Bug 605362 - SELinux is preventing /usr/bin/updatedb "getattr" access on /var/named/chroot/var/named/chroot/dev/random.
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:8594ff2eb1c...
Depends On:
Reported: 2010-06-17 18:05 UTC by arth
Modified: 2010-06-19 01:43 UTC (History)

Clone Of:
Last Closed: 2010-06-18 09:04:54 UTC


Description arth 2010-06-17 18:05:38 UTC

SELinux is preventing /usr/bin/updatedb "getattr" access on

Detailed Description:

SELinux denied access requested by updatedb. It is not expected that this access
is required by updatedb and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug

Additional Information:

Source Context                system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:named_zone_t:s0
Target Objects                /var/named/chroot/var/named/chroot/dev/random [
                              chr_file ]
Source                        updatedb
Source Path                   /usr/bin/updatedb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mlocate-0.22.2-2.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-116.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) #1 SMP
                              Fri May 28 04:30:39 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 17 Jun 2010 03:15:58 AM EDT
Last Seen                     Thu 17 Jun 2010 03:15:58 AM EDT
Local ID                      4b85881d-672b-4dfd-ac8a-3faa7c2c5d59
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1276758958.483:60402): avc:  denied  { getattr } for  pid=4078 comm="updatedb" path="/var/named/chroot/var/named/chroot/dev/random" dev=sda3 ino=23529858 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:named_zone_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1276758958.483:60402): arch=c000003e syscall=6 success=no exit=-13 a0=7d3bf9 a1=7fffaaebef20 a2=7fffaaebef20 a3=8028 items=0 ppid=4072 pid=4078 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=321 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  catchall,updatedb,locate_t,named_zone_t,chr_file,getattr
audit2allow suggests:

#============= locate_t ==============
#!!!! This avc is allowed in the current policy

allow locate_t named_zone_t:chr_file getattr;

Comment 1 arth 2010-06-17 18:09:48 UTC
(Please ignore the '!!!! This avc is allowed...' above -- that's due to a local rule allowing it which was inserted before running selinux-troubleshooter)

The problem occurs when having the mlocate package installed at the same time as the bind-chroot package.

Comment 2 Miroslav Grepl 2010-06-18 09:04:54 UTC
You need to do the following commands

# semanage fcontext -a -e /var/named/chroot /var/named/chroot/var/named/chroot
# restorecon -R -v /var/named/chroot/var/named/

This will tell SELinux to label everything under /var/named/chroot/var/named/chroot as if it was under /var/named/chroot/.

Comment 3 arth 2010-06-19 01:43:23 UTC
Miroslav:  That won't help.

/etc/selinux/targeted/context/files/file_contexts has the following rules:

/var/named/chroot/var/named(/.*)?       system_u:object_r:named_zone_t:s0
/var/named/chroot/dev/random    -c      system_u:object_r:random_device_t:s0

Since this is /var/named/chroot/var/named/chroot/dev/random, the first rule gets applied, which is why the file becomes named_zone_t instead of random_device_t.

The reason why it's /var/named/chroot/var/named/chroot/dev/random and not /var/named/chroot/dev/random as the selinux context rules expect, is because it's an upgrade from F10->F11->F2, and has a backwards pointing symlink that the F12 upgrade of bind-chroot followed.

In case someone else stumbles upon the same, the correct fix is to remove the symlink and move the subdirectories to where they are expected now (or mknod the /var/named/chroot/dev/* devices manually in the right place).
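To make the labeling behaviour behind Comment 2 and Comment 3 concrete, here is a small Python model of file_contexts matching; it is an added example, not libselinux code or anything from this bug. It assumes a simplified lookup: the two entries quoted above, each regex anchored to the full path, the "-c" field restricting an entry to character devices, and a prefix substitution of the kind "semanage fcontext -e" records; it returns the last matching entry, which is immaterial here because only one entry matches each path.

```python
import re

# The two entries quoted from /etc/selinux/targeted/contexts/files/file_contexts
# (optional file-type field, e.g. "-c" = character device only).
FILE_CONTEXTS = """\
/var/named/chroot/var/named(/.*)?       system_u:object_r:named_zone_t:s0
/var/named/chroot/dev/random    -c      system_u:object_r:random_device_t:s0
"""

TYPE_FLAGS = {"-b", "-c", "-d", "-p", "-l", "-s", "--"}

def parse_file_contexts(text):
    """Return a list of (compiled_regex, type_flag_or_None, context)."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        ftype = parts[1] if len(parts) == 3 and parts[1] in TYPE_FLAGS else None
        # libselinux anchors each regex so it must match the whole path.
        rules.append((re.compile("^" + parts[0] + "$"), ftype, parts[-1]))
    return rules

def apply_subs(path, subs):
    """Apply a path equivalence (alias_prefix -> target_prefix), as created by
    'semanage fcontext -a -e TARGET ALIAS'. Simplified: first matching prefix wins."""
    for alias, target in subs:
        if path == alias or path.startswith(alias + "/"):
            return target + path[len(alias):]
    return path

def lookup(path, rules, ftype=None, subs=()):
    """Simplified label lookup: substitute the path, then take the last matching
    entry whose type field (if any) agrees. None means no entry matched."""
    path = apply_subs(path, subs)
    match = None
    for regex, rule_type, context in rules:
        if rule_type is not None and ftype is not None and rule_type != ftype:
            continue
        if regex.match(path):
            match = context
    return match

RULES = parse_file_contexts(FILE_CONTEXTS)
NESTED = "/var/named/chroot/var/named/chroot/dev/random"  # path from the AVC

def label_without_equivalence():
    # The bug: the named(/.*)? entry swallows the nested chroot path.
    return lookup(NESTED, RULES, ftype="-c")

def label_with_equivalence():
    # The equivalence from Comment 2 rewrites the path before matching.
    subs = [("/var/named/chroot/var/named/chroot", "/var/named/chroot")]
    return lookup(NESTED, RULES, ftype="-c", subs=subs)
```

Moving the device back to /var/named/chroot/dev/random, as Comment 3 suggests, gives the same result as the substitution because the rewritten path is exactly that one.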
