Bug 487570 - selinux denial to updatedb for sagator
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: sagator
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Jan ONDREJ
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-02-26 13:58 EST by stanl
Modified: 2009-03-19 05:59 EDT
Doc Type: Bug Fix
Last Closed: 2009-03-19 05:59:19 EDT
Description stanl 2009-02-26 13:58:27 EST
Description of problem:
SELinux is preventing updatedb (locate_t) "getattr" to /usr/share/sagator
(sagator_t).


Version-Release number of selected component (if applicable):
see below

How reproducible:
Has only happened today since running ./autorelabel on reboot yesterday.
Could be related to this bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=486685


Steps to Reproduce:
1. Not sure, probably related to the workaround I used to update sagator
Actual results:
Error below


Expected results:
no errors


Additional info:

Summary:

SELinux is preventing updatedb (locate_t) "getattr" to /usr/share/sagator
(sagator_t).

Detailed Description:

SELinux denied access requested by updatedb. It is not expected that this access
is required by updatedb and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /usr/share/sagator,

restorecon -v '/usr/share/sagator'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sagator_t:s0
Target Objects                /usr/share/sagator [ dir ]
Source                        updatedb
Source Path                   /usr/bin/updatedb
Port                          <Unknown>
Host                          fedora10.sata1
Source RPM Packages           mlocate-0.21.1-1
Target RPM Packages           sagator-core-1.1.1-1.fc10
Policy RPM                    selinux-policy-3.5.13-46.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     fedora10.sata1
Platform                      Linux fedora10.sata1
                              2.6.27.19-170.2.35.fc10.x86_64 #1 SMP Mon Feb 23
                              13:00:23 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 26 Feb 2009 04:19:27 AM MST
Last Seen                     Thu 26 Feb 2009 04:19:27 AM MST
Local ID                      426f3de5-58b5-44ee-960e-be069add3528

Raw Audit Messages            

node=fedora10.sata1 type=AVC msg=audit(1235647167.100:13309): avc:  denied  { getattr } for  pid=16332 comm="updatedb" path="/usr/share/sagator" dev=sda6 ino=3050510 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sagator_t:s0 tclass=dir

node=fedora10.sata1 type=SYSCALL msg=audit(1235647167.100:13309): arch=c000003e syscall=6 success=no exit=-13 a0=1c6a4e9 a1=7fff37c16ca0 a2=7fff37c16ca0 a3=1c604e0 items=0 ppid=16326 pid=16332 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2482 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)
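As an added example (not code from the report or from the sagator project), the following parses the two audit records quoted above into the fields the setroubleshoot summary is derived from, decodes the syscall result, and prints the allow rule a local policy module would need if restorecon does not fix the label. The records are embedded as sample input; the syscall table is an assumption covering only the few x86_64 numbers this case needs.

```python
import errno
import re
from dataclasses import dataclass

# Sample input: the two audit records quoted in the report, embedded so this runs offline.
AVC_LINE = ('node=fedora10.sata1 type=AVC msg=audit(1235647167.100:13309): avc:  denied  '
            '{ getattr } for  pid=16332 comm="updatedb" path="/usr/share/sagator" dev=sda6 ino=3050510 '
            'scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sagator_t:s0 tclass=dir')
SYSCALL_LINE = ('node=fedora10.sata1 type=SYSCALL msg=audit(1235647167.100:13309): arch=c000003e '
                'syscall=6 success=no exit=-13 pid=16332 comm="updatedb" exe="/usr/bin/updatedb"')

_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value pairs, values optionally quoted
X86_64_SYSCALLS = {4: 'stat', 5: 'fstat', 6: 'lstat'}  # assumed subset for arch=c000003e only

@dataclass
class AvcDenial:
    perms: list          # permissions denied, e.g. ['getattr']
    comm: str            # command name of the subject process
    path: str            # object path, when the kernel recorded one
    source_type: str     # SELinux type of the process (third field of scontext)
    target_type: str     # SELinux type of the object (third field of tcontext)
    tclass: str          # object class, e.g. 'dir'

def _fields(text):
    return {k: v.strip('"') for k, v in _KV_RE.findall(text)}

def parse_avc(line):
    """Return an AvcDenial for one type=AVC record, or None if it is not a denial."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    f = _fields(m.group('rest'))
    return AvcDenial(perms=m.group('perms').split(), comm=f.get('comm', ''),
                     path=f.get('path', ''), source_type=f['scontext'].split(':')[2],
                     target_type=f['tcontext'].split(':')[2], tclass=f['tclass'])

def decode_syscall(line):
    """Name the syscall and errno from the matching type=SYSCALL record (x86_64 only here)."""
    f = _fields(line)
    arch = 'x86_64' if f.get('arch') == 'c000003e' else f.get('arch', '?')
    code = max(0, -int(f['exit']))                   # negative exit is -errno
    return {'arch': arch, 'syscall': X86_64_SYSCALLS.get(int(f['syscall']), f['syscall']),
            'errno': errno.errorcode.get(code, str(code))}

def allow_rule(d):
    """TE rule a local policy module would need (the form audit2allow prints); try restorecon first."""
    perms = d.perms[0] if len(d.perms) == 1 else '{ ' + ' '.join(d.perms) + ' }'
    return f'allow {d.source_type} {d.target_type}:{d.tclass} {perms};'
```

For the report's records this yields an lstat() that failed with EACCES and the rule `allow locate_t sagator_t:dir getattr;`, which is exactly the access the summary at the top of the report describes.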
Comment 1 Jan ONDREJ 2009-02-27 08:36:39 EST
I can't reproduce this on my system, trying to run "updatedb" manually, but still no audit messages in dmesg/audit.log.

Maybe it's possible to avoid this by removing the sagator-selinux package, but it will run sagator without selinux protection.

There are also more problems with the current selinux policy and sagator's policy. The whole policy should be updated.
Comment 2 stanl 2009-02-27 13:49:42 EST
Your finding is interesting, because the error has not repeated today. The system has had no selinux policy updates since the last one in updates-testing, and I have not run any selinux commands.

It seems to have self-corrected. If that changes, I'll update the ticket, but for now it seems to be fine.
Comment 3 Jan ONDREJ 2009-03-19 05:59:19 EDT
This bug is fixed upstream in sagator-1.2.0, but it's not easy to implement this in Fedora 10.

But I am seeing that updatedb is running on my Fedora 10 box as unconfined_t, which can access sagator_*_t files, so there is no problem in current releases.

Closing this bug. Reopen it if you still have problems.