Bug 119543 - rpmq generates a lot of AVC messages.
Summary: rpmq generates a lot of AVC messages.
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact: Mike McLean
URL:
Whiteboard:
Depends On:
Blocks: 122683
Reported: 2004-03-31 10:30 UTC by Aleksey Nogin
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-11-24 01:50:23 UTC
Type: ---
Embargoed:



Description Aleksey Nogin 2004-03-31 10:30:49 UTC
If I run rpm -qf /misc from staff_r SELinux role, I get over 40 AVC
messages in the log:

...
audit(1080728771.854:0): avc:  denied  { getattr } for  pid=29778
exe=/usr/lib/rpm/rpmq path=/lib/modules dev=hda2 ino=3826369
scontext=aleksey:staff_r:staff_t
tcontext=system_u:object_r:modules_object_t tclass=dir
audit(1080728771.854:0): avc:  denied  { search } for  pid=29778
exe=/usr/lib/rpm/rpmq name=modules dev=hda2 ino=3826369
scontext=aleksey:staff_r:staff_t
tcontext=system_u:object_r:modules_object_t tclass=dir
audit(1080728771.855:0): avc:  denied  { search } for  pid=29778
exe=/usr/lib/rpm/rpmq name=modules dev=hda2 ino=3826369
scontext=aleksey:staff_r:staff_t
tcontext=system_u:object_r:modules_object_t tclass=dir
audit(1080728771.855:0): avc:  denied  { search } for  pid=29778
exe=/usr/lib/rpm/rpmq name=modules dev=hda2 ino=3826369
scontext=aleksey:staff_r:staff_t
tcontext=system_u:object_r:modules_object_t tclass=dir
audit(1080728771.855:0): avc:  denied  { search } for  pid=29778
exe=/usr/lib/rpm/rpmq name=modules dev=hda2 ino=3826369
scontext=aleksey:staff_r:staff_t
tcontext=system_u:object_r:modules_object_t tclass=dir
audit(1080728771.855:0): avc:  denied  { getattr } for  pid=29778
exe=/usr/lib/rpm/rpmq path=/lib/modules dev=hda2 ino=3826369
scontext=aleksey:staff_r:staff_t
tcontext=system_u:object_r:modules_object_t tclass=dir
audit(1080728771.927:0): avc:  denied  { search } for  pid=29778
exe=/usr/lib/rpm/rpmq name=selinux dev=hda2 ino=3712021
scontext=aleksey:staff_r:staff_t
tcontext=system_u:object_r:policy_config_t tclass=dir
audit(1080728771.928:0): avc:  denied  { search } for  pid=29778
exe=/usr/lib/rpm/rpmq name=selinux dev=hda2 ino=3712021
scontext=aleksey:staff_r:staff_t
tcontext=system_u:object_r:policy_config_t tclass=dir
audit(1080728771.928:0): avc:  denied  { search } for  pid=29778
exe=/usr/lib/rpm/rpmq name=selinux dev=hda2 ino=3712021
scontext=aleksey:staff_r:staff_t
tcontext=system_u:object_r:policy_config_t tclass=dir
audit(1080728771.928:0): avc:  denied  { getattr } for  pid=29778
exe=/usr/lib/rpm/rpmq path=/etc/security/selinux dev=hda2 ino=3712021
scontext=aleksey:staff_r:staff_t
tcontext=system_u:object_r:policy_config_t tclass=dir
audit(1080728771.929:0): avc:  denied  { search } for  pid=29778
exe=/usr/lib/rpm/rpmq name=selinux dev=hda2 ino=3712021
scontext=aleksey:staff_r:staff_t
tcontext=system_u:object_r:policy_config_t tclass=dir
audit(1080728771.929:0): avc:  denied  { search } for  pid=29778
exe=/usr/lib/rpm/rpmq name=selinux dev=hda2 ino=3712021
scontext=aleksey:staff_r:staff_t
tcontext=system_u:object_r:policy_config_t tclass=dir
audit(1080728771.929:0): avc:  denied  { search } for  pid=29778
exe=/usr/lib/rpm/rpmq name=selinux dev=hda2 ino=3712021
scontext=aleksey:staff_r:staff_t
tcontext=system_u:object_r:policy_config_t tclass=dir
audit(1080728771.929:0): avc:  denied  { getattr } for  pid=29778
exe=/usr/lib/rpm/rpmq path=/etc/security/selinux dev=hda2 ino=3712021
scontext=aleksey:staff_r:staff_t
tcontext=system_u:object_r:policy_config_t tclass=dir

Does rpmq really need to look at all these? Should some of it be
allowed (e.g. by giving rpmq its own type)?

I have rpm-4.3-0.22 policy-sources-1.9.1-2

Comment 1 Daniel Walsh 2004-03-31 13:28:46 UTC
There is a bug in the policy, that allows you to partially transition
to the rpm role.  The latest policy 1.9.1-4 turns off unlimitedUsers,
which would eliminate this bug.  It also puts the proper role
transition code in place to allow the staff_r to fully transition to
rpm_t role if you run with unlimitedUsers.
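An added triage helper, not part of this bug report or of the rpm or SELinux tooling, that parses AVC lines like the ones in the description into distinct source-type/target-type/class/permission tuples with hit counts, and flags a binary whose denials carry the caller's domain rather than its own, which is the partial transition Comment 1 describes. The sample log is a constructed subset of the report's messages joined onto single lines, and rpm_t as the expected domain is taken from Comment 1.

```python
import re
from collections import Counter

# Constructed sample: five of the AVC messages from the report, each re-joined
# onto one line (the bug text wraps every message across several lines).
SAMPLE_AVC = """\
audit(1080728771.854:0): avc:  denied  { getattr } for  pid=29778 exe=/usr/lib/rpm/rpmq path=/lib/modules dev=hda2 ino=3826369 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:modules_object_t tclass=dir
audit(1080728771.854:0): avc:  denied  { search } for  pid=29778 exe=/usr/lib/rpm/rpmq name=modules dev=hda2 ino=3826369 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:modules_object_t tclass=dir
audit(1080728771.855:0): avc:  denied  { search } for  pid=29778 exe=/usr/lib/rpm/rpmq name=modules dev=hda2 ino=3826369 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:modules_object_t tclass=dir
audit(1080728771.927:0): avc:  denied  { search } for  pid=29778 exe=/usr/lib/rpm/rpmq name=selinux dev=hda2 ino=3712021 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:policy_config_t tclass=dir
audit(1080728771.928:0): avc:  denied  { getattr } for  pid=29778 exe=/usr/lib/rpm/rpmq path=/etc/security/selinux dev=hda2 ino=3712021 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:policy_config_t tclass=dir
"""

# Fields of the old (2004-era) kernel AVC format used in the report.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"exe=(?P<exe>\S+).*?scontext=(?P<scontext>\S+)\s+"
    r"tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(text):
    """Yield one dict per AVC denial line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = tuple(d["perms"].split())  # "{ read write }" -> ("read", "write")
            yield d

def summarize(text):
    """Collapse repeated denials into distinct (source type, target type, class,
    permission) tuples with a hit count, the way a policy triage pass would."""
    counts = Counter()
    for d in parse_avc(text):
        stype = d["scontext"].split(":")[2]   # user:role:type -> type
        ttype = d["tcontext"].split(":")[2]
        for perm in d["perms"]:
            counts[(stype, ttype, d["tclass"], perm)] += 1
    return dict(counts)

def missing_transition(text, exe, expected_type):
    """Source types other than expected_type seen for exe. A non-empty result means
    the binary was still running in the caller's domain, i.e. no domain transition."""
    return sorted({d["scontext"].split(":")[2] for d in parse_avc(text)
                   if d["exe"] == exe and d["scontext"].split(":")[2] != expected_type})
```

Run over the full log from the report, the dozens of messages collapse to a handful of tuples, and the staff_t source on every rpmq denial is the signal that the domain transition did not happen.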

Comment 2 Aleksey Nogin 2004-03-31 22:05:05 UTC
I am currently running w/o unlimitedUsers. And the other question
still stands - does rpmq need to look at all this stuff? I am just
asking it to tell me what package the /misc directory belongs to; why
does it need to look at the selinux and kernel module directories to
answer this question?

Comment 3 Daniel Walsh 2004-03-31 22:23:46 UTC
I am seeing none of these messages

rpm -q -f /misc

Gives me no errors.

Comment 4 Jeff Johnson 2004-11-24 01:50:23 UTC
This problem appears to be resolved.

