Bug 998057 - SELinux is preventing /usr/bin/mandb from 'search' accesses on the directory /home/p6e7g/Scripts.
SELinux is preventing /usr/bin/mandb from 'search' accesses on the directory ...
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: man-db (Show other bugs)
19
i686 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Jan Chaloupka
Fedora Extras Quality Assurance
abrt_hash:48d0de0855108b76eb7fa5d69a7...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-16 17:56 EDT by Paul Gresham
Modified: 2014-07-08 04:23 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-07-08 04:23:04 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Paul Gresham 2013-08-16 17:56:37 EDT
Description of problem:
SELinux is preventing /usr/bin/mandb from 'search' accesses on the directory /home/p6e7g/Scripts.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mandb should be allowed search access on the Scripts directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mandb /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mandb_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/p6e7g/Scripts [ dir ]
Source                        mandb
Source Path                   /usr/bin/mandb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           man-db-2.6.3-2.fc18.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-100.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.6-100.fc18.i686 #1 SMP Mon
                              Aug 12 17:03:42 UTC 2013 i686 i686
Alert Count                   2
First Seen                    2013-08-15 14:33:05 EDT
Last Seen                     2013-08-16 15:44:39 EDT
Local ID                      42bb0b17-ec37-4ac6-a623-6007d29ae437

Raw Audit Messages
type=AVC msg=audit(1376682279.834:442): avc:  denied  { search } for  pid=2682 comm="mandb" name="Scripts" dev="dm-2" ino=1333240 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir


type=SYSCALL msg=audit(1376682279.834:442): arch=i386 syscall=stat64 success=no exit=ENOENT a0=896f6f8 a1=bfbcaec0 a2=4e4c6000 a3=bfbcaf5c items=0 ppid=2677 pid=2682 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=5 tty=(none) comm=mandb exe=/usr/bin/mandb subj=system_u:system_r:mandb_t:s0-s0:c0.c1023 key=(null)

Hash: mandb,mandb_t,user_home_t,dir,search

audit2allow

#============= mandb_t ==============
#!!!! This avc is allowed in the current policy

allow mandb_t user_home_t:dir search;

audit2allow -R
require {
	type mandb_t;
}

#============= mandb_t ==============
userdom_mmap_user_home_content_files(mandb_t)


Additional info:
reporter:       libreport-2.1.5
hashmarkername: setroubleshoot
kernel:         3.10.6-100.fc18.i686
type:           libreport
Comment 1 Daniel Walsh 2013-08-17 06:51:17 EDT
Why is mandb looking for content in your homedirs?
Comment 2 Paul Gresham 2013-08-19 21:45:04 EDT
I have no idea why mandb is looking for content in my home directory.  I created a script to start the freshclam daemon.  I created a directory called "Scripts" in my home directory.  Occasionally this condition occurs.
Comment 3 Fedora End Of Life 2013-12-21 09:29:23 EST
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 4 Peter Schiffer 2014-02-19 08:50:00 EST
Paul,

do you have /home/p6e7g/Scripts directory in your PATH? If yes, that's probably the reason why mandb is searching there. Mandb is quite intelligent and it tries to construct manpath relatively to all directories in PATH..

Again, I'm not sure how to handle this on the selinux side...

peter
Comment 5 Paul Gresham 2014-02-19 14:41:12 EST
Peter,

You are correct.  I do have a /home/p6e7g/Scripts directory. OK.  I will not used the Scripts name as a directory.

Thanks for your explanation.  I think we can consider this closed.

Paul G.

(In reply to Peter Schiffer from comment #4)
> Paul,
> 
> do you have /home/p6e7g/Scripts directory in your PATH? If yes, that's
> probably the reason why mandb is searching there. Mandb is quite intelligent
> and it tries to construct manpath relatively to all directories in PATH..
> 
> Again, I'm not sure how to handle this on the selinux side...
> 
> peter
Comment 6 Peter Schiffer 2014-04-23 12:41:47 EDT
Thanks Paul for confirmation.

I think this could be solved by some configurable option to turn off automatic manpath resolution by man-db. For example, only MANDATORY_MANPATH would be searched, or something similar..
Comment 7 Fedora Admin XMLRPC Client 2014-05-12 07:46:16 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 8 Jan Chaloupka 2014-07-08 04:23:04 EDT
Hello,

> Peter
Searching only on MANDATORY_MANPATH paths will reduce intelligent behaviour (as you posted).

> Paul
man-db tries to investigate all possible directories for ../man, man, ../share/man, or share/man subdirectories. If it does not find any of these or does not have an access, the directory is skipped. So if your directory has a content that should not be inspected by man-db (prevented by selinux), this is a desired behaviour.

Note You need to log in before you can comment on or make changes to this bug.