Bug 492552 - SELinux is preventing dccproc (dcc_client_t)
SELinux is preventing dccproc (dcc_client_t)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
10
All Linux
low Severity high
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-03-27 08:23 EDT by Eddie Lania
Modified: 2009-06-08 08:41 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-06-08 08:41:38 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Eddie Lania 2009-03-27 08:23:47 EDT
Description of problem: setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "read write" to ./map (var_lib_t). For complete SELinux messages. run sealert -l f494a200-6ff8-4dc0-9ed1-c486cd437d0e
Mar 27 13:20:56 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "getattr" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 03fb9e23-0db5-4cf8-bfdf-635f0ce29b0e
Mar 27 13:20:56 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "lock" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 24d61ef4-6871-4f09-8129-750c0660cb1e


Version-Release number of selected component (if applicable):
selinux-policy-3.5.13-53.fc10.noarch
libselinux-2.0.78-1.fc10.i386
libselinux-utils-2.0.78-1.fc10.i386
libselinux-python-2.0.78-1.fc10.i386
selinux-policy-targeted-3.5.13-53.fc10.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:
DDC not alowed by SELinux

Expected results:
DDC working properly.

Additional info:
Comment 1 Daniel Walsh 2009-03-27 08:55:11 EDT
Miroslav please add

/var/lib/dcc(/.*)?			gen_context(system_u:object_r:dcc_var_t,s0

Eddie, if you add this context until we get updated policy your app should work

chcon -R -t dcc_var_t /var/lib/dcc
Comment 2 Eddie Lania 2009-03-29 15:55:49 EDT
I did what you said. But I am still seeing these messages:

Mar 29 04:51:49 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "write" to ./map (dcc_var_t). For complete SELinux messages. run sealert -l 5b6b2eb4-3ea6-4e09-a620-2e3dc660d654
Mar 29 05:10:03 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "write" to ./map (dcc_var_t). For complete SELinux messages. run sealert -l 5b6b2eb4-3ea6-4e09-a620-2e3dc660d654
Mar 29 07:08:40 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "write" to ./map (dcc_var_t). For complete SELinux messages. run sealert -l 5b6b2eb4-3ea6-4e09-a620-2e3dc660d654
Mar 29 10:02:30 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "write" to ./map (dcc_var_t). For complete SELinux messages. run sealert -l 5b6b2eb4-3ea6-4e09-a620-2e3dc660d654
Mar 29 13:06:54 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "write" to ./map (dcc_var_t). For complete SELinux messages. run sealert -l 5b6b2eb4-3ea6-4e09-a620-2e3dc660d654
Mar 29 16:02:29 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "write" to ./map (dcc_var_t). For complete SELinux messages. run sealert -l 5b6b2eb4-3ea6-4e09-a620-2e3dc660d654
Mar 29 18:01:51 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "write" to ./map (dcc_var_t). For complete SELinux messages. run sealert -l 5b6b2eb4-3ea6-4e09-a620-2e3dc660d654
Mar 29 21:38:10 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "write" to ./map (dcc_var_t). For complete SELinux messages. run sealert -l 5b6b2eb4-3ea6-4e09-a620-2e3dc660d654
Comment 3 Miroslav Grepl 2009-03-30 07:53:51 EDT
Dan, 
probably we should also add

manage_dirs_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
manage_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
Comment 4 Daniel Walsh 2009-03-30 10:28:25 EDT
The only question I have is whether this access is needed or is the a leaked file descriptor?  Is this a fedora package?  dcc_client?
Comment 5 Eddie Lania 2009-03-30 13:02:34 EDT
Sorry, my bad, it is not. However it used to be in the past.

DCC is used for spamfiltering although it is by default disabled in spamassassin:

/etc/mail/spamassassin/v310.pre:

# DCC - perform DCC message checks.
#
# DCC is disabled here because it is not open source.  See the DCC
# license for more details.
#
#loadplugin Mail::SpamAssassin::Plugin::DCC


It is however a great addition to spamassassin and thatswhy I downloaded and compiled the dcc package and enabled it to be used by spamassassin.

Is that a problem?

