Bug 1744300

Summary: SELinux is preventing /usr/libexec/platform-python3.6 from 'open' accesses on the file /var/log/hawkey.log.
Product: Red Hat Enterprise Linux 8
Reporter: Joachim Frieben <jfrieben>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 8.1
CC: lvrabec, mmalik, plautrba, ssekidde, zpytela
Target Milestone: rc   
Target Release: 8.0   
Hardware: x86_64   
OS: Linux   
Whiteboard: abrt_hash:b6471f9644c8dc7a88624819561ceedd435b98a08eec96d2fb278be1e4e538e2;
Last Closed: 2019-08-26 15:19:36 UTC

Description Joachim Frieben 2019-08-21 19:11:57 UTC
Description of problem:
SELinux is preventing /usr/libexec/platform-python3.6 from 'open' accesses on the file /var/log/hawkey.log.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that platform-python3.6 should be allowed open access on the hawkey.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rhsmcertd-worke' --raw | audit2allow -M my-rhsmcertdworke
# semodule -X 300 -i my-rhsmcertdworke.pp

Additional Information:
Source Context                system_u:system_r:rhsmcertd_t:s0
Target Context                unconfined_u:object_r:var_log_t:s0
Target Objects                /var/log/hawkey.log [ file ]
Source                        rhsmcertd-worke
Source Path                   /usr/libexec/platform-python3.6
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           platform-python-3.6.8-11.el8.x86_64
Target RPM Packages           dnf-data-4.2.6-1.el8.noarch
Policy RPM                    selinux-policy-3.14.3-9.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.0-107.el8.x86_64 #1 SMP Fri
                              Jun 14 13:46:34 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-08-21 21:06:27 CEST
Last Seen                     2019-08-21 21:06:27 CEST
Local ID                      f6e01ef5-b341-4423-b7ef-ef28dac080c4

Raw Audit Messages
type=AVC msg=audit(1566414387.603:302): avc:  denied  { open } for  pid=9479 comm="rhsmcertd-worke" path="/var/log/hawkey.log" dev="dm-3" ino=131153 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1566414387.603:302): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=555df3574600 a2=441 a3=1b6 items=0 ppid=1859 pid=9479 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rhsmcertd-worke exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)

Hash: rhsmcertd-worke,rhsmcertd_t,var_log_t,file,open

Version-Release number of selected component:
selinux-policy-3.14.3-9.el8.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.0-107.el8.x86_64
type:           libreport

Comment 1 Milos Malik 2019-08-22 07:14:47 UTC
I believe this bug is a duplicate of BZ#1720639.

Comment 2 Lukas Vrabec 2019-08-26 15:19:36 UTC

*** This bug has been marked as a duplicate of bug 1720639 ***