Bug 864931 - SELinux is preventing firewalld from 'getattr' accesses on the directory /var/lib/rpm.
SELinux is preventing firewalld from 'getattr' accesses on the directory /var...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
18
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:3862bf8d7a87bc2c38ea5481de4...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-10-10 08:25 EDT by Ernesto
Modified: 2012-12-20 10:36 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-20 10:36:02 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
File: type (9 bytes, text/plain)
2012-10-10 08:25 EDT, Ernesto
no flags Details
File: hashmarkername (14 bytes, text/plain)
2012-10-10 08:25 EDT, Ernesto
no flags Details

  None (edit)
Description Ernesto 2012-10-10 08:25:03 EDT
Additional info:
libreport version: 2.0.15
kernel:         3.6.1-1.fc18.x86_64

description:
:SELinux is preventing firewalld from 'getattr' accesses on the directory /var/lib/rpm.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If cree que de manera predeterminada, firewalld debería permitir acceso getattr sobre  rpm directory.     
:Then debería reportar esto como un error.
:Puede generar un módulo de política local para permitir este acceso.
:Do
:permita el acceso momentáneamente executando:
:# grep firewalld /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:firewalld_t:s0
:Target Context                system_u:object_r:rpm_var_lib_t:s0
:Target Objects                /var/lib/rpm [ dir ]
:Source                        firewalld
:Source Path                   firewalld
:Port                          <Desconocido>
:Host                          (removed)
:Source RPM Packages           
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.11.1-32.fc18.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.1-1.fc18.x86_64 #1 SMP Mon Oct
:                              8 17:19:09 UTC 2012 x86_64 x86_64
:Alert Count                   3
:First Seen                    2012-10-06 12:23:00 ART
:Last Seen                     2012-10-10 05:59:31 ART
:Local ID                      b5d4a0fa-36e0-43f2-9e1c-676c18129309
:
:Raw Audit Messages
:type=AVC msg=audit(1349859571.821:14): avc:  denied  { getattr } for  pid=620 comm="firewalld" path="/var/lib/rpm" dev="sda2" ino=1704188 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
:
:
:Hash: firewalld,firewalld_t,rpm_var_lib_t,dir,getattr
:
:audit2allow
:
:#============= firewalld_t ==============
:allow firewalld_t rpm_var_lib_t:dir getattr;
:
:audit2allow -R
:
:#============= firewalld_t ==============
:allow firewalld_t rpm_var_lib_t:dir getattr;
:
Comment 1 Ernesto 2012-10-10 08:25:07 EDT
Created attachment 624837 [details]
File: type
Comment 2 Ernesto 2012-10-10 08:25:10 EDT
Created attachment 624838 [details]
File: hashmarkername
Comment 3 Daniel Walsh 2012-10-10 08:44:37 EDT
Does firewalld do anything with rpm?
Comment 4 Thomas Woerner 2012-10-10 08:51:11 EDT
No, besides providing rpm packages, there is no rpm use in firewalld.
Comment 5 Daniel Walsh 2012-10-10 09:08:04 EDT
Ernesto do you have a file system mounted at /var/lib/rpm?

Did this AVC happen during an update?
Comment 6 Ernesto 2012-10-10 11:26:58 EDT
Daniel, /var/lib/rpm is not a mountpoint (I hope that's what you are asking). It's inside my only EXT4 partition (/).
Yes, this was during a "yum update" from a terminal (I have uninstalled some time ago the graphical update notification thing, don't know if that's important).
Comment 7 Daniel Walsh 2012-10-10 14:49:42 EDT
Ok most likely this is a leak or something happening because the process was sitting in /var/lib/rpm when it got restarted.  I think I will just dontaudit this access in the future to prevent these random AVCs.
Comment 8 Daniel Walsh 2012-10-10 14:52:51 EDT
Fixed in selinux-policy-3.11.1-36.fc18.noarch
Comment 9 Fedora Update System 2012-10-11 05:05:08 EDT
selinux-policy-3.11.1-36.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-36.fc18
Comment 10 Fedora Update System 2012-10-11 13:23:43 EDT
Package selinux-policy-3.11.1-36.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-36.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15934/selinux-policy-3.11.1-36.fc18
then log in and leave karma (feedback).
Comment 11 Fedora Update System 2012-12-20 10:36:04 EST
selinux-policy-3.11.1-36.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.