Regards,

Eddie.
Comment 6 Daniel Walsh 2009-03-30 13:21:03 EDT
No this is not a problem, I just do not know if the dcc_client needs to be able to read/write the map file or this is just the service leaking an open file descriptor.  (I actually know almost nothing about dcc.)
Comment 7 Eddie Lania 2009-03-30 13:32:37 EDT
As far as i can tell, it should be read/writable

It is used to map the dcc servers and regularly updated by the tool itself.
Comment 8 Eddie Lania 2009-03-30 13:43:19 EDT
From the dcc homepage: http://www.dcc-servers.net/dcc/


DCC clients pick the nearest working DCC server using a small shared or
     memory mapped file, /var/lib//dcc/map.  It contains server names, port num-
     bers, passwords, recent performance measures, and so forth.  This file
     allows clients to use quick retransmission timeouts and to waste little
     time on servers that have temporarily stopped working or become unreach-
     able.  The utility program cdcc(8) is used to maintain this file as well
     as to check the health of servers.

Cdcc is used to clear, control, and query the control file used by Dis-
     tributed Checksum Clearinghouse clients such as dccm(8).  The host names,
     UDP port numbers, IDs, and passwords local clients use to talk to servers
     as well as IP addresses, round trip times, and other information are con-
     tained in the map file.  While cdcc is set-UID, it uses the real UID only
     when accessing the map file.  It refuses to display sensitive information
     such as passwords unless the real UID is the same as the effective UID.
     Note that cdcc needs to be set to a UID that can read and write the map
     file, but that UID need not be 0.
Comment 9 Daniel Walsh 2009-03-30 14:05:43 EDT
Ok are there any other files in that directory, That the client should not be able to write?
Comment 10 Eddie Lania 2009-03-30 14:40:35 EDT
(In reply to comment #9)
> Ok are there any other files in that directory, That the client should not be
> able to write?  

The ./map file seems to be the only file that needs to be accessed by the client.

[root@ls2ka dcc]# ls -lisa
total 80
1677159 4 drwxr-xr-x  5 root bin  4096 2009-03-02 11:31 .
1267282 4 drwxr-xr-x 48 root root 4096 2009-03-17 19:49 ..
1677203 4 drwxr-xr-x  3 root root 4096 2009-03-02 11:31 build
1677192 4 drwxr-xr-x  2 root bin  4096 2009-03-02 11:31 cgi-bin
1677161 8 -rw-r--r--  1 root bin  5452 2009-03-02 11:28 dcc_conf
1677158 8 -rw-r--r--  1 root root 5452 2009-03-02 11:31 dcc_conf-new
1677162 4 -rw-r--r--  1 root bin   797 2009-03-02 11:28 flod
1677163 4 -rw-r--r--  1 root bin   427 2009-03-02 11:28 grey_flod
1677165 4 -rw-r--r--  1 root bin   496 2009-03-02 11:28 grey_whitelist
1677168 4 -rw-------  1 root root 2430 2009-03-02 11:28 ids
1677160 4 drwx--x---  2 root bin  4096 2009-03-02 11:28 log
1677169 8 -rw-------  1 root root 7564 2009-03-30 20:35 map
1677170 4 -rw-------  1 root root  403 2009-03-02 11:28 map.txt
1677166 8 -rw-r--r--  1 root bin  4138 2009-03-02 11:28 whiteclnt
1677167 4 -rw-r--r--  1 root bin  1667 2009-03-02 11:28 whitecommon
1677164 4 -rw-r--r--  1 root bin   864 2009-03-02 11:28 whitelist
[root@ls2ka dcc]# pwd
/var/lib/dcc
Comment 11 Miroslav Grepl 2009-04-03 09:58:41 EDT
Eddie, 

could you also try to execute

# chcon -t dcc_client_map_t /var/lib/dcc/map


It should work.
Comment 12 Eddie Lania 2009-04-06 04:27:02 EDT
Yes, I believe it works.
Comment 13 Miroslav Grepl 2009-04-07 09:32:03 EDT
Fixed in selinux-policy-3.5.13-55.fc10
Comment 14 Eddie Lania 2009-06-06 03:46:20 EDT
close bug?

Note You need to log in before you can comment on or make changes to this bug.