Bug 532506 - gcj-dbtool: Permission denied (SELinux issue)
Summary: gcj-dbtool: Permission denied (SELinux issue)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-11-02 16:52 UTC by Andrew Overholt
Modified: 2009-12-23 14:16 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-23 14:16:54 UTC
Type: ---


Attachments (Terms of Use)

Description Andrew Overholt 2009-11-02 16:52:26 UTC
Description of problem:
gcj-dbtool can't run with SELinux = Enforcing

Version-Release number of selected component (if applicable):
$ getenforce
Enforcing
$ rpm -q selinux-policy
selinux-policy-3.6.32-35.fc12.noarch
$ rpm -qf `which gcj-dbtool`
libgcj-4.4.2-7.fc12.x86_64

How reproducible:
Always

Steps to Reproduce:
1. yum install swing-layout
  
Actual results:
[... here I'm removing it; the result is the same ...]
  Erasing        : swing-layout- 1.0.3-4.fc12.x86_64
/usr/bin/rebuild-gcj-db: line 6: /usr/bin/gcj-dbtool: Permission denied
/usr/bin/rebuild-gcj-db: line 6: /usr/bin/gcj-dbtool: Permission denied
dirname: missing operand
Try `dirname --help' for more information.
mkdir: missing operand
Try `mkdir --help' for more information.
/usr/bin/rebuild-gcj-db: line 13: /usr/bin/gcj-dbtool: Permission denied
xargs: /usr/bin/gcj-dbtool: Permission denied
/usr/bin/rebuild-gcj-db: line 6: /usr/bin/gcj-dbtool: Permission denied

If I setenforce=0 and re-run the above transaction, I get no errors.

Expected results:
No errors

Additional info:

I'm running SELinux = enforcing

See also:

https://www.redhat.com/archives/fedora-test-list/2009-November/msg00040.html

Comment 1 Adam Williamson 2009-11-02 16:58:53 UTC
I saw some rather similar messages when updating last night:

  Updating       : libgcj-4.4.2-7.fc12.x86_64                            16/220 
/var/tmp/rpm-tmp.e4hq6h: line 3: /usr/bin/gij: Permission denied

  Updating       : 1:openoffice.org-impress-core-3.1.1-19.14.fc12.x86    33/220 
/usr/lib64/openoffice.org3/program/unopkg: line 85: /usr/lib64/openoffice.org3/program/../basis-link/ure-link/bin/javaldx: Permission denied
  Updating       : 1:openoffice.org-presenter-screen-3.1.1-19.14.fc12    34/220 
/usr/lib64/openoffice.org3/program/unopkg: line 85: /usr/lib64/openoffice.org3/program/../basis-link/ure-link/bin/javaldx: Permission denied
/usr/lib64/openoffice.org/basis3.1/program/../ure-link/bin/uno: line 44: /usr/lib64/openoffice.org/basis3.1/program/../ure-link/bin/javaldx: Permission denied

  Updating       : 1:openoffice.org-draw-core-3.1.1-19.14.fc12.x86_64    56/220 
/usr/lib64/openoffice.org3/program/unopkg: line 85: /usr/lib64/openoffice.org3/program/../basis-link/ure-link/bin/javaldx: Permission denied
  Updating       : 1:openoffice.org-pdfimport-3.1.1-19.14.fc12.x86_64    57/220 
/usr/lib64/openoffice.org3/program/unopkg: line 85: /usr/lib64/openoffice.org3/program/../basis-link/ure-link/bin/javaldx: Permission denied
/usr/lib64/openoffice.org/basis3.1/program/../ure-link/bin/uno: line 44: /usr/lib64/openoffice.org/basis3.1/program/../ure-link/bin/javaldx: Permission denied

I notice that all the problematic commands seem to be Java-related...

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 2 Jakub Jelinek 2009-11-02 17:04:09 UTC
There have been no libjava/gcc-java related changes in the last few months and from what I've seen reported gij is properly labeled with java_exec_t, so I bet this is a selinux policy issue.

Comment 3 Adam Williamson 2009-11-02 17:07:44 UTC
despite what I said on the list (to assign this to the package with the problematic executables), on second thoughts I guess it's probably SELinux related...CCing Dan. Dan?

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 4 Adam Williamson 2009-11-02 17:07:54 UTC
heh, jinx!

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 5 Jakub Jelinek 2009-11-02 17:28:56 UTC
On F11 in F12 mock chroot latest gij shows:
[pid 24810] statfs("/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
[pid 24810] open("/tmp/ffibvudJI", O_RDWR|O_CREAT|O_EXCL, 0600) = 8
[pid 24810] unlink("/tmp/ffibvudJI")    = 0
[pid 24810] ftruncate(8, 4096)          = 0
[pid 24810] mmap(NULL, 4096, PROT_READ|PROT_EXEC, MAP_SHARED, 8, 0) = 0x7f5733419000
[pid 24810] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_SHARED, 8, 0) = 0x7f5733418000
which looks correct.  So, either something is wrong in the policy, or selinuxfs magic changed (or isn't mounted at /selinux).

Comment 6 Daniel Walsh 2009-11-02 17:48:32 UTC
I just tried both updates and I am seeing neither problem.

rpm -q selinux-policy
selinux-policy-3.6.32-38.fc12.noarch


What policy are you trying this with?

Comment 7 Adam Williamson 2009-11-02 18:11:59 UTC
I was on selinux-policy-3.6.32-35.fc12.noarch . Neither 36, 37 nor 38 has been tagged for F12 final, so none of them is in the F12 repos at present. If you think these builds should be in F12 final, you should file a tag request...ah, I see there's one for 37 - https://fedorahosted.org/rel-eng/ticket/2916 - but it hasn't been accepted yet.

I've updated to 38, I'll stick some feedback on the tag request later. Would you expect this to have been broken in 35 and fixed by one of the changes since?

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 8 Daniel Walsh 2009-11-02 18:51:36 UTC
No, but I just wanted to see why it does not happen on my machine.

yum reinstall swing-layout

Comment 9 Adam Williamson 2009-11-02 19:07:07 UTC
[root@adam Fedora]# yum reinstall swing-layout
Loaded plugins: dellsysidplugin2, fastestmirror, presto, refresh-packagekit
Setting up Reinstall Process
Loading mirror speeds from cached hostfile
 * rawhide: mirrors.tummy.com
 * rpmfusion-free-rawhide: mirrors.tummy.com
 * rpmfusion-nonfree-rawhide: mirrors.tummy.com
No Match for argument: swing-layout
Package(s) swing-layout available, but not installed.
Nothing to do
[root@adam Fedora]# rpm -q swing-layout
package swing-layout is not installed

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 10 Daniel Walsh 2009-11-02 19:11:04 UTC
Try

yum install swing-layout

Comment 11 Adam Williamson 2009-11-02 19:19:01 UTC
oh, sorry, now I see what you're trying to do, that was the OP's reproduction case. trying...

that completed with no errors. I'm running selinux-policy -38 now, and I've rebooted since I had my problems with openoffice.org-related components (see my comment).

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 12 Bug Zapper 2009-11-16 14:53:59 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping


Note You need to log in before you can comment on or make changes to this bug.