Bug 969085 - SELinux is preventing /usr/bin/mandb from 'search' accesses on the directory /home.
SELinux is preventing /usr/bin/mandb from 'search' accesses on the directory ...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
18
i686 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:741bca211a056ac533b7e4c89e1...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-30 11:39 EDT by Nerses Gevorgyan
Modified: 2013-10-25 07:39 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-10-25 07:39:53 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
/etc/man_db.conf (5.05 KB, text/plain)
2013-06-03 15:00 EDT, Nerses Gevorgyan
no flags Details

  None (edit)
Description Nerses Gevorgyan 2013-05-30 11:39:09 EDT
Description of problem:
Regularly hapens in the FC18. If I'm not wrong that started to appear after some update. 
SELinux is preventing /usr/bin/mandb from 'search' accesses on the directory /home.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mandb should be allowed search access on the home directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mandb /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mandb_t:s0-s0:c0.c1023
Target Context                system_u:object_r:home_root_t:s0
Target Objects                /home [ dir ]
Source                        mandb
Source Path                   /usr/bin/mandb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           man-db-2.6.3-2.fc18.i686
Target RPM Packages           filesystem-3.1-2.fc18.i686
Policy RPM                    selinux-policy-3.11.1-96.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.2-200.fc18.i686 #1 SMP Mon May
                              13 14:48:23 UTC 2013 i686 i686
Alert Count                   4
First Seen                    2013-05-27 11:34:03 EDT
Last Seen                     2013-05-30 10:28:03 EDT
Local ID                      3b144d29-28cd-4d93-9f0e-9852902fa24b

Raw Audit Messages
type=AVC msg=audit(1369924083.950:1924): avc:  denied  { search } for  pid=22850 comm="mandb" name="/" dev="sda3" ino=2 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir


type=SYSCALL msg=audit(1369924083.950:1924): arch=i386 syscall=stat64 success=no exit=ENOENT a0=bfd451a0 a1=bfd45264 a2=4e304000 a3=bfd451a0 items=0 ppid=22845 pid=22850 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=19 tty=(none) comm=mandb exe=/usr/bin/mandb subj=system_u:system_r:mandb_t:s0-s0:c0.c1023 key=(null)

Hash: mandb,mandb_t,home_root_t,dir,search

audit2allow

#============= mandb_t ==============
allow mandb_t home_root_t:dir search;

audit2allow -R
require {
	type mandb_t;
}

#============= mandb_t ==============
files_search_home(mandb_t)


Additional info:
hashmarkername: setroubleshoot
kernel:         3.9.2-200.fc18.i686
type:           libreport
Comment 1 Daniel Walsh 2013-06-03 10:33:21 EDT
Do you have man pages in /root?

Is there any mention of root in /etc/man_db.conf

Probably could be dontaudited.

Might be a process looking at its homedir.
Comment 2 Nerses Gevorgyan 2013-06-03 14:57:44 EDT
(In reply to Daniel Walsh from comment #1)
> Do you have man pages in /root?
> 
No, I don't.

> Is there any mention of root in /etc/man_db.conf
> 
"grep -i root /etc/man_db.conf" gives an empty output.
Anyway, I'll attach my /etc/man_db.conf

> Probably could be dontaudited.
> 
> Might be a process looking at its homedir.
That's the question, why it is looking to home direct
ory at all?
Comment 3 Nerses Gevorgyan 2013-06-03 15:00:00 EDT
Created attachment 756468 [details]
/etc/man_db.conf
Comment 4 Colin Watson 2013-06-04 10:54:15 EDT
man-db has a configuration file in ~/.manpath.  I have no SELinux experience, but wouldn't that account for this?
Comment 5 Nerses Gevorgyan 2013-06-04 15:33:45 EDT
(In reply to Colin Watson from comment #4)
> man-db has a configuration file in ~/.manpath.  I have no SELinux
> experience, but wouldn't that account for this?

I don't have ~/.manpath file.
Comment 6 Colin Watson 2013-06-04 16:58:09 EDT
That's as may be, but man-db cannot possibly know that without looking for it.
Comment 7 Daniel Walsh 2013-06-04 17:11:06 EDT
Yes that would explain it.

f690b8bd3df43cf208a162b8aa0866d78b3a13c2 adds this to git.
8763880cc0441abf06383717f3426c4091535a65
Comment 8 Miroslav Grepl 2013-06-07 04:15:45 EDT
Back ported.

Note You need to log in before you can comment on or make changes to this bug.