7/18 
  Verifying        : boost-program-options-1.66.0-14.fc29.x86_64           8/18 
  Verifying        : boost-regex-1.66.0-14.fc29.x86_64                     9/18 
  Verifying        : dcmtk-3.6.2-4.fc29.x86_64                            10/18 
  Verifying        : libGLEW-2.1.0-2.fc29.x86_64                          11/18 
  Verifying        : libspnav-0.2.3-8.fc29.x86_64                         12/18 
  Verifying        : openCOLLADA-1.6.63-1.fc29.x86_64                     13/18 
  Verifying        : openblas-threads-0.3.3-2.fc29.x86_64                 14/18 
  Verifying        : pugixml-1.9-2.fc29.x86_64                            15/18 
  Verifying        : python3-numpy-1:1.15.1-1.fc29.x86_64                 16/18 
  Verifying        : tinyxml-2.6.2-17.fc29.x86_64                         17/18 
  Verifying        : yaml-cpp-0.6.1-4.fc29.x86_64                         18/18 

Removed:
  blender-1:2.79b-9.fc29.x86_64                                                 
  CharLS-1.0-17.fc29.x86_64                                                     
  Field3D-1.7.2-11.fc29.x86_64                                                  
  OpenColorIO-1.1.0-8.fc29.x86_64                                               
  OpenImageIO-1.8.16-1.fc29.x86_64                                              
  alembic-libs-1.7.8-1.fc29.x86_64                                              
  blender-fonts-1:2.79b-9.fc29.noarch                                           
  boost-program-options-1.66.0-14.fc29.x86_64                                   
  boost-regex-1.66.0-14.fc29.x86_64                                             
  dcmtk-3.6.2-4.fc29.x86_64                                                     
  libGLEW-2.1.0-2.fc29.x86_64                                                   
  libspnav-0.2.3-8.fc29.x86_64                                                  
  openCOLLADA-1.6.63-1.fc29.x86_64                                              
  openblas-threads-0.3.3-2.fc29.x86_64                                          
  pugixml-1.9-2.fc29.x86_64                                                     
  python3-numpy-1:1.15.1-1.fc29.x86_64                                          
  tinyxml-2.6.2-17.fc29.x86_64                                                  
  yaml-cpp-0.6.1-4.fc29.x86_64                                                  

Complete!

Version-Release number of selected component:
selinux-policy-3.14.2-37.fc29.noarch
selinux-policy-3.14.2-42.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.20.0-0.rc1.git1.2.fc30.x86_64
type:           libreport

Comment 2 Lukas Slebodnik 2018-11-13 08:29:00 UTC

*** This bug has been marked as a duplicate of bug 1640255 ***

Comment 3 Emre 2019-02-16 18:41:43 UTC
*** Bug 1677909 has been marked as a duplicate of this bug. ***

