Bug 590234 - mrepo avc failure
Summary: mrepo avc failure
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 590233
Blocks:
Reported: 2010-05-08 09:01 UTC by Need Real Name
Modified: 2010-05-11 17:44 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-05-11 17:44:30 UTC
Type: ---
Embargoed:



Description Need Real Name 2010-05-08 09:01:01 UTC
There is a bug in the mrepo init script that prevents it from working. See bug 

You need to comment out the first line in the start() function:

start() {
#    [ -x $exec ] || exit 5

Once that works, mrepo fails to start in enforcing mode. The following avc is given:

type=AVC msg=audit(1273309126.732:319): avc:  denied  { read } for  pid=1371 comm="mount" name="mrepo" dev=dm-2 ino=6347 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1273309126.732:319): arch=c000003e syscall=4 success=no exit=-13 a0=7fffee7b692c a1=7fffee7b45f0 a2=7fffee7b45f0 a3=7fffee7b4370 items=0 ppid=1370 pid=1371 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="mount" exe="/bin/mount" subj=unconfined_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1273309126.732:320): avc:  denied  { read } for  pid=1371 comm="mount" name="mrepo" dev=dm-2 ino=6347 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1273309126.732:320): arch=c000003e syscall=89 success=no exit=-13 a0=7fffee7b2550 a1=7fffee7b3560 a2=1000 a3=7fffee7b22b0 items=0 ppid=1370 pid=1371 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="mount" exe="/bin/mount" subj=unconfined_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1273309126.733:321): avc:  denied  { read } for  pid=1371 comm="mount" name="mrepo" dev=dm-2 ino=6347 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1273309126.733:321): arch=c000003e syscall=2 success=no exit=-13 a0=7f2d2af41880 a1=0 a2=7f2d2a365538 a3=7fffee7b3eb0 items=0 ppid=1370 pid=1371 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="mount" exe="/bin/mount" subj=unconfined_u:system_r:mount_t:s0 key=(null)

-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/mrepo

Comment 1 Daniel Walsh 2010-05-10 18:04:44 UTC
Do you have a symbolic link in /var/ that mount is trying to read?

Comment 2 Need Real Name 2010-05-11 16:58:33 UTC
Ah. Yes. Forgot about that.

mrepo -> /var/lib/libvirt/boot/

All isos in one place.

Comment 3 Daniel Walsh 2010-05-11 17:44:30 UTC
You can add the rule using audit2allow.

# grep var /var/log/audit/audit.log | audit2allow -M mymrepo
# semodule -i mymrepo.pp
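For readers who want to see what audit2allow derives from the denials above, here is an added example (not from the bug report or the selinux-policy project) that parses AVC records in the format shown in the description and collapses them into the allow rule audit2allow would emit. The sample log text is constructed from the bug's own lines.

```python
"""Derive audit2allow-style allow rules from SELinux AVC denial records."""
import re
from collections import defaultdict

# Constructed sample: two AVC records and one SYSCALL record, as in the bug.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1273309126.732:319): avc:  denied  { read } for  pid=1371 comm="mount" name="mrepo" dev=dm-2 ino=6347 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1273309126.732:319): arch=c000003e syscall=4 success=no exit=-13 comm="mount" exe="/bin/mount"
type=AVC msg=audit(1273309126.732:320): avc:  denied  { read } for  pid=1371 comm="mount" name="mrepo" dev=dm-2 ino=6347 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
"""

# Matches the permission set and the three context/class fields of an AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_avc_denials(log_text):
    """Return one dict per AVC denial: source type, target type, class, perms."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        denials.append({
            "stype": m.group("scontext").split(":")[2],  # e.g. mount_t
            "ttype": m.group("tcontext").split(":")[2],  # e.g. var_t
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return denials


def allow_rules(denials):
    """Merge denials into one allow rule per (source, target, class) triple.

    Note that such a rule grants mount_t read on every lnk_file labelled var_t,
    not just /var/mrepo, so confirm the target label is intended before loading it.
    """
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(parse_avc_denials(SAMPLE_AUDIT_LOG)):
        print(rule)  # allow mount_t var_t:lnk_file { read };
```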