Bug 477743 - memcached-selinux and audit denies (memcached works, but memcached-selinux doesn't)
Status: CLOSED ERRATA
Product: Fedora EPEL
Classification: Fedora
Component: memcached
Version: el5
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Paul Lindner
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-12-23 04:02 EST by Jarkko
Modified: 2010-04-26 19:25 EDT
Fixed In Version: memcached-1.4.5-1.el5
Doc Type: Bug Fix
Last Closed: 2010-04-26 19:25:20 EDT
Description Jarkko 2008-12-23 04:02:49 EST
Description of problem: memcached-selinux can't be used (memcached works when only the memcached package is installed as then there's no policy in use for memcached) because it causes three audit denies.

Version-Release number of selected component (if applicable): memcached-selinux-1.2.5-2.el5

Actual results: "service memcached start" says OK, but actually fails as "service memcached status" reports "memcached dead but subsys locked".

Expected results: memcached starting and working with the selinux policy package (memcached-selinux).


Additional info
---------------

Here are the denies:

Dec 23 10:47:47 web kernel: audit(1230022067.059:11): avc:  denied  { create } for  pid=9882 comm="memcached" scontext=root:system_r:memcached_t:s0 tcontext=root:system_r:memcached_t:s0 tclass=netlink_route_socket
Dec 23 10:47:47 web kernel: audit(1230022067.063:12): avc:  denied  { create } for  pid=9882 comm="memcached" scontext=root:system_r:memcached_t:s0 tcontext=root:system_r:memcached_t:s0 tclass=netlink_route_socket
Dec 23 10:47:47 web kernel: audit(1230022067.063:13): avc:  denied  { name_bind } for  pid=9882 comm="memcached" src=11211 scontext=root:system_r:memcached_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

And here's what audit2allow says about them:

#============= memcached_t ==============
allow memcached_t port_t:udp_socket name_bind;
allow memcached_t self:netlink_route_socket create;
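
As an added example (not part of the original report, and not audit2allow's own code), the following Python parses the three denials quoted in the description into the same two allow rules and flags the rule that targets the generic port_t type. The function names and the GENERIC_TARGETS set are assumptions made for this example.

```python
import re
from collections import defaultdict

# The three denial records from the bug description above.
SAMPLE = """\
Dec 23 10:47:47 web kernel: audit(1230022067.059:11): avc:  denied  { create } for  pid=9882 comm="memcached" scontext=root:system_r:memcached_t:s0 tcontext=root:system_r:memcached_t:s0 tclass=netlink_route_socket
Dec 23 10:47:47 web kernel: audit(1230022067.063:12): avc:  denied  { create } for  pid=9882 comm="memcached" scontext=root:system_r:memcached_t:s0 tcontext=root:system_r:memcached_t:s0 tclass=netlink_route_socket
Dec 23 10:47:47 web kernel: audit(1230022067.063:13): avc:  denied  { name_bind } for  pid=9882 comm="memcached" src=11211 scontext=root:system_r:memcached_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# port_t labels ports that have no type of their own, so a rule targeting it
# is not limited to the port in the denial (src=11211 here).
GENERIC_TARGETS = {"port_t"}  # assumption for this example


def ctx_type(context):
    """A context is user:role:type[:level]; return the type field."""
    return context.split(":")[2]


def parse_denials(text):
    """Merge AVC denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (ctx_type(m["scontext"]), ctx_type(m["tcontext"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)


def to_allow_rules(rules):
    """Render merged denials as allow rules, using 'self' when source == target."""
    out = []
    for (src, tgt, tclass), perms in rules.items():
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {'self' if src == tgt else tgt}:{tclass} {perm_str};")
    return sorted(out)


def needs_review(rules):
    """Keys whose target is a generic type: the grant is wider than the denial."""
    return [key for key in rules if key[1] in GENERIC_TARGETS]
```

The two identical netlink_route_socket denials collapse into one rule, and the udp_socket rule is the one to review before loading it into a policy module.
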
Comment 1 Paul Lindner 2009-07-24 02:00:08 EDT
I'm not an SELinux expert here, and the patch for that was contributed. Can anyone help out?
Comment 2 Fedora Update System 2010-04-06 14:38:32 EDT
memcached-1.4.5-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/memcached-1.4.5-1.el5
Comment 3 Jarkko 2010-04-07 05:01:53 EDT
# yum localupdate memcached-1.4.5-1.el5.i386.rpm 
Setting up Local Package Process
Examining memcached-1.4.5-1.el5.i386.rpm: memcached-1.4.5-1.el5.i386
Marking memcached-1.4.5-1.el5.i386.rpm as an update to memcached-1.2.8-1.el5.i386
Resolving Dependencies
--> Running transaction check
--> Processing Dependency: memcached = 1.2.8-1.el5 for package: memcached-selinux
---> Package memcached.i386 0:1.4.5-1.el5 set to be updated
--> Processing Dependency: libevent-1.4.so.2 for package: memcached
--> Finished Dependency Resolution
memcached-selinux-1.2.8-1.el5.i386 from installed has depsolving problems
  --> Missing Dependency: memcached = 1.2.8-1.el5 is needed by package memcached-selinux-1.2.8-1.el5.i386 (installed)
memcached-1.4.5-1.el5.i386 from /memcached-1.4.5-1.el5.i386 has depsolving problems
  --> Missing Dependency: libevent-1.4.so.2 is needed by package memcached-1.4.5-1.el5.i386 (/memcached-1.4.5-1.el5.i386)

Packages skipped because of dependency problems:
    memcached-1.4.5-1.el5.i386 from /memcached-1.4.5-1.el5.i386


# yum remove memcached-selinux
...
Removed:
  memcached-selinux.i386 0:1.2.8-1.el5


# yum localupdate memcached-1.4.5-1.el5.i386.rpm 
Setting up Local Package Process
Examining memcached-1.4.5-1.el5.i386.rpm: memcached-1.4.5-1.el5.i386
Marking memcached-1.4.5-1.el5.i386.rpm as an update to memcached-1.2.8-1.el5.i386
Resolving Dependencies
--> Running transaction check
---> Package memcached.i386 0:1.4.5-1.el5 set to be updated
--> Processing Dependency: libevent-1.4.so.2 for package: memcached
--> Finished Dependency Resolution
memcached-1.4.5-1.el5.i386 from /memcached-1.4.5-1.el5.i386 has depsolving problems
  --> Missing Dependency: libevent-1.4.so.2 is needed by package memcached-1.4.5-1.el5.i386 (/memcached-1.4.5-1.el5.i386)

Packages skipped because of dependency problems:
    memcached-1.4.5-1.el5.i386 from /memcached-1.4.5-1.el5.i386


EL5 has libevent-1.1a.so.1 but the package has been built against libevent-1.4.so.2 it seems...
Comment 4 Paul Lindner 2010-04-07 08:56:20 EDT
We're rebuilding for EL-5.5, which has libevent 1.4; sadly, there's no way to generate an RPM for EL-5.4 now...

See the big long thread over at https://bugzilla.redhat.com/show_bug.cgi?id=563985
Comment 5 Fedora Update System 2010-04-07 18:17:17 EDT
memcached-1.4.5-1.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update memcached'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/memcached-1.4.5-1.el5
Comment 6 Fedora Update System 2010-04-19 19:22:41 EDT
memcached-1.4.5-1.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update memcached'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/memcached-1.4.5-1.el5
Comment 7 Fedora Update System 2010-04-26 19:25:11 EDT
memcached-1.4.5-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.