Bug 989773 - mock is denied access to rpmdb when it runs repoquery
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware / OS: Unspecified / Unspecified
Priority / Severity: unspecified / unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-07-29 17:46 EDT by Garrett Holmstrom
Modified: 2013-09-22 20:43 EDT
Fixed In Version: selinux-policy-3.11.1-103.fc18
Doc Type: Bug Fix
Last Closed: 2013-09-22 20:43:56 EDT
Type: Bug
Attachments: None
Description Garrett Holmstrom 2013-07-29 17:46:12 EDT
Description of problem:
I'm trying to run mock on an enforcing system (as staff_u, if that matters), and after I set the mock_enable_homedirs boolean it gets to the "Outputting list of available packages" stage and then crashes when it tries to run repoquery.  The AVCs appear to be dontaudited, but here they are just in case they actually aren't supposed to happen:

time->Mon Jul 29 14:31:44 2013
type=SYSCALL msg=audit(1375133504.040:902): arch=c000003e syscall=4 success=no exit=-13 a0=189ff10 a1=7fff6acce180 a2=7fff6acce180 a3=d items=0 ppid=4219 pid=4220 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4 tty=(none) comm="repoquery" exe="/usr/bin/python2.7" subj=staff_u:staff_r:mock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1375133504.040:902): avc:  denied  { getattr } for  pid=4220 comm="repoquery" path="/var/lib/rpm" dev="dm-1" ino=264 scontext=staff_u:staff_r:mock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Mon Jul 29 14:31:44 2013
type=SYSCALL msg=audit(1375133504.073:904): arch=c000003e syscall=4 success=no exit=-13 a0=1927590 a1=7fff6acce9d0 a2=7fff6acce9d0 a3=d items=0 ppid=4219 pid=4220 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4 tty=(none) comm="repoquery" exe="/usr/bin/python2.7" subj=staff_u:staff_r:mock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1375133504.073:904): avc:  denied  { getattr } for  pid=4220 comm="repoquery" path="/var/lib/rpm" dev="dm-1" ino=264 scontext=staff_u:staff_r:mock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Mon Jul 29 14:31:44 2013
type=SYSCALL msg=audit(1375133504.186:912): arch=c000003e syscall=6 success=no exit=-13 a0=1f0d490 a1=7fff54aee920 a2=7fff54aee920 a3=20 items=0 ppid=3835 pid=3838 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4 tty=pts1 comm="mock" exe="/usr/bin/python2.7" subj=staff_u:staff_r:mock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1375133504.186:912): avc:  denied  { getattr } for  pid=3838 comm="mock" path="/run/user" dev="tmpfs" ino=15264 scontext=staff_u:staff_r:mock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
----
time->Mon Jul 29 14:31:44 2013
type=SYSCALL msg=audit(1375133504.186:913): arch=c000003e syscall=6 success=no exit=-13 a0=1f0d490 a1=7fff54aee920 a2=7fff54aee920 a3=20 items=0 ppid=3835 pid=3838 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4 tty=pts1 comm="mock" exe="/usr/bin/python2.7" subj=staff_u:staff_r:mock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1375133504.186:913): avc:  denied  { search } for  pid=3838 comm="mock" name="user" dev="tmpfs" ino=15264 scontext=staff_u:staff_r:mock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
----
time->Mon Jul 29 14:31:44 2013
type=SYSCALL msg=audit(1375133504.186:914): arch=c000003e syscall=6 success=no exit=-13 a0=1f0d490 a1=7fff54aee920 a2=7fff54aee920 a3=20 items=0 ppid=3835 pid=3838 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4 tty=pts1 comm="mock" exe="/usr/bin/python2.7" subj=staff_u:staff_r:mock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1375133504.186:914): avc:  denied  { search } for  pid=3838 comm="mock" name="user" dev="tmpfs" ino=15264 scontext=staff_u:staff_r:mock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir

AFAICT that corresponds to rpm_read_db(mock_t) and userdom_search_user_tmp_dirs(mock_t), but I haven't tested that guess yet.


Version-Release number of selected component (if applicable):
mock-1.1.32-1.fc18.noarch
selinux-policy-3.11.1-98.fc18.noarch


Steps to Reproduce:
1. sudo semodule -DB
2. (Log in as staff_t with "mock" group membership)
3. mock -r epel-6-x86_64 $foo.src.rpm
4. sudo ausearch -ts recent -sv no -su mock_t
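Added example, not code from the report or from the selinux-policy project: a small Python parser that turns the AVC records quoted in the description into the raw allow rules an audit2allow run would produce, so the denied accesses can be compared with what the policy grants. The input is the five AVC lines above, copied verbatim (the SYSCALL records carry no extra information for this purpose); duplicate denials are collapsed and the source and target types are extracted from the full security contexts. Because step 1 of the reproduction disables dontaudit rules with semodule -DB, some of these denials may be deliberately silenced in the shipped policy, so the output is the minimum access the log implies, not a recommendation to allow it as raw rules; a policy module would normally express it through refpolicy interfaces such as the ones the reporter names.

```python
import re
from collections import defaultdict

# AVC records copied verbatim from the bug description above.
AVC_LINES = """\
type=AVC msg=audit(1375133504.040:902): avc:  denied  { getattr } for  pid=4220 comm="repoquery" path="/var/lib/rpm" dev="dm-1" ino=264 scontext=staff_u:staff_r:mock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1375133504.073:904): avc:  denied  { getattr } for  pid=4220 comm="repoquery" path="/var/lib/rpm" dev="dm-1" ino=264 scontext=staff_u:staff_r:mock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1375133504.186:912): avc:  denied  { getattr } for  pid=3838 comm="mock" path="/run/user" dev="tmpfs" ino=15264 scontext=staff_u:staff_r:mock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1375133504.186:913): avc:  denied  { search } for  pid=3838 comm="mock" name="user" dev="tmpfs" ino=15264 scontext=staff_u:staff_r:mock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1375133504.186:914): avc:  denied  { search } for  pid=3838 comm="mock" name="user" dev="tmpfs" ino=15264 scontext=staff_u:staff_r:mock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
"""

# Matches the parts of an AVC denial needed for an allow rule:
# the permission set in braces, then scontext/tcontext/tclass.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Extract the type field from a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_denials(text):
    """Return {(source_type, target_type, tclass): set(permissions)} for every
    AVC denial in text; repeated denials of the same access collapse into one key."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and separators are skipped
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def allow_rules(denials):
    """Render the raw allow rules implied by the denials, one per
    (source, target, class) triple, in deterministic order."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(denials.items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(parse_denials(AVC_LINES)):
        print(rule)
```

Run as a script it prints two rules: one for mock_t on rpm_var_lib_t directories (getattr, the repoquery denial) and one for mock_t on user_tmp_t directories (getattr and search, the /run/user denial). Comparing that output against the policy after an update is a quick way to confirm a fix covers every access the log showed rather than only the one that crashed.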
Comment 1 Miroslav Grepl 2013-08-08 08:48:57 EDT
I need to back port mock fixes from F19.
Comment 2 Miroslav Grepl 2013-08-08 08:49:48 EDT
commit 2aed9c0bd018d80155df7b94db66f5ea0cc55fff
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Aug 8 14:49:26 2013 +0200

    Back port mock fixes from F19
Comment 3 Fedora Update System 2013-09-02 11:28:05 EDT
selinux-policy-3.11.1-101.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-101.fc18
Comment 4 Fedora Update System 2013-09-02 19:26:47 EDT
Package selinux-policy-3.11.1-101.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-101.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15645/selinux-policy-3.11.1-101.fc18
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2013-09-10 07:16:55 EDT
selinux-policy-3.11.1-103.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-103.fc18
Comment 6 Fedora Update System 2013-09-22 20:43:56 EDT
selinux-policy-3.11.1-103.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.