Bug 864931 - SELinux is preventing firewalld from 'getattr' accesses on the directory /var/lib/rpm.
Summary: SELinux is preventing firewalld from 'getattr' accesses on the directory /var...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:3862bf8d7a87bc2c38ea5481de4...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-10-10 12:25 UTC by Ernesto
Modified: 2012-12-20 15:36 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-12-20 15:36:02 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
File: type (9 bytes, text/plain)
2012-10-10 12:25 UTC, Ernesto
no flags Details
File: hashmarkername (14 bytes, text/plain)
2012-10-10 12:25 UTC, Ernesto
no flags Details

Description Ernesto 2012-10-10 12:25:03 UTC
Additional info:
libreport version: 2.0.15
kernel:         3.6.1-1.fc18.x86_64

description:
:SELinux is preventing firewalld from 'getattr' accesses on the directory /var/lib/rpm.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If cree que de manera predeterminada, firewalld debería permitir acceso getattr sobre  rpm directory.     
:Then debería reportar esto como un error.
:Puede generar un módulo de política local para permitir este acceso.
:Do
:permita el acceso momentáneamente executando:
:# grep firewalld /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:firewalld_t:s0
:Target Context                system_u:object_r:rpm_var_lib_t:s0
:Target Objects                /var/lib/rpm [ dir ]
:Source                        firewalld
:Source Path                   firewalld
:Port                          <Desconocido>
:Host                          (removed)
:Source RPM Packages           
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.11.1-32.fc18.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.1-1.fc18.x86_64 #1 SMP Mon Oct
:                              8 17:19:09 UTC 2012 x86_64 x86_64
:Alert Count                   3
:First Seen                    2012-10-06 12:23:00 ART
:Last Seen                     2012-10-10 05:59:31 ART
:Local ID                      b5d4a0fa-36e0-43f2-9e1c-676c18129309
:
:Raw Audit Messages
:type=AVC msg=audit(1349859571.821:14): avc:  denied  { getattr } for  pid=620 comm="firewalld" path="/var/lib/rpm" dev="sda2" ino=1704188 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
:
:
:Hash: firewalld,firewalld_t,rpm_var_lib_t,dir,getattr
:
:audit2allow
:
:#============= firewalld_t ==============
:allow firewalld_t rpm_var_lib_t:dir getattr;
:
:audit2allow -R
:
:#============= firewalld_t ==============
:allow firewalld_t rpm_var_lib_t:dir getattr;
:

Comment 1 Ernesto 2012-10-10 12:25:07 UTC
Created attachment 624837 [details]
File: type

Comment 2 Ernesto 2012-10-10 12:25:10 UTC
Created attachment 624838 [details]
File: hashmarkername

Comment 3 Daniel Walsh 2012-10-10 12:44:37 UTC
Does firewalld do anything with rpm?

Comment 4 Thomas Woerner 2012-10-10 12:51:11 UTC
No, besides providing rpm packages, there is no rpm use in firewalld.

Comment 5 Daniel Walsh 2012-10-10 13:08:04 UTC
Ernesto do you have a file system mounted at /var/lib/rpm?

Did this AVC happen during an update?

Comment 6 Ernesto 2012-10-10 15:26:58 UTC
Daniel, /var/lib/rpm is not a mountpoint (I hope that's what you are asking). It's inside my only EXT4 partition (/).
Yes, this was during a "yum update" from a terminal (I have uninstalled some time ago the graphical update notification thing, don't know if that's important).

Comment 7 Daniel Walsh 2012-10-10 18:49:42 UTC
Ok most likely this is a leak or something happening because the process was sitting in /var/lib/rpm when it got restarted.  I think I will just dontaudit this access in the future to prevent these random AVCs.

Comment 8 Daniel Walsh 2012-10-10 18:52:51 UTC
Fixed in selinux-policy-3.11.1-36.fc18.noarch

Comment 9 Fedora Update System 2012-10-11 09:05:08 UTC
selinux-policy-3.11.1-36.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-36.fc18

Comment 10 Fedora Update System 2012-10-11 17:23:43 UTC
Package selinux-policy-3.11.1-36.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-36.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15934/selinux-policy-3.11.1-36.fc18
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2012-12-20 15:36:04 UTC
selinux-policy-3.11.1-36.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.