archivematica-storage-service package install: SELinux errors on CentOS 7 #34

Open

sprater opened this issue Aug 25, 2016 · 5 comments

sprater commented Aug 25, 2016

Two AVC denial errors are thrown on CentOS 7 with SELinux enabled when attempting to install the rpm archivematica-storage-service.x86_64 0:0.8.0-0.beta.1, with the consequence that the user 'archivematica' is not created:

SELinux is preventing /usr/sbin/useradd from setattr access on the directory archivematica.
SELinux is preventing /usr/sbin/useradd from create access on the file .bash_logout.

Error 1:
***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow useradd to have setattr access on the archivematica directory
Then you need to change the label on archivematica
Do

semanage fcontext -a -t FILE_TYPE 'archivematica'

where FILE_TYPE is one of the following: alsa_home_t, antivirus_home_t, audio_home_t, auth_home_t, cache_home_t, chrome_sandbox_home_t, config_home_t, cvs_home_t, data_home_t, dbus_home_t, fetchmail_home_t, gconf_home_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gstreamer_home_t, home_bin_t, home_cert_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, irc_home_t, irc_tmp_t, irssi_home_t, kismet_home_t, krb5_home_t, krb5kdc_var_lib_t, local_login_home_t, mail_home_rw_t, mail_home_t, mail_spool_t, mandb_home_t, mozilla_home_t, mpd_home_t, mpd_user_data_t, mplayer_home_t, mysqld_home_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_rw_file_t, openshift_tmp_t, openshift_var_lib_t, polipo_cache_home_t, polipo_config_home_t, procmail_home_t, pulseaudio_home_t, rlogind_home_t, rssh_ro_t, rssh_rw_t, sandbox_file_t, screen_home_t, selinux_config_t, selinux_login_config_t, semanage_store_t, semanage_tmp_t, smsd_var_lib_t, spamc_home_t, speech-dispatcher_home_t, ssh_home_t, stapserver_var_lib_t, svirt_home_t, systemd_home_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, thumb_home_t, tvtime_home_t, uml_ro_t, uml_rw_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, useradd_var_run_t, virt_content_t, virt_home_t, vmware_conf_t, vmware_file_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_home_t.
Then execute:
restorecon -v 'archivematica'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that useradd should be allowed setattr access on the archivematica directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

grep useradd /var/log/audit/audit.log | audit2allow -M mypol

semodule -i mypol.pp

Additional Information:
Source Context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
Target Context system_u:object_r:var_lib_t:s0
Target Objects archivematica [ dir ]
Source useradd
Source Path /usr/sbin/useradd
Port
Host xxxx
Source RPM Packages shadow-utils-4.1.5.1-18.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-60.el7_2.7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name xxxx
Platform Linux xxxx 3.10.0-327.28.3.el7.x86_64 #1 SMP Thu Aug 18 19:05:49 UTC 2016 x86_64 x86_64
Alert Count 1
First Seen 2016-08-25 08:33:26 CDT
Last Seen 2016-08-25 08:33:26 CDT
Local ID 0eb7d8aa-6b19-4401-926a-1d28646c18f9

Raw Audit Messages
type=AVC msg=audit(1472132006.845:1735): avc: denied { setattr } for pid=7142 comm="useradd" name="archivematica" dev="dm-0" ino=73548767 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

type=SYSCALL msg=audit(1472132006.845:1735): arch=x86_64 syscall=chmod success=no exit=EACCES a0=7fff45a0d773 a1=1c0 a2=0 a3=3f items=0 ppid=7140 pid=7142 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=181 comm=useradd exe=/usr/sbin/useradd subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)

Hash: useradd,useradd_t,var_lib_t,dir,setattr

Error 2:
***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow useradd to have create access on the .bash_logout file
Then you need to change the label on .bash_logout
Do

semanage fcontext -a -t FILE_TYPE '.bash_logout'

where FILE_TYPE is one of the following: alsa_home_t, antivirus_home_t, audio_home_t, auth_home_t, cache_home_t, chrome_sandbox_home_t, config_home_t, cvs_home_t, data_home_t, dbus_home_t, default_context_t, etc_runtime_t, etc_t, fetchmail_home_t, file_context_t, gconf_home_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gstreamer_home_t, home_bin_t, home_cert_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, irc_home_t, irc_tmp_t, irssi_home_t, kismet_home_t, krb5_home_t, krb5kdc_var_lib_t, local_login_home_t, mail_home_rw_t, mail_home_t, mail_spool_t, mandb_home_t, mozilla_home_t, mpd_home_t, mpd_user_data_t, mplayer_home_t, mysqld_home_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_rw_file_t, openshift_tmp_t, openshift_var_lib_t, passwd_file_t, polipo_cache_home_t, polipo_config_home_t, procmail_home_t, pulseaudio_home_t, rlogind_home_t, rssh_ro_t, rssh_rw_t, sandbox_file_t, screen_home_t, selinux_config_t, selinux_login_config_t, semanage_store_t, semanage_tmp_t, shadow_t, smsd_var_lib_t, spamc_home_t, speech-dispatcher_home_t, ssh_home_t, stapserver_var_lib_t, svirt_home_t, systemd_home_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, thumb_home_t, tvtime_home_t, uml_ro_t, uml_rw_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_t, user_tmp_t, useradd_var_run_t, virt_content_t, virt_home_t, vmware_conf_t, vmware_file_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_home_t.
Then execute:
restorecon -v '.bash_logout'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that useradd should be allowed create access on the .bash_logout file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

grep useradd /var/log/audit/audit.log | audit2allow -M mypol

semodule -i mypol.pp

Additional Information:
Source Context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
Target Context system_u:object_r:var_lib_t:s0
Target Objects .bash_logout [ file ]
Source useradd
Source Path /usr/sbin/useradd
Port
Host xxxx
Source RPM Packages shadow-utils-4.1.5.1-18.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-60.el7_2.7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name xxxx
Platform Linux xxxx 3.10.0-327.28.3.el7.x86_64 #1 SMP Thu Aug 18 19:05:49 UTC 2016 x86_64 x86_64
Alert Count 1
First Seen 2016-08-25 08:33:26 CDT
Last Seen 2016-08-25 08:33:26 CDT
Local ID ba067c58-b010-4624-b385-78566310cf4c

Raw Audit Messages
type=AVC msg=audit(1472132006.846:1737): avc: denied { create } for pid=7142 comm="useradd" name=".bash_logout" scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

type=SYSCALL msg=audit(1472132006.846:1737): arch=x86_64 syscall=open success=no exit=EACCES a0=7fbb8aef64b0 a1=241 a2=1a4 a3=6165726373662f72 items=0 ppid=7140 pid=7142 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=181 comm=useradd exe=/usr/sbin/useradd subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)

Hash: useradd,useradd_t,var_lib_t,file,create
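
A triage script for raw audit messages like the two above, added here as an example (it is not part of the report or of the Archivematica packaging). It parses AVC records, rebuilds the comm,source-type,target-type,class,permission key that sealert prints after "Hash:", and flags useradd_t denials whose target carries a non-home label such as var_lib_t as a labelling problem for the new home directory (the semanage fcontext + restorecon route) rather than a case for a blanket audit2allow module. The HOME_TYPES set and the sample log lines are constructed for the example.

```python
import re
from collections import Counter
# Home-directory types useradd_t is expected to manage; both appear in the
# FILE_TYPE list sealert printed above. Anything else points to mislabelling.
HOME_TYPES = {"user_home_dir_t", "user_home_t"}

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Fields of one AVC record (None for non-AVC lines such as type=SYSCALL)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["stype"] = rec["scontext"].split(":")[2]  # user:role:TYPE:level
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def sealert_keys(rec):
    """The comm,stype,ttype,tclass,perm keys sealert prints after 'Hash:'."""
    return [f"{rec['comm']},{rec['stype']},{rec['ttype']},{rec['tclass']},{p}"
            for p in rec["perms"]]

def triage(rec):
    """'relabel' when useradd hits a non-home label (fix the fcontext), else 'review'."""
    return "relabel" if rec["stype"] == "useradd_t" and rec["ttype"] not in HOME_TYPES else "review"

def summarize(audit_text):
    """Count (sealert key, verdict) pairs over an audit.log excerpt."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts.update((key, triage(rec)) for key in sealert_keys(rec))
    return counts

# Constructed sample: the two useradd denials quoted in the issue plus one unrelated httpd denial.
SAMPLE = """\
type=AVC msg=audit(1472132006.845:1735): avc: denied { setattr } for pid=7142 comm="useradd" name="archivematica" dev="dm-0" ino=73548767 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1472132006.845:1735): arch=x86_64 syscall=chmod success=no exit=EACCES comm=useradd
type=AVC msg=audit(1472132006.846:1737): avc: denied { create } for pid=7142 comm="useradd" name=".bash_logout" scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1472132099.100:1801): avc: denied { read } for pid=8001 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

if __name__ == "__main__":
    for (key, verdict), n in sorted(summarize(SAMPLE).items()):
        print(f"{n:3d}  {verdict:8s} {key}")
```

Run against a real excerpt with `grep useradd /var/log/audit/audit.log` as input; a "relabel" verdict means the path useradd created should get a home-directory fcontext before any policy module is considered.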

sevein added the AM17 label Nov 9, 2017

sevein (Member) commented Nov 9, 2017

@scollazo is there anything we can do about this?

scollazo (Contributor) commented:

Yes, we have some selinux tweaks in the archivematica-storage-service.spec; we should add some more here, and in the dashboard spec file.

sevein (Member) commented Nov 28, 2017

Cool, thanks.

scollazo (Contributor) commented:

I wasn't able to reproduce this in a CentOS 7 environment with SELinux set to "Enforce", and using the following selinux-policy packages:

selinux-policy-3.13.1-166.el7_4.9.noarch
selinux-policy-targeted-3.13.1-166.el7_4.9.noarch

sevein (Member) commented Mar 19, 2018

We haven't been able to reproduce. Removing from the 1.7 milestone but we'll keep it open.

sevein removed the AM17 label Mar 19, 2018