Bug 477743 - memcached-selinux and audit denies (memcached works, but memcached-selinux doesn't)
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: memcached
Version: el5
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Paul Lindner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: ActualBug
Depends On:
Blocks:
Reported: 2008-12-23 09:02 UTC by Jarkko
Modified: 2010-04-26 23:25 UTC (History)

Fixed In Version: memcached-1.4.5-1.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-04-26 23:25:20 UTC


Description Jarkko 2008-12-23 09:02:49 UTC
Description of problem: memcached-selinux can't be used (memcached works when only the memcached package is installed as then there's no policy in use for memcached) because it causes three audit denies.

Version-Release number of selected component (if applicable): memcached-selinux-1.2.5-2.el5

Actual results: "service memcached start" says OK, but actually fails as "service memcached status" reports "memcached dead but subsys locked".

Expected results: memcached starting and working with the selinux policy package (memcached-selinux).


Additional info
---------------

Here are the denies:

Dec 23 10:47:47 web kernel: audit(1230022067.059:11): avc:  denied  { create } for  pid=9882 comm="memcached" scontext=root:system_r:memcached_t:s0 tcontext=root:system_r:memcached_t:s0 tclass=netlink_route_socket
Dec 23 10:47:47 web kernel: audit(1230022067.063:12): avc:  denied  { create } for  pid=9882 comm="memcached" scontext=root:system_r:memcached_t:s0 tcontext=root:system_r:memcached_t:s0 tclass=netlink_route_socket
Dec 23 10:47:47 web kernel: audit(1230022067.063:13): avc:  denied  { name_bind } for  pid=9882 comm="memcached" src=11211 scontext=root:system_r:memcached_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

And here's what audit2allow says about them:

#============= memcached_t ==============
allow memcached_t port_t:udp_socket name_bind;
allow memcached_t self:netlink_route_socket create;
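
The step from the three denials to the two allow rules above, as an added example (not part of the original report and not audit2allow's own code). The function names and the "broad" flag are assumptions of this sketch; the flag marks a name_bind rule on the generic port_t type, which covers every port that has no dedicated label rather than only 11211.

```python
import re
from collections import defaultdict

# The three denials from the report above, copied verbatim.
AUDIT_LOG = """\
Dec 23 10:47:47 web kernel: audit(1230022067.059:11): avc:  denied  { create } for  pid=9882 comm="memcached" scontext=root:system_r:memcached_t:s0 tcontext=root:system_r:memcached_t:s0 tclass=netlink_route_socket
Dec 23 10:47:47 web kernel: audit(1230022067.063:12): avc:  denied  { create } for  pid=9882 comm="memcached" scontext=root:system_r:memcached_t:s0 tcontext=root:system_r:memcached_t:s0 tclass=netlink_route_socket
Dec 23 10:47:47 web kernel: audit(1230022067.063:13): avc:  denied  { name_bind } for  pid=9882 comm="memcached" src=11211 scontext=root:system_r:memcached_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return (source_type, target_type, class, perms), or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    try:
        stype = fields["scontext"].split(":")[2]  # user:role:type:level
        ttype = fields["tcontext"].split(":")[2]
        return stype, ttype, fields["tclass"], m.group(1).split()
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def allow_rules(log_text):
    """Merge repeated denials into allow rules; flag rules on generic port_t."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            stype, ttype, tclass, ps = rec
            perms[(stype, "self" if ttype == stype else ttype, tclass)].update(ps)
    rules = []
    for (stype, target, tclass), ps in sorted(perms.items()):
        p = sorted(ps)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        # port_t labels ports with no dedicated type, so a name_bind rule
        # on it is wider than the single port seen in the denial.
        broad = target == "port_t" and "name_bind" in ps
        rules.append((f"allow {stype} {target}:{tclass} {perm_str};", broad))
    return rules

if __name__ == "__main__":
    for rule, broad in allow_rules(AUDIT_LOG):
        print(rule + ("   # broad: generic port_t" if broad else ""))
```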

Comment 1 Paul Lindner 2009-07-24 06:00:08 UTC
I'm not an selinux expert here, and the patch for that was contributed.  Can anyone help out?

Comment 2 Fedora Update System 2010-04-06 18:38:32 UTC
memcached-1.4.5-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/memcached-1.4.5-1.el5

Comment 3 Jarkko 2010-04-07 09:01:53 UTC
# yum localupdate memcached-1.4.5-1.el5.i386.rpm 
Setting up Local Package Process
Examining memcached-1.4.5-1.el5.i386.rpm: memcached-1.4.5-1.el5.i386
Marking memcached-1.4.5-1.el5.i386.rpm as an update to memcached-1.2.8-1.el5.i386
Resolving Dependencies
--> Running transaction check
--> Processing Dependency: memcached = 1.2.8-1.el5 for package: memcached-selinux
---> Package memcached.i386 0:1.4.5-1.el5 set to be updated
--> Processing Dependency: libevent-1.4.so.2 for package: memcached
--> Finished Dependency Resolution
memcached-selinux-1.2.8-1.el5.i386 from installed has depsolving problems
  --> Missing Dependency: memcached = 1.2.8-1.el5 is needed by package memcached-selinux-1.2.8-1.el5.i386 (installed)
memcached-1.4.5-1.el5.i386 from /memcached-1.4.5-1.el5.i386 has depsolving problems
  --> Missing Dependency: libevent-1.4.so.2 is needed by package memcached-1.4.5-1.el5.i386 (/memcached-1.4.5-1.el5.i386)

Packages skipped because of dependency problems:
    memcached-1.4.5-1.el5.i386 from /memcached-1.4.5-1.el5.i386


# yum remove memcached-selinux
...
Removed:
  memcached-selinux.i386 0:1.2.8-1.el5


# yum localupdate memcached-1.4.5-1.el5.i386.rpm 
Setting up Local Package Process
Examining memcached-1.4.5-1.el5.i386.rpm: memcached-1.4.5-1.el5.i386
Marking memcached-1.4.5-1.el5.i386.rpm as an update to memcached-1.2.8-1.el5.i386
Resolving Dependencies
--> Running transaction check
---> Package memcached.i386 0:1.4.5-1.el5 set to be updated
--> Processing Dependency: libevent-1.4.so.2 for package: memcached
--> Finished Dependency Resolution
memcached-1.4.5-1.el5.i386 from /memcached-1.4.5-1.el5.i386 has depsolving problems
  --> Missing Dependency: libevent-1.4.so.2 is needed by package memcached-1.4.5-1.el5.i386 (/memcached-1.4.5-1.el5.i386)

Packages skipped because of dependency problems:
    memcached-1.4.5-1.el5.i386 from /memcached-1.4.5-1.el5.i386


EL5 has libevent-1.1a.so.1 but the package has been built against libevent-1.4.so.2 it seems...

Comment 4 Paul Lindner 2010-04-07 12:56:20 UTC
We're rebuilding for EL-5.5, which has libevent 1.4; sadly, there's no way to generate an RPM for EL-5.4 now...

See the big long thread over at https://bugzilla.redhat.com/show_bug.cgi?id=563985

Comment 5 Fedora Update System 2010-04-07 22:17:17 UTC
memcached-1.4.5-1.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update memcached'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/memcached-1.4.5-1.el5

Comment 6 Fedora Update System 2010-04-19 23:22:41 UTC
memcached-1.4.5-1.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update memcached'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/memcached-1.4.5-1.el5

Comment 7 Fedora Update System 2010-04-26 23:25:11 UTC
memcached-1.4.5-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
