Bug 250368 - setroubleshoot error while updating nfs-utils
Summary: setroubleshoot error while updating nfs-utils
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-08-01 04:36 UTC by Andre Robatino
Modified: 2007-11-30 22:12 UTC (History)
0 users

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-08-15 10:26:26 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Andre Robatino 2007-08-01 04:36:13 UTC
Description of problem:
  While yum was updating authconfig-gtk, the following appeared in
/var/log/messages:

Jul 31 22:58:04 localhost yum: Updated: authconfig-gtk.i386 5.3.15-1.fc7
Jul 31 22:58:05 localhost setroubleshoot:      SELinux is preventing /usr/sbin/s
m-notify (rpcd_t) "search" to <Unknown> (sysctl_fs_t).      For complete SELinux
 messages. run sealert -l 55c0814f-e7f1-4ed4-ba78-93b7b1e36960
Jul 31 22:58:06 localhost setroubleshoot:      SELinux is preventing /sbin/rpc.s
tatd (rpcd_t) "search" to <Unknown> (sysctl_fs_t).      For complete SELinux mes
sages. run sealert -l 55c0814f-e7f1-4ed4-ba78-93b7b1e36960

and this command shows

[root@localhost ~]# sealert -l 55c0814f-e7f1-4ed4-ba78-93b7b1e36960
Summary
    SELinux is preventing /sbin/rpc.statd (rpcd_t) "search" to <Unknown>
    (sysctl_fs_t).

Detailed Description
    SELinux denied access requested by /sbin/rpc.statd. It is not expected that
    this access is required by /sbin/rpc.statd and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                user_u:system_r:rpcd_t
Target Context                system_u:object_r:sysctl_fs_t
Target Objects                None [ dir ]
Affected RPM Packages         nfs-utils-1.0.12-4.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-29.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.22.1-33.fc7 #1 SMP
                              Mon Jul 23 17:33:07 EDT 2007 i686 i686
Alert Count                   2
First Seen                    Tue Jul 31 22:58:03 2007
Last Seen                     Tue Jul 31 22:58:03 2007
Local ID                      55c0814f-e7f1-4ed4-ba78-93b7b1e36960
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm="rpc.statd" egid=0 euid=0 exe="/sbin/rpc.statd"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=3974
scontext=user_u:system_r:rpcd_t:s0 sgid=0 subj=user_u:system_r:rpcd_t:s0 suid=0
tclass=dir tcontext=system_u:object_r:sysctl_fs_t:s0 tty=(none) uid=0


[root@localhost ~]#

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-29.fc7
authconfig-gtk-5.3.15-1.fc7

How reproducible:
haven't tried, but presumably always

Comment 1 Andre Robatino 2007-08-01 04:41:49 UTC
  Actually I think the relevant package is nfs-utils, so I'm changing the name
of the bug.  Both packages were in the same batch of updates, nfs-utils appeared
just before authconfig-gtk.

Comment 2 Daniel Walsh 2007-08-01 15:36:42 UTC
Fixed in selinux-policy-2.6.4-31

Comment 3 Andre Robatino 2007-08-13 18:33:23 UTC
  After updating to selinux-policy*2.6.4-30.fc7, I verified that this is fixed
by reverting to the original versions of nfs-utils and nfs-utils-lib and
updating without the setroubleshoot error.  Please close.  I would do it but I'm
confused regarding the difference between "CURRENTRELEASE" and "ERRATA", so I
don't know which to use here.  When is it appropriate to use each one?

Comment 4 Thomas Carlson 2007-08-15 03:29:19 UTC
I've pasted in the text from setroubleshoot browser that popped up tonight in
F7. Hope this helps. 

Summary
SELinux is preventing /sbin/rpc.statd (rpcd_t) "search" to (sysctl_fs_t).

Detailed Description
SELinux denied access requested by /sbin/rpc.statd. It is not expected that this
access is required by /sbin/rpc.statd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for , restorecon -v If this does not work, there
is currently no automatic way to allow this access. Instead, you can generate a
local policy module to allow this access - see FAQ Or you can disable SELinux
protection altogether. Disabling SELinux protection is not recommended. Please
file a bug report against this package.

Additional Information
Source Context:  system_u:system_r:rpcd_tTarget
Context:  system_u:object_r:sysctl_fs_tTarget 
Objects:  None [ dir ]Affected RPM Packages:  nfs-utils-1.1.0-1.fc7 [application]
Policy RPM:  selinux-policy-2.6.4-30.fc7Selinux Enabled:  TruePolicy
Type:  targetedMLS Enabled:  TrueEnforcing Mode:  EnforcingPlugin
Name:  plugins.catchall_fileHost Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.22.1-41.fc7 #1 SMP Fri Jul 27
18:10:34 EDT 2007 i686 i686
Alert Count:  1
First Seen:  Tue 14 Aug 2007 07:07:36 PM PDT
Last Seen:  Tue 14 Aug 2007 07:07:36 PM PDTLocal
ID:  614e5e67-e156-44d0-9465-7ed0c681624a
Line Numbers:
  
Raw Audit Messages :avc: denied { search } for comm="rpc.statd" egid=0 euid=0
exe="/sbin/rpc.statd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=3070
scontext=system_u:system_r:rpcd_t:s0 sgid=0 subj=system_u:system_r:rpcd_t:s0
suid=0 tclass=dir tcontext=system_u:object_r:sysctl_fs_t:s0 tty=(none) uid=0 

Here is the output of rpm -q for the packages...

rpm -q authconfig-gtk
authconfig-gtk-5.3.15-1.fc7

rpm -q selinux-policy
selinux-policy-2.6.4-33.fc7



Comment 5 Andre Robatino 2007-08-15 03:42:03 UTC
  I mistakenly said above that the problem was fixed with
selinux-policy*2.6.4-30.fc7 when it was actually selinux-policy*2.6.4-33.fc7
(which was released that day).  It looks like you still had the old version
selinux-policy-2.6.4-30.fc7 installed when you got this error (note that comment
#2 says it is fixed in selinux-policy-2.6.4-31), so I still think this can be
closed.  Mr. Walsh, when closing this, could you also answer my question in
comment #3?

Comment 6 Daniel Walsh 2007-08-15 10:26:26 UTC
I close Fedora bugs with CurrentRelease.  Errata is used for RHEL or Security
Releases?


Note You need to log in before you can comment on or make changes to this bug.