Bug 663584 - SELinux is preventing mysql_indexes from unix_read, unix_write access on the semaphore Unknown.
Summary: SELinux is preventing mysql_indexes from unix_read, unix_write access on the ...
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:988f2769f14...
Depends On:
Blocks: 663623
TreeView+ depends on / blocked
 
Reported: 2010-12-16 09:47 UTC by Matthias Runge
Modified: 2011-05-26 20:26 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
: 663623 (view as bug list)
Environment:
Last Closed: 2011-05-26 20:26:49 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Matthias Runge 2010-12-16 09:47:46 UTC
SELinux is preventing mysql_indexes from unix_read, unix_write access on the semaphore Unknown.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mysql_indexes should be allowed unix_read unix_write access on the Unknown sem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mysql_indexes /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:services_munin_plugin_t:s0
Target Context                unconfined_u:system_r:services_munin_plugin_t:s0
Target Objects                Unknown [ sem ]
Source                        mysql_indexes
Source Path                   mysql_indexes
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-16.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.35.9-64.fc14.x86_64 #1 SMP Fri Dec 3 12:19:41
                              UTC 2010 x86_64 x86_64
Alert Count                   28
First Seen                    Thu 16 Dec 2010 10:40:05 CET
Last Seen                     Thu 16 Dec 2010 10:45:06 CET
Local ID                      b91c66b9-7afb-4de8-a0ce-f98011fcb75c

Raw Audit Messages
type=AVC msg=audit(1292492706.386:45854): avc:  denied  { unix_read unix_write } for  pid=9317 comm="mysql_tmp_table" key=1667461225  scontext=unconfined_u:system_r:services_munin_plugin_t:s0 tcontext=unconfined_u:system_r:services_munin_plugin_t:s0 tclass=sem

mysql_indexes,services_munin_plugin_t,services_munin_plugin_t,sem,unix_read,unix_write

#============= services_munin_plugin_t ==============
allow services_munin_plugin_t self:sem { unix_read unix_write };


Sadly, the proposed solution:

You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep mysql_indexes /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

does not fix the issue.

Comment 1 Matthias Runge 2010-12-16 10:04:05 UTC
The solution was proposed from new setroubleshoot-applet.

grep mysql_indexes /var/log/audit.... is empty. 

(the bug is: setroubleshoot applet suggests a solution, which does not fix the issue)

Comment 2 Miroslav Grepl 2010-12-16 12:40:24 UTC
Matthias, 
could you execute

# semanage permissive -a services_munin_plugin_t

and see if you get other avc messsages.

Comment 3 Daniel Walsh 2010-12-16 14:26:53 UTC
Mattieas, can you see if your audit.log rolled.

# grep mysql_indexes /var/log/audit/audit.log* | audit2allow -M mypol

Comment 4 Matthias Runge 2010-12-16 14:41:25 UTC
(In reply to comment #2)
> Matthias, 
> could you execute
> 
> # semanage permissive -a services_munin_plugin_t
> 
> and see if you get other avc messsages.

After executing semanage..
SELinux is preventing /usr/bin/perl from 'read, write' accesses on the semaphore Unknown.

Plugin: catchall 
you want to allow perl to have read write access on the Unknown semIf you believe that perl should be allowed read write access on the Unknown sem by default.
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep /usr/bin/perl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Comment 5 Matthias Runge 2010-12-16 14:51:08 UTC
I'll do now the grep Daniel suggested. 

audit.log get's those entries:

mypol.te:

module mypol 1.0;

require {
        type unconfined_t;
        type services_munin_plugin_t;
        type user_tmpfs_t;
        type tmpfs_t;
        class sem { write associate read create unix_read unix_write };
        class shm { unix_read associate read write getattr unix_write };
        class file { read write };
}

#============= services_munin_plugin_t ==============
allow services_munin_plugin_t self:sem { read write };
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t self:sem { unix_read create unix_write associate };
allow services_munin_plugin_t self:shm { write unix_read getattr unix_write associate read };
allow services_munin_plugin_t tmpfs_t:file { read write };
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t unconfined_t:sem { unix_read read write unix_write associate };
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t unconfined_t:shm { write unix_read getattr unix_write associate read };
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t user_tmpfs_t:file { read write };



Executing 
# grep /usr/bin/perl /var/log/audit/audit.log | audit2allow -M mypol
compilation failed:
mypol.te:6:ERROR 'syntax error' at token '' on line 6:

/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from mypol.te

results in this error :-/

[root@mrungexp ~]# rpm -q policycoreutils-python
policycoreutils-python-2.0.83-33.5.fc14.x86_64

Comment 6 Miroslav Grepl 2010-12-16 15:36:21 UTC
Matthias,
do you know which mysql munin plugin causes these AVC?


I am trying to build this policy using

# make -f /usr/share/selinux/devel/Makefile

and works fine. 

# cat mypol.te
module mypol 1.0;

require {
        type unconfined_t;
        type services_munin_plugin_t;
        type user_tmpfs_t;
        type tmpfs_t;
        class sem { write associate read create unix_read unix_write };
        class shm { unix_read associate read write getattr unix_write };
        class file { read write };
}

#============= services_munin_plugin_t ==============
allow services_munin_plugin_t self:sem { read write };
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t self:sem { unix_read create unix_write associate
};
allow services_munin_plugin_t self:shm { write unix_read getattr unix_write
associate read };
allow services_munin_plugin_t tmpfs_t:file { read write };
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t unconfined_t:sem { unix_read read write
unix_write associate };
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t unconfined_t:shm { write unix_read getattr
unix_write associate read };
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t user_tmpfs_t:file { read write };




# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypol.pp


Note You need to log in before you can comment on or make changes to this bug.