Bug 1300813
| Summary: | [RHEL-7.3] avc: denied { open } for pid=12786 comm="rhsmcertd-worke" | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | PaulB <pbunyan> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | aquini, bgoncalv, jburke, jstancek, lvrabec, mgrepl, mmalik, pbunyan, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | ppc64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-02-12 08:15:30 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
All, Here is a reproducer targeting same ppc64 hosts: https://beaker.engineering.redhat.com/jobs/1195735 Best, -pbunyan It seems that the /usr/lib/python2.7/site-packages/ecdsa-0.13-py2.7.egg file is mislabeled. Following command should correct it: # restorecon -Rv /usr/lib/python2.7/site-packages Why it got mislabeled? Was the file moved from /tmp or /vat/tmp into the /usr/lib/python2.7/site-packages directory? It seems that AVCs appear before following things happen: Finished processing dependencies for paramiko==1.16.0 restorecon -R -v /usr/lib/python*/ restorecon reset /usr/lib/python2.7/site-packages/ecdsa-0.13-py2.7.egg context system_u:object_r:user_tmp_t:s0->system_u:object_r:lib_t:s0 restorecon reset /usr/lib/python2.7/site-packages/pycrypto-2.6.1-py2.7-linux-ppc64.egg context system_u:object_r:user_tmp_t:s0->system_u:object_r:lib_t:s0 INFO: Adding these info into /etc/hosts because the restorecon command corrects labels on both files. All, Here is another instance seen during automated testing: https://beaker.engineering.redhat.com/jobs/1198503 https://beaker.engineering.redhat.com/recipes/2432890 https://beaker.engineering.redhat.com/recipes/2432890#task37441266 Best, -pbunyan |
Description of problem: The following avc error was seen while testing with RHEL-7.2 Server ppc64: avc: denied { open } for pid=12786 comm="rhsmcertd-worke" path="/usr/lib/python2.7/site-packages/ecdsa-0.13-py2.7.egg" Version-Release number of selected component (if applicable): distro: RHEL-7.2 Server ppc64 kernel: 3.10.0-342.el7 selinux-policy: 3.13.1-60.el7.noarch How reproducible: unknown Actual results: https://beaker.engineering.redhat.com/recipes/2426801 https://beaker.engineering.redhat.com/recipes/2426801#task37374186 http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2016/01/11957/1195735/2426801/37374186/183774185/test_log-env_setup-avc.log ---<-snip->--- time->Wed Jan 20 23:03:35 2016 type=SYSCALL msg=audit(1453349015.383:63): arch=80000015 syscall=5 success=no exit=-13 a0=3fffc861c2b0 a1=0 a2=1b6 a3=0 items=0 ppid=1365 pid=12785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python2.7" subj=system_u:system_r:rhsmcertd_t:s0 key=(null) type=AVC msg=audit(1453349015.383:63): avc: denied { open } for pid=12785 comm="rhsmcertd-worke" path="/usr/lib/python2.7/site-packages/ecdsa-0.13-py2.7.egg" dev="dm-0" ino=136148937 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file ---<-snip->--- Expected results: no avc errors Additional info: