Bug 663623 - SELinux is preventing mysql_indexes from unix_read, unix_write access on the semaphore Unknown.
Summary: SELinux is preventing mysql_indexes from unix_read, unix_write access on the ...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: setroubleshoot-plugins
Version: 14
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:988f2769f14...
Depends On: 663584
Blocks:
 
Reported: 2010-12-16 12:39 UTC by Miroslav Grepl
Modified: 2012-07-27 13:21 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 663584
Environment:
Last Closed: 2012-07-27 13:21:44 UTC
Type: ---
Embargoed:



Description Miroslav Grepl 2010-12-16 12:39:09 UTC
+++ This bug was initially created as a clone of Bug #663584 +++

SELinux is preventing mysql_indexes from unix_read, unix_write access on the semaphore Unknown.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mysql_indexes should be allowed unix_read unix_write access on the Unknown sem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mysql_indexes /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:services_munin_plugin_t:s0
Target Context                unconfined_u:system_r:services_munin_plugin_t:s0
Target Objects                Unknown [ sem ]
Source                        mysql_indexes
Source Path                   mysql_indexes
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-16.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.35.9-64.fc14.x86_64 #1 SMP Fri Dec 3 12:19:41
                              UTC 2010 x86_64 x86_64
Alert Count                   28
First Seen                    Thu 16 Dec 2010 10:40:05 CET
Last Seen                     Thu 16 Dec 2010 10:45:06 CET
Local ID                      b91c66b9-7afb-4de8-a0ce-f98011fcb75c

Raw Audit Messages
type=AVC msg=audit(1292492706.386:45854): avc:  denied  { unix_read unix_write } for  pid=9317 comm="mysql_tmp_table" key=1667461225  scontext=unconfined_u:system_r:services_munin_plugin_t:s0 tcontext=unconfined_u:system_r:services_munin_plugin_t:s0 tclass=sem

mysql_indexes,services_munin_plugin_t,services_munin_plugin_t,sem,unix_read,unix_write

#============= services_munin_plugin_t ==============
allow services_munin_plugin_t self:sem { unix_read unix_write };


Sadly, the proposed solution:

You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep mysql_indexes /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

does not fix the issue.

--- Additional comment from mrunge on 2010-12-16 05:04:05 EST ---

The solution was proposed from new setroubleshoot-applet.

grep mysql_indexes /var/log/audit.... is empty. 

(the bug is: setroubleshoot applet suggests a solution, which does not fix the issue)

Comment 1 Daniel Walsh 2010-12-16 14:38:26 UTC
See if your audit.log has rolled.

# grep mysql_indexes /var/log/audit/audit.log* | audit2allow -M mypol

Maybe a better solution would be 

ausearch -m avc -se mysql_indexes | audit2allow -M mypol

Comment 2 Matthias Runge 2010-12-16 14:53:53 UTC
[root@mrungexp ~]# ausearch -m avc -se mysql_indexes | audit2allow -M mypol
<no matches>
compilation failed:
mypol.te:6:ERROR 'syntax error' at token '' on line 6:


/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from mypol.te

Asking myself if something else is broken right now.
[root@mrungexp ~]# rpm -q audit
audit-2.0.4-4.fc14.x86_64

Comment 3 Daniel Walsh 2010-12-16 15:04:07 UTC
One more try

ausearch -m avc -se services_munin_plugin_t  | audit2allow -M mypol

Comment 4 Matthias Runge 2010-12-17 10:59:06 UTC
[root@mrungexp ~]# ausearch -m avc -se services_munin_plugin_t | audit2allow -m mypol

module mypol 1.0;

require {
	type unconfined_t;
	type services_munin_plugin_t;
	type cupsd_rw_etc_t;
	type user_tmpfs_t;
	type tmpfs_t;
	class sem { write associate read create unix_read unix_write };
	class shm { unix_read associate read create write getattr unix_write };
	class file { read write open };
}

#============= services_munin_plugin_t ==============
allow services_munin_plugin_t cupsd_rw_etc_t:file { read open };
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t self:sem { write unix_read unix_write associate read create };
allow services_munin_plugin_t self:shm create;
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t self:shm { unix_read write getattr unix_write associate read };
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t tmpfs_t:file { read write };
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t unconfined_t:sem { unix_read read write unix_write associate };
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t unconfined_t:shm { write unix_read getattr unix_write associate read };
#!!!! This avc is allowed in the current policy

allow services_munin_plugin_t user_tmpfs_t:file { read write };



After applying the resulting policy, it looks like those errors are gone now. 
Thank you!

I think this can be closed; I'm not sure if this is a local config error or if it can be reproduced on other systems.
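Comments 1 through 4 hinge on how the denial record is selected. The raw AVC in the description carries comm="mysql_tmp_table", so `grep mysql_indexes` over audit.log matches nothing, and `ausearch -se` filters on the SELinux source context rather than on the process name, so `-se mysql_indexes` also finds nothing while `-se services_munin_plugin_t` finds every denial for that domain. The following Python script is an added example, not part of this bug report and not code from the audit or setroubleshoot tools: it embeds a small audit log (the one AVC line quoted in the description plus constructed records, marked as such), reproduces the three selections, and merges the matches into audit2allow-style allow rules. The function names and the constructed log lines are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log: the first AVC line is the one quoted in this bug report;
# the SYSCALL line and the remaining AVC lines are constructed for the example.
SAMPLE_AUDIT_LOG = '''\
type=SYSCALL msg=audit(1292492706.386:45854): arch=c000003e syscall=64 success=no exit=-13 comm="mysql_tmp_table"
type=AVC msg=audit(1292492706.386:45854): avc:  denied  { unix_read unix_write } for  pid=9317 comm="mysql_tmp_table" key=1667461225  scontext=unconfined_u:system_r:services_munin_plugin_t:s0 tcontext=unconfined_u:system_r:services_munin_plugin_t:s0 tclass=sem
type=AVC msg=audit(1292492710.000:45860): avc:  denied  { read write } for  pid=9320 comm="mysql_tmp_table" key=1667461226  scontext=unconfined_u:system_r:services_munin_plugin_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=shm
type=AVC msg=audit(1292492720.000:45870): avc:  denied  { getattr } for  pid=2000 comm="httpd" path="/srv/www/index.html" dev=sda1 ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
'''

# Shape of a kernel AVC denial: "avc: denied { perms } for key=value ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"raw": line, "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context reads user:role:type:level; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def parse_log(text):
    """Parse every line, keeping only AVC denials."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def grep_lines(records, needle):
    """What `grep <needle> audit.log` does: substring match on the raw line."""
    return [r for r in records if needle in r["raw"]]


def by_source_type(records, type_name):
    """What `ausearch -m avc -se <type>` does: match on the source SELinux type."""
    return [r for r in records if r["stype"] == type_name]


def to_allow_rules(records):
    """Merge denials into audit2allow-style rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for r in records:
        # audit2allow writes the target as "self" when source and target types agree.
        target = "self" if r["ttype"] == r["stype"] else r["ttype"]
        merged[(r["stype"], target, r["tclass"])].update(r["perms"])
    rules = []
    for (stype, target, tclass), perms in sorted(merged.items()):
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {stype} {target}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    print("grep mysql_indexes     ->", len(grep_lines(recs, "mysql_indexes")), "records")
    print("-se mysql_indexes      ->", len(by_source_type(recs, "mysql_indexes")), "records")
    munin = by_source_type(recs, "services_munin_plugin_t")
    print("-se services_munin_plugin_t ->", len(munin), "records")
    for rule in to_allow_rules(munin):
        print(rule)
```

The merged rule for the sem denial comes out exactly as the description's audit2allow output shows it. The same run also illustrates why the output of Comment 4 deserves a read before `semodule -i`: selecting by domain sweeps up every denial that domain ever triggered (here a constructed shm denial against unconfined_t; in Comment 4, file access on tmpfs_t and user_tmpfs_t), and audit2allow turns each one into an allow rule regardless of whether it relates to the alert being chased.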

Comment 5 Daniel Walsh 2012-07-27 13:21:44 UTC
Since this version of Fedora is no longer supported, I am closing this bug.  If you are still seeing this bug in a current version of Fedora, please reopen the bugzilla with the appropriate version number.

