Bug 590234 - mrepo avc failure
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Depends On: 590233
Reported: 2010-05-08 05:01 EDT by Need Real Name
Modified: 2010-05-11 13:44 EDT (History)
Last Closed: 2010-05-11 13:44:30 EDT
Description Need Real Name 2010-05-08 05:01:01 EDT
There is a bug in the mrepo init script that prevents it from working. See bug 

You need to comment out the first line in the start() function:

start() {
#    [ -x $exec ] || exit 5

Once that works, mrepo fails to start in enforcing mode. The following avc is given:

type=AVC msg=audit(1273309126.732:319): avc:  denied  { read } for  pid=1371 comm="mount" name="mrepo" dev=dm-2 ino=6347 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1273309126.732:319): arch=c000003e syscall=4 success=no exit=-13 a0=7fffee7b692c a1=7fffee7b45f0 a2=7fffee7b45f0 a3=7fffee7b4370 items=0 ppid=1370 pid=1371 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="mount" exe="/bin/mount" subj=unconfined_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1273309126.732:320): avc:  denied  { read } for  pid=1371 comm="mount" name="mrepo" dev=dm-2 ino=6347 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1273309126.732:320): arch=c000003e syscall=89 success=no exit=-13 a0=7fffee7b2550 a1=7fffee7b3560 a2=1000 a3=7fffee7b22b0 items=0 ppid=1370 pid=1371 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="mount" exe="/bin/mount" subj=unconfined_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1273309126.733:321): avc:  denied  { read } for  pid=1371 comm="mount" name="mrepo" dev=dm-2 ino=6347 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1273309126.733:321): arch=c000003e syscall=2 success=no exit=-13 a0=7f2d2af41880 a1=0 a2=7f2d2a365538 a3=7fffee7b3eb0 items=0 ppid=1370 pid=1371 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="mount" exe="/bin/mount" subj=unconfined_u:system_r:mount_t:s0 key=(null)

-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/mrepo
Comment 1 Daniel Walsh 2010-05-10 14:04:44 EDT
Do you have a symbolic link in /var/ that mount is trying to read?
Comment 2 Need Real Name 2010-05-11 12:58:33 EDT
Ah. Yes. Forgot about that.

mrepo -> /var/lib/libvirt/boot/

All isos in one place.
Comment 3 Daniel Walsh 2010-05-11 13:44:30 EDT
You can add the rule using audit2allow.

# grep var /var/log/audit/audit.log | audit2allow -M mymrepo
# semodule -i mymrepo.pp
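Before loading a module that audit2allow generates, it is worth seeing the rule it will produce: in this bug it is "allow mount_t var_t:lnk_file read;", which lets mount read every var_t-labelled symlink on the system, not only /var/lib/mrepo. The script below is an added example, not part of the bug or of the selinux-policy package: it reads audit records on stdin and emits the same kind of .te source that "audit2allow -M mymrepo" would write, so the rule can be reviewed first. The sample input is constructed from the AVC lines quoted in the description; the function name and the module name are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): derive a TE policy module source
# from AVC denial records, the way audit2allow -M does, so the resulting
# allow rule can be reviewed before "semodule -i" loads it.

# Constructed sample: the AVC and SYSCALL records quoted in this bug.
# Only "type=AVC ... denied" lines are used; SYSCALL records are ignored.
AVC_SAMPLE='type=AVC msg=audit(1273309126.732:319): avc:  denied  { read } for  pid=1371 comm="mount" name="mrepo" dev=dm-2 ino=6347 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1273309126.732:319): arch=c000003e syscall=4 success=no exit=-13 items=0 ppid=1370 pid=1371 comm="mount" exe="/bin/mount" subj=unconfined_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1273309126.732:320): avc:  denied  { read } for  pid=1371 comm="mount" name="mrepo" dev=dm-2 ino=6347 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=AVC msg=audit(1273309126.733:321): avc:  denied  { read } for  pid=1371 comm="mount" name="mrepo" dev=dm-2 ino=6347 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file'

# avc_to_te_module NAME
#   Reads audit records on stdin and prints a .te module source named NAME
#   (hypothetical helper): a "require" block listing every type and class
#   the rules reference, then one "allow" rule per (source type, target
#   type, class) with the union of the permissions that were denied.
avc_to_te_module() {
    name="${1:-mymrepo}"
    grep '^type=AVC ' | grep ' denied ' | awk -v module="$name" '
    # Format a permission list: "read" stays bare, several get braces.
    function fmt(s) { s = substr(s, 2); return index(s, " ") ? "{ " s " }" : s }
    {
        perms = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # Denied permissions sit between "{" and "}".
                for (j = i + 1; j <= NF && $j != "}"; j++) perms = perms " " $j
            } else if ($i ~ /^scontext=/) {
                split($i, s, ":"); src = s[3]      # user:role:TYPE:level
            } else if ($i ~ /^tcontext=/) {
                split($i, t, ":"); tgt = t[3]
            } else if ($i ~ /^tclass=/) {
                cls = substr($i, 8)
            }
        }
        key = src " " tgt ":" cls
        if (!(key in keys)) { keys[key] = 1; order[++nkeys] = key }
        if (!(src in types)) { types[src] = 1; torder[++ntypes] = src }
        if (!(tgt in types)) { types[tgt] = 1; torder[++ntypes] = tgt }
        if (!(cls in classes)) { classes[cls] = 1; corder[++nclasses] = cls }
        n = split(perms, p, " ")
        for (k = 1; k <= n; k++) {
            if (p[k] == "") continue
            # Identical denials (three here) collapse into one rule.
            if (!((key, p[k]) in seen)) {
                seen[key, p[k]] = 1; rule[key] = rule[key] " " p[k]
            }
            if (!((cls, p[k]) in cseen)) {
                cseen[cls, p[k]] = 1; cperm[cls] = cperm[cls] " " p[k]
            }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", module
        for (k = 1; k <= ntypes; k++) printf "\ttype %s;\n", torder[k]
        for (k = 1; k <= nclasses; k++)
            printf "\tclass %s %s;\n", corder[k], fmt(cperm[corder[k]])
        printf "}\n\n"
        for (k = 1; k <= nkeys; k++)
            printf "allow %s %s;\n", order[k], fmt(rule[order[k]])
    }'
}

# Usage: the same input the bug feeds to audit2allow, e.g.
#   grep var /var/log/audit/audit.log | avc_to_te_module mymrepo
printf '%s\n' "$AVC_SAMPLE" | avc_to_te_module mymrepo
```

The generated source can be compiled and loaded with checkmodule, semodule_package and semodule, which is what audit2allow -M does behind the scenes; the point of printing it first is to notice how wide the rule is (all var_t symlinks, for any mount_t process) and decide whether a broad allow is acceptable for this host or whether the symlink should be labelled differently instead.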
