Bug 722579 - SELinux prevents ricci from installing RPMs.
Summary: SELinux prevents ricci from installing RPMs.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.7
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-07-15 17:38 UTC by Brandon Perkins
Modified: 2012-02-21 05:47 UTC (History)

Fixed In Version: selinux-policy-2.4.6-318.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 746351
Environment:
Last Closed: 2012-02-21 05:47:43 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2012:0158 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2012-02-20 14:53:50 UTC

Description Brandon Perkins 2011-07-15 17:38:17 UTC
Description of problem:
SELinux prevents ricci from installing RPMs.

Version-Release number of selected component (if applicable):
ricci-0.12.2-32.el5

How reproducible:
Always.

Steps to Reproduce:
1. Setup luci.
2. Install ricci and start it.
3. Add system to luci and tell it to install packages.
  
Actual results:
Luci gets stuck with "Node still being created" on the install step.

Expected results:
RPMs are installed.

Additional info:

Summary:

SELinux is preventing ricci-modrpm (ricci_modrpm_t) "create" to <Unknown>
(ricci_modrpm_t).

Detailed Description:

SELinux denied access requested by ricci-modrpm. It is not expected that this
access is required by ricci-modrpm and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:ricci_modrpm_t
Target Context                system_u:system_r:ricci_modrpm_t
Target Objects                None [ unix_dgram_socket ]
Source                        ricci-modrpm
Source Path                   /usr/libexec/ricci-modrpm
Port                          <Unknown>
Host                          rhel5pool-01.dhcp151-178.mpc.lab.eng.bos.redhat.com
Source RPM Packages           ricci-0.12.2-32.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-316.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     rhel5pool-01.dhcp151-178.mpc.lab.eng.bos.redhat.com
Platform                      Linux rhel5pool-01.dhcp151-178.mpc.lab.eng.bos.redhat.com 2.6.18-274.el5 #1 SMP Fri Jul 8 17:36:59 EDT 2011 x86_64 x86_64
Alert Count                   4
First Seen                    Fri Jul 15 12:57:52 2011
Last Seen                     Fri Jul 15 12:57:53 2011
Local ID                      b4848e92-8759-4886-aae8-5871c4ddafb8
Line Numbers                  

Raw Audit Messages            

host=rhel5pool-01.dhcp151-178.mpc.lab.eng.bos.redhat.com type=AVC msg=audit(1310749073.49:144): avc:  denied  { create } for  pid=5490 comm="ricci-modrpm" scontext=system_u:system_r:ricci_modrpm_t:s0 tcontext=system_u:system_r:ricci_modrpm_t:s0 tclass=unix_dgram_socket

host=rhel5pool-01.dhcp151-178.mpc.lab.eng.bos.redhat.com type=SYSCALL msg=audit(1310749073.49:144): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=2 a2=0 a3=7db items=0 ppid=5488 pid=5490 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ricci-modrpm" exe="/usr/libexec/ricci-modrpm" subj=system_u:system_r:ricci_modrpm_t:s0 key=(null)

Comment 2 Miroslav Grepl 2011-09-29 11:28:59 UTC
Fixed in selinux-policy-2.4.6-317.el5

Comment 4 Brandon Perkins 2011-10-04 17:32:11 UTC
The issue described in the original description appears to be fixed (using selinux-policy-2.4.6-317.el5 and ricci-0.12.2-33.el5).  However, that then exposes the next issue.  While not related to the original installation of RPMs, which is in fact working now, it appears ricci is unable to start the daemons for a similar reason.  I am happy to open this as a new bug if that's preferred.





Summary:

SELinux is preventing ricci-modservic (ricci_modservice_t) "create" to <Unknown>
(ricci_modservice_t).

Detailed Description:

SELinux denied access requested by ricci-modservic. It is not expected that this
access is required by ricci-modservic and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:ricci_modservice_t
Target Context                system_u:system_r:ricci_modservice_t
Target Objects                None [ unix_dgram_socket ]
Source                        ricci-modservic
Source Path                   /usr/libexec/ricci-modservice
Port                          <Unknown>
Host                          bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com
Source RPM Packages           ricci-0.12.2-33.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-317.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com
Platform                      Linux bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com 2.6.18-274.3.1.el5 #1 SMP Fri Aug 26 18:49:02 EDT 2011 x86_64 x86_64
Alert Count                   4
First Seen                    Tue Oct  4 13:26:46 2011
Last Seen                     Tue Oct  4 13:26:46 2011
Local ID                      932f9ada-a4cc-4ca7-8149-02ce9f8b91ce
Line Numbers                  

Raw Audit Messages            

host=bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com type=AVC msg=audit(1317749206.35:39): avc:  denied  { create } for  pid=19400 comm="ricci-modservic" scontext=system_u:system_r:ricci_modservice_t:s0 tcontext=system_u:system_r:ricci_modservice_t:s0 tclass=unix_dgram_socket

host=bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com type=SYSCALL msg=audit(1317749206.35:39): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=2 a2=0 a3=7db items=0 ppid=19398 pid=19400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ricci-modservic" exe="/usr/libexec/ricci-modservice" subj=system_u:system_r:ricci_modservice_t:s0 key=(null)

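Added example, not part of the bug report and not ricci, setroubleshoot or audit2allow code: a small parser for the two raw AVC/SYSCALL pairs quoted in the description (ricci-modrpm) and in comment 4 (ricci-modservice). It decodes what the audit records actually say (x86_64 syscall 41 is socket(2); the hex arguments a0=1, a1=2 are AF_UNIX, SOCK_DGRAM; exit=-13 is EACCES), merges the denials, and emits the type-enforcement rules a local policy module in the style of audit2allow -M would need. The module name "ricci_local", the small arch/syscall tables and the sample text (the page's own records with the host= prefix dropped) are assumptions of the example.

```python
"""Decode raw audit AVC/SYSCALL pairs and derive the allow rules a local
SELinux policy module would need.  Added example for this bug page; it is
not ricci, setroubleshoot or audit2allow code."""
import errno
import re
import socket

# Constructed sample: the two AVC/SYSCALL pairs quoted in the description
# (ricci-modrpm) and in comment 4 (ricci-modservice), host= prefix dropped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1310749073.49:144): avc:  denied  { create } for  pid=5490 comm="ricci-modrpm" scontext=system_u:system_r:ricci_modrpm_t:s0 tcontext=system_u:system_r:ricci_modrpm_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1310749073.49:144): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=2 a2=0 a3=7db items=0 ppid=5488 pid=5490 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ricci-modrpm" exe="/usr/libexec/ricci-modrpm" subj=system_u:system_r:ricci_modrpm_t:s0 key=(null)
type=AVC msg=audit(1317749206.35:39): avc:  denied  { create } for  pid=19400 comm="ricci-modservic" scontext=system_u:system_r:ricci_modservice_t:s0 tcontext=system_u:system_r:ricci_modservice_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1317749206.35:39): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=2 a2=0 a3=7db items=0 ppid=19398 pid=19400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ricci-modservic" exe="/usr/libexec/ricci-modservice" subj=system_u:system_r:ricci_modservice_t:s0 key=(null)
"""

# Deliberately minimal tables (assumption): only what these records need.
AUDIT_ARCH = {"c000003e": "x86_64", "40000003": "i386"}
SYSCALLS_X86_64 = {41: "socket", 42: "connect", 44: "sendto", 49: "bind"}

_FIELD = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
_MSGID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
_PERMS = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")


def _fields(line):
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def parse_audit(text):
    """Group AVC and SYSCALL records by audit message id (timestamp:serial)."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = _fields(line)
        ev = events.setdefault(_MSGID.search(line).group(1), {})
        ev.setdefault("id", _MSGID.search(line).group(1))
        if f["type"] == "AVC":
            f["perms"] = _PERMS.search(line).group(1).split()
            ev["avc"] = f
        elif f["type"] == "SYSCALL":
            ev["syscall"] = f
    return [ev for ev in events.values() if "avc" in ev]


def decode_syscall(f):
    """Audit prints a0..a3 in hex and exit in decimal; decode socket(2) calls."""
    arch = AUDIT_ARCH.get(f["arch"], f["arch"])
    nr = int(f["syscall"])
    name = SYSCALLS_X86_64.get(nr, "syscall_%d" % nr) if arch == "x86_64" else "syscall_%d" % nr
    out = {"arch": arch, "syscall": name,
           "errno": errno.errorcode.get(-int(f["exit"]), f["exit"])}
    if name == "socket":
        out["family"] = socket.AddressFamily(int(f["a0"], 16)).name
        # low nibble only: SOCK_NONBLOCK / SOCK_CLOEXEC may be ORed in
        out["type"] = socket.SocketKind(int(f["a1"], 16) & 0xF).name
    return out


def _type(ctx):
    """system_u:system_r:ricci_modrpm_t:s0 -> ricci_modrpm_t"""
    return ctx.split(":")[2]


def _permset(perms):
    p = " ".join(sorted(perms))
    return p if len(perms) == 1 else "{ %s }" % p


def allow_rules(events):
    """One allow rule per (source, target, class); permissions merged."""
    merged = {}
    for ev in events:
        a = ev["avc"]
        key = (_type(a["scontext"]), _type(a["tcontext"]), a["tclass"])
        merged.setdefault(key, set()).update(a["perms"])
    # A domain acting on an object it labelled itself is written as "self".
    return ["allow %s %s:%s %s;" % (s, "self" if s == t else t, cls, _permset(p))
            for (s, t, cls), p in merged.items()]


def module_source(events, name="ricci_local"):
    """Type-enforcement (.te) source in the shape audit2allow -M writes."""
    types, classes = set(), {}
    for ev in events:
        a = ev["avc"]
        types.update({_type(a["scontext"]), _type(a["tcontext"])})
        classes.setdefault(a["tclass"], set()).update(a["perms"])
    req = ["\ttype %s;" % t for t in sorted(types)]
    req += ["\tclass %s %s;" % (c, _permset(p)) for c, p in sorted(classes.items())]
    return "module %s 1.0;\n\nrequire {\n%s\n}\n\n%s\n" % (
        name, "\n".join(req), "\n".join(allow_rules(events)))


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT)
    for ev in evs:
        print(ev["id"], ev["avc"]["comm"], decode_syscall(ev["syscall"]))
    print(module_source(evs))
```

The emitted .te would be compiled and loaded in the usual way (checkmodule -M -m, semodule_package, semodule -i); on an affected RHEL 5 host it is a stop-gap only, since the errata policy (selinux-policy-2.4.6-318.el5) is the real fix. Before adding any local rule, check whether the installed policy already grants it, e.g. sesearch --allow -s ricci_modrpm_t -t ricci_modrpm_t -c unix_dgram_socket -p create. Note that both denials are the domain creating its own AF_UNIX datagram socket, which is what the decoded a0/a1 show; that narrow scope is why "self" is the right target rather than a broad unconfined rule.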
Comment 5 Miroslav Grepl 2011-10-05 05:05:21 UTC
Ok, this is a different AVC msg.

Comment 6 Jan Pokorný [poki] 2011-10-14 21:28:14 UTC
SELinux prevents ricci from starting/stopping services -> cloned bug 746351

Comment 9 Miroslav Grepl 2011-10-20 14:37:42 UTC
Fixed in selinux-policy-2.4.6-318.el5

Comment 13 errata-xmlrpc 2012-02-21 05:47:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0158.html

