Bug 975895 - SELinux is preventing /usr/bin/mandb from 'remove_name' accesses on the directory #index.db#.
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-06-19 10:31 EDT by Ray Holme
Modified: 2013-08-19 11:37 EDT
CC: 4 users
Fixed In Version: selinux-policy-3.11.1-100.fc18
Doc Type: Bug Fix
Last Closed: 2013-08-14 22:53:41 EDT
Description Ray Holme 2013-06-19 10:31:29 EDT
Description of problem:
I tried the semodule fix and it did not work. In any case, this is the system space not mine and it is therefore a selinux bug.
SELinux is preventing /usr/bin/mandb from 'remove_name' accesses on the directory #index.db#.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mandb should be allowed remove_name access on the #index.db# directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep mandb /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mandb_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:man_t:s0
Target Objects                #index.db# [ dir ]
Source                        mandb
Source Path                   /usr/bin/mandb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           man-db-2.6.3-2.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-97.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.5-201.fc18.x86_64 #1 SMP Tue
                              Jun 11 19:40:51 UTC 2013 x86_64 x86_64
Alert Count                   3
First Seen                    2013-06-17 08:47:11 EDT
Last Seen                     2013-06-19 07:40:12 EDT
Local ID                      6a5e05de-76a6-47ac-86b2-f5f8d068a43c

Raw Audit Messages
type=AVC msg=audit(1371642012.216:594): avc:  denied  { remove_name } for  pid=9189 comm="mandb" name="#index.db#" dev="dm-1" ino=2497614 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:man_t:s0 tclass=dir

type=AVC msg=audit(1371642012.216:594): avc:  denied  { rename } for  pid=9189 comm="mandb" name="#index.db#" dev="dm-1" ino=2497614 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:man_t:s0 tclass=file

type=AVC msg=audit(1371642012.216:594): avc:  denied  { unlink } for  pid=9189 comm="mandb" name="index.db" dev="dm-1" ino=2497656 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:man_t:s0 tclass=file

type=SYSCALL msg=audit(1371642012.216:594): arch=x86_64 syscall=rename success=yes exit=0 a0=19df8e0 a1=1b5b380 a2=6 a3=2aaaaaab items=0 ppid=9184 pid=9189 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=8 tty=(none) comm=mandb exe=/usr/bin/mandb subj=system_u:system_r:mandb_t:s0-s0:c0.c1023 key=(null)

Hash: mandb,mandb_t,man_t,dir,remove_name


#============= mandb_t ==============
allow mandb_t man_t:dir remove_name;
allow mandb_t man_t:file { rename unlink };

audit2allow -R
require {
	type mandb_t;

#============= mandb_t ==============

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.5-201.fc18.x86_64
type:           libreport
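As an added example (not part of this bug report, setroubleshoot or audit2allow), the script below parses the raw AVC records quoted in the description, rebuilds the same allow rules and "Hash:" signature that the tools printed, and adds a constructed triage step: a write-type denial against a type the writer domain is not expected to touch is flagged as a likely mislabel (check with ls -Z, fix with restorecon) rather than as a policy gap to allow. The EXPECTED_WRITE_TYPES table is an assumption taken from the maintainers' later advice in this thread that mandb's index files should be mandb_cache_t; it is not derived from the policy sources.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted in the bug description, plus
# an abridged SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1371642012.216:594): avc:  denied  { remove_name } for  pid=9189 comm="mandb" name="#index.db#" dev="dm-1" ino=2497614 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:man_t:s0 tclass=dir
type=AVC msg=audit(1371642012.216:594): avc:  denied  { rename } for  pid=9189 comm="mandb" name="#index.db#" dev="dm-1" ino=2497614 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:man_t:s0 tclass=file
type=AVC msg=audit(1371642012.216:594): avc:  denied  { unlink } for  pid=9189 comm="mandb" name="index.db" dev="dm-1" ino=2497656 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:man_t:s0 tclass=file
type=SYSCALL msg=audit(1371642012.216:594): arch=x86_64 syscall=rename success=yes exit=0 pid=9189 comm=mandb exe=/usr/bin/mandb
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed heuristic (assumption, not from the policy): the object types a
# writer domain is expected to modify.  Per the maintainers in this thread,
# mandb's index files should carry mandb_cache_t.
EXPECTED_WRITE_TYPES = {'mandb_t': {'mandb_cache_t'}}
WRITE_LIKE = {'write', 'append', 'create', 'unlink', 'rename', 'setattr',
              'add_name', 'remove_name'}


def context_type(context):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one 'avc: denied' record into a dict; return None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '?'),
        'name': fields.get('name', '?'),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def parse_audit_log(text):
    """All AVC denials in a chunk of audit.log text, in file order."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def allow_rules(records):
    """Aggregate denials per (source, target, class) in the form audit2allow prints."""
    grouped = defaultdict(set)
    for r in records:
        grouped[(r['stype'], r['ttype'], r['tclass'])].update(r['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ ' + perm_str + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {perm_str};')
    return rules


def setroubleshoot_hash(rec):
    """The 'Hash:' signature setroubleshoot prints: comm,stype,ttype,tclass,perms."""
    return ','.join([rec['comm'], rec['stype'], rec['ttype'], rec['tclass'],
                     ','.join(rec['perms'])])


def triage(rec):
    """'relabel' if a write-type denial hits an unexpected object type,
    'policy-gap' if the label is right but policy still denies, else 'review'."""
    expected = EXPECTED_WRITE_TYPES.get(rec['stype'])
    if expected is None:
        return 'review'          # domain not covered by the heuristic
    if rec['ttype'] in expected:
        return 'policy-gap'      # correct label, so this needs a policy change
    if set(rec['perms']) & WRITE_LIKE:
        return 'relabel'         # check the file with ls -Z / restorecon first
    return 'policy-gap'


if __name__ == '__main__':
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for r in recs:
        print(f'{setroubleshoot_hash(r):45} -> {triage(r)}')
    print('\n'.join(allow_rules(recs)))
```

On the sample, every record triages as "relabel", which matches how the thread resolved: the fix was to relabel the index file, not to install the generated mypol.pp module.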
Comment 1 Daniel Walsh 2013-06-19 15:42:23 EDT
Ray would you happen to know where this index.db is being created?

My index.db files are in /var/cache/man  which is labeled mandb_cache_t.

restorecon -R -v /var/cache/man

Should fix all labels under this dir.
Comment 2 Ray Holme 2013-06-20 08:07:34 EDT
Ran restorecon as directed by Daniel (and as per the troubleshooter).

however every time I boot again, I get about 5 trouble reports from mandb.

I will just ignore them, but really these should not happen.
Comment 3 Miroslav Grepl 2013-06-20 09:06:28 EDT
And where is your index.db located?
Comment 4 Ray Holme 2013-06-20 16:27:41 EDT
A find command finds tons of index.db(s) - I don't recall the exact location in the troubleshooter but will look at next boot

mandb complains about this file, "#index.db#" (name like this) and 2-3 other files every time I boot.

I will reboot and capture the information that I can without filing bug reports for each entry

In any case, I never made an index.db for mandb (I did run catman if that helps)
Comment 5 Miroslav Grepl 2013-06-21 03:29:16 EDT
You can execute

# echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
# systemctl restart auditd.service

Then we get full path in AVC msgs.
Comment 6 Ray Holme 2013-06-21 09:15:04 EDT
[root@rainbow ray]# echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
[root@rainbow ray]# systemctl restart auditd.service

Failed to issue method call: Operation refused, unit auditd.service may be requested by dependency only.

NOT so good - but I will reboot and try to trace it then VERY SOON
Comment 7 Ray Holme 2013-06-21 14:48:41 EDT
OK after reboot, I get 4-5 troubleshooter reports - this time it was 4

All 4 from /usr/bin/mandb in the below order

     attempted              on file

     setattr                 29410
     remove_name             #index.db#
     write                   /opt/local/share/man
     write                   index.db

Only the third is fully qualified. I can see no trace of a file called 29410 with find.

I can stop watching these if it makes sense and just ignore them.

The only non-standard thing here is that /opt/local is now what /usr/local was; and the latter is now a link to /opt/local.
Comment 8 Miroslav Grepl 2013-07-12 02:58:50 EDT
Ok, is index.db located directly in /opt/local/share/man?

# ls -Z /opt/local/share/man/index.db
Comment 9 Ray Holme 2013-07-12 08:44:53 EDT
YES, but I am not sure it is that one. Here is the one you wanted and a full list. Also I maintain several other fedora18 servers and they ALL have complaints in /var/log/messages about this and the other files I see mandb complain about at boot.

ls -Z /opt/local/share/man/index.db; find / -name index.db 2> /dev/null
-rw-r--r--. root root system_u:object_r:man_t:s0 /opt/local/share/man/index.db
Comment 10 Ray Holme 2013-07-12 08:47:26 EDT
PS - thanks for "-Z" - I have always wondered how to see the new linux attributes for files - never sure why they were needed as I am an OLD Unix hacker, but I am sure there was good reason. 7777 was always as many attributes as I needed. :=]
Comment 11 Ray Holme 2013-07-13 15:55:51 EDT
I just realized that the machine (my own) which I ran the "ls -Z" command on had been patched using the remedy suggested by the trouble shooter.

I ran the below on a machine which WAS NOT patched by troubleshooter suggestions.

find / -name index.db -exec ls -Z {} \; > /tmp/index_files 2> /dev/null


-rw-r--r--. root root system_u:object_r:mandb_cache_t:s0 /var/cache/man/id/index
-rw-r--r--. root root system_u:object_r:mandb_cache_t:s0 /var/cache/man/ja/index
-rw-r--r--. root root system_u:object_r:mandb_cache_t:s0 /var/cache/man/ro/index
... many more like this in /var/cache/man/... ; then this one
-rw-r--r--. root root system_u:object_r:usr_t:s0       /opt/local/share/man/inde
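As an added example (not part of the bug report), the script below automates the check Ray did by hand: it parses ls -Z listings, compares each file's type against the type mandb is expected to write under a given path prefix, and prints the fix commands. The EXPECTED_TYPES table is an assumption built from this thread (/var/cache/man is shown labelled mandb_cache_t on a correct system; the /opt/local/share/man entry follows the maintainers' advice). restorecon only helps once the policy's file contexts have a matching entry, so the chcon line is emitted as the fallback; the sample listing is constructed, with the /opt/local path completed from the ls -Z output earlier in the thread.

```python
import re

# Constructed sample modelled on the listing in Comment 11.
SAMPLE_LS_Z = """\
-rw-r--r--. root root system_u:object_r:mandb_cache_t:s0 /var/cache/man/id/index
-rw-r--r--. root root system_u:object_r:mandb_cache_t:s0 /var/cache/man/ja/index
-rw-r--r--. root root system_u:object_r:usr_t:s0       /opt/local/share/man/index.db
"""

# Assumed path-prefix -> expected type table (not from the policy sources).
EXPECTED_TYPES = [
    ('/var/cache/man/', 'mandb_cache_t'),
    ('/opt/local/share/man/', 'mandb_cache_t'),
]

# ls -Z (coreutils 8.x style): mode user group context path
LS_Z_RE = re.compile(
    r'^(?P<mode>\S+)\s+(?P<user>\S+)\s+(?P<group>\S+)\s+(?P<context>\S+)\s+(?P<path>.+)$')


def parse_ls_z(text):
    """Parse ls -Z lines into dicts with the SELinux type split out."""
    entries = []
    for line in text.splitlines():
        m = LS_Z_RE.match(line.strip())
        if m is None:
            continue
        entry = m.groupdict()
        entry['type'] = entry['context'].split(':')[2]
        entries.append(entry)
    return entries


def expected_type(path):
    """Type mandb should find at this path, or None if the path is not covered."""
    for prefix, stype in EXPECTED_TYPES:
        if path.startswith(prefix):
            return stype
    return None


def find_mislabels(entries):
    """(path, actual_type, expected_type) for every covered file with the wrong type."""
    bad = []
    for e in entries:
        want = expected_type(e['path'])
        if want is not None and e['type'] != want:
            bad.append((e['path'], e['type'], want))
    return bad


def fix_commands(mislabels):
    """restorecon first (applies the policy's own file contexts), chcon as the
    fallback the thread used when the policy had no entry for the path."""
    cmds = []
    for path, _actual, want in mislabels:
        cmds.append(f'restorecon -v {path}')
        cmds.append(f'chcon -t {want} {path}')
    return cmds


if __name__ == '__main__':
    bad = find_mislabels(parse_ls_z(SAMPLE_LS_Z))
    for path, actual, want in bad:
        print(f'{path}: {actual} (expected {want})')
    print('\n'.join(fix_commands(bad)))
```

Feed it real output with `find / -name index.db -exec ls -Z {} \;` as in the comment above; a chcon-applied label is lost on the next full relabel, so a path that keeps showing up here is the signal to report, as this bug did.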
Comment 12 Daniel Walsh 2013-07-15 17:30:31 EDT
Fedora 19/20 has this labeled.

 matchpathcon /opt/local/share/man/index.db
/opt/local/share/man/index.db	system_u:object_r:man_t:s0
Comment 13 Miroslav Grepl 2013-07-16 08:46:47 EDT
But should be mandb_cache_t to make this working.

# restorecon -Rv /opt/local/share/man
# chcon -t mandb_cache_t /opt/local/share/man/inde
Comment 14 Ray Holme 2013-07-16 10:03:13 EDT
OK, I will run the commands locally
  and all other machines that I have the priv. to do this on.

But, this file and some others (all from mandb agent) should best be fixed in some future release.

My goal was to make you all aware, you can close the bug or leave it open if you like.
Comment 15 Miroslav Grepl 2013-07-22 06:29:42 EDT
It has been switched to Modify. It means we have a fix. Thank you for your help.
Comment 16 Ray Holme 2013-07-22 07:51:35 EDT
most welcome
Comment 17 Fedora Update System 2013-08-05 01:40:36 EDT
selinux-policy-3.11.1-99.fc18 has been submitted as an update for Fedora 18.
Comment 18 Ray Holme 2013-08-05 08:22:09 EDT
Thanks and nice.
Comment 19 Fedora Update System 2013-08-05 20:14:09 EDT
Package selinux-policy-3.11.1-99.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-99.fc18'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 20 Fedora Update System 2013-08-07 07:12:03 EDT
selinux-policy-3.11.1-100.fc18 has been submitted as an update for Fedora 18.
Comment 21 Ray Holme 2013-08-09 10:35:32 EDT
I tried the yum command and got - will try again in a few more days

No Match for argument: selinux-policy-3.11.1-99.fc18
No package selinux-policy-3.11.1-99.fc18 available.
No Packages marked for Update
Comment 22 Fedora Update System 2013-08-14 22:53:41 EDT
selinux-policy-3.11.1-100.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Ray Holme 2013-08-15 12:04:06 EDT
No package selinux-policy-3.11.1-99.fc18 available.

and then
No package selinux-policy-3.11.1-100.fc18 available.

will wait till it makes it to the world.

Comment 24 Miroslav Grepl 2013-08-19 11:37:26 EDT
There will be a problem with your mirrors. You can use builds from koji

