Bug 1103042

Field | Value
---|---
Summary | SELinux is preventing /usr/bin/python "search" access on /root/.local.
Product | Fedora
Reporter | Jan Pazdziora (Red Hat) <jpazdziora>
Component | selinux-policy
Assignee | Lukas Vrabec <lvrabec>
Status | CLOSED ERRATA
QA Contact | Fedora Extras Quality Assurance <extras-qa>
Severity | medium
Priority | low
Version | 20
CC | bkahn, bwhitehd, cjm, dominick.grift, dwalsh, jpazdziora, lvrabec, mgrepl, mzazrivec, pwouters
Hardware | i386
OS | Linux
Whiteboard | setroubleshoot_trace_hash:dec548f1c8efbe0d892ed250a8eed711f0ec705f48dd03e5abe2a7bba8eb1671
Fixed In Version | selinux-policy-3.12.1-171.fc20
Doc Type | Bug Fix
Clone Of | 573181
Last Closed | 2014-06-26 01:53:42 UTC
Bug Depends On | 573181
Bug Blocks | 1103135
Description
Jan Pazdziora (Red Hat)
2014-05-30 06:32:28 UTC

The issue seems to be back in Fedora 20:

type=SYSCALL msg=audit(1401361477.476:202): arch=c000003e syscall=4 success=no exit=-13 a0=1e97310 a1=7fff35385580 a2=7fff35385580 a3=0 items=0 ppid=1 pid=18286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="osa-dispatcher" exe="/usr/bin/python2.7" subj=system_u:system_r:osa_dispatcher_t:s0 key=(null)
type=AVC msg=audit(1401361477.476:202): avc: denied { search } for pid=18286 comm="osa-dispatcher" name=".local" dev="dm-0" ino=262158 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1401361534.406:209): arch=c000003e syscall=4 success=no exit=-13 a0=168e310 a1=7fff13edf7e0 a2=7fff13edf7e0 a3=0 items=0 ppid=1 pid=18967 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1401361534.406:209): avc: denied { search } for pid=18967 comm="cobblerd" name=".local" dev="dm-0" ino=262158 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir

# find /root -inum 262158
/root/.local

Comment #3 (Miroslav Grepl)

This is more of a bug in these apps. Adding fixes to the policy for cobbler.te.

diff --git a/cobbler.te b/cobbler.te index e01156f..1543aec 100644 --- a/cobbler.te +++ b/cobbler.te
@@ -194,6 +194,10 @@ optional_policy(` ') optional_policy(` + gnome_dontaudit_search_config(cobblerd_t) +')

We don't ship the osa_dispatcher policy.

Comment #4 (Jan Pazdziora)

(In reply to Miroslav Grepl from comment #3)
> This is more of a bug in these apps. Adding fixes to the policy for cobbler.te.

So what are those applications doing wrong that this happens?

(In reply to Jan Pazdziora from comment #4)
> (In reply to Miroslav Grepl from comment #3)
> > This is more of a bug in these apps. Adding fixes to the policy for cobbler.te.
>
> So what are those applications doing wrong that this happens?

-E     Ignore environment variables like PYTHONPATH and PYTHONHOME that modify the behavior of the interpreter.
-s     Don't add user site directory to sys.path

Comment #6 (Jan Pazdziora)

Thanks. Two questions:

1) shouldn't we revert that

gnome_dontaudit_search_config(cobblerd_t)

and ask cobbler packager to do the -s?

2) Why don't I see that AVC denial in Permissive?

For the record, related osa-dispatcher bugzilla 1103135.

selinux-policy-3.12.1-167.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-167.fc20

Package selinux-policy-3.12.1-167.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-167.fc20'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-7240/selinux-policy-3.12.1-167.fc20
then log in and leave karma (feedback).

(In reply to Jan Pazdziora from comment #6)
> Thanks. Two questions:
>
> 1) shouldn't we revert that
>
> gnome_dontaudit_search_config(cobblerd_t)
>
> and ask cobbler packager to do the -s?

In fact, my Spacewalk installation used cobbler20, packaged by the Spacewalk project, so possibly with the stock cobbler package in Fedora the problem isn't there at all. Could you please revert the policy change?

commit 6b19382ed24fe08f74eaf73304ab381d1909e3fa
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jun 17 11:04:32 2014 +0200

    Revert gnome_dontaudit_search_config in cobbler policy

Reverted.

selinux-policy-3.12.1-171.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-171.fc20

Package selinux-policy-3.12.1-171.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-171.fc20'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-7499/selinux-policy-3.12.1-171.fc20
then log in and leave karma (feedback).

selinux-policy-3.12.1-171.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
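Review bot: the added `gnome_dontaudit_search_config(cobblerd_t)` line in the cobbler.te hunk suppresses the audit record for cobblerd_t searching gconf_home_t instead of addressing why cobblerd touches /root/.local at all, which the thread identifies as the interpreter's user site-packages lookup (switched off with `python -s`); a dontaudit also hides the denial from later troubleshooting, so the revert in commit 6b19382ed24fe08f74eaf73304ab381d1909e3fa is the right outcome, and if such a rule were ever kept it should carry a comment in cobbler.te naming that Python behaviour. Note also that the hunk header `@@ -194,6 +194,10 @@` accounts for four added lines while only two `+` lines are visible, so the patch as pasted is not the complete change.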
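The -E/-s man-page excerpt in the thread is the root cause in one line: at startup Python's site module calls os.path.isdir() on the user site-packages directory under $HOME/.local, which for a daemon running as uid 0 is /root/.local, so the kernel needs dir:search on each path component and the .local directory (labelled gconf_home_t) is the one denied. The following is an added example, not code from the bug report, cobbler or selinux-policy; probe_user_site and search_components are assumed helper names, the HOME values are constructed, and the mechanism is the same in Python 2.7 (the interpreter in the report) and Python 3.

```python
# Added example (not from the bug report or the cobbler/selinux-policy code):
# why a Python daemon running as root needs dir:search on /root/.local, and
# how `python -s` switches that lookup off.
import json
import os
import subprocess
import sys


def probe_user_site(home, no_user_site=False):
    """Start a child interpreter with HOME set to `home` (a constructed path;
    it need not exist) and report what its site module decided at startup.
    PYTHON* variables are stripped so PYTHONNOUSERSITE/PYTHONUSERBASE cannot
    skew the result; `-s` is the switch the thread proposes for cobblerd."""
    child = (
        "import json, site, sys;"
        "print(json.dumps({"
        "'no_user_site_flag': bool(sys.flags.no_user_site),"
        "'enable_user_site': site.ENABLE_USER_SITE,"
        "'user_base': site.getuserbase(),"
        "'user_site': site.getusersitepackages()}))"
    )
    env = {k: v for k, v in os.environ.items() if not k.startswith("PYTHON")}
    env["HOME"] = home
    argv = [sys.executable] + (["-s"] if no_user_site else []) + ["-c", child]
    done = subprocess.run(argv, env=env, capture_output=True, text=True, check=True)
    return json.loads(done.stdout)


def search_components(path):
    """Directories that must grant dir:search for the kernel to resolve `path`
    (every ancestor; the final component itself only needs getattr). site.py
    calls os.path.isdir() on the user site-packages directory, so for a root
    daemon this list contains /root/.local, the `name=".local" tclass=dir`
    object denied in the AVC records above."""
    parts = [p for p in os.path.normpath(path).split("/") if p]
    dirs = ["/"]
    for part in parts[:-1]:
        dirs.append(os.path.join(dirs[-1], part))
    return dirs


if __name__ == "__main__":
    home = "/root"  # the daemons in the report run as uid 0
    default = probe_user_site(home)
    quiet = probe_user_site(home, no_user_site=True)
    print("default: user site enabled =", default["enable_user_site"],
          "-> startup would stat", default["user_site"])
    print("with -s: user site enabled =", quiet["enable_user_site"])
    print("dirs needing search:", search_components(default["user_site"]))
```

Running it inside a virtualenv shows user site already disabled in the default case, which is the same effect -s has for a system daemon.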