Bug 2027044
| Summary: | SELinux is preventing blueman-mechani from 'read' accesses on the directory site-packages. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Naadir Jeewa <naadir> |
| Component: | selinux-policy | Assignee: | Milos Malik <mmalik> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 36 | CC: | dwalsh, grepl.miroslav, lvrabec, mmalik, nat, nknazeko, omosnace, pkoncity, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | abrt_hash:c23012ee74831add72f209474163b6bbd7c3b1287b862b8914771e1617573f68;VARIANT_ID=workstation; | ||
| Fixed In Version: | selinux-policy-36.15-1.fc36 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-09-22 01:17:11 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I'm having this SELinux problem with my newly installed Fedora 36. I believe it has something to do with the BlueTooth. BlueTooth is enabled but I can't connect it to my BlueTooth Logitech mouse. Hi Naadir, Can you please enable full auditing and reproduce it again? Open /etc/audit/rules.d/audit.rules file in an editor. 1. Remove following line if it exists: -a task,never 2. Add following line at the end of the file: -w /etc/shadow -p w 3. Restart the audit daemon: # service auditd restart Thank you Nikola The gconf_home_t label in the tcontext= part of the SELinux denial indicates that there is a directory called "site-packages" located under ~/.local/ directory. # matchpathcon /root/.local /root/.local system_u:object_r:gconf_home_t:s0 # matchpathcon /home/user/.local /home/user/.local unconfined_u:object_r:gconf_home_t:s0 # Do you have a directory called site-packages in your home directory or in root's home directory? # find /home /root -type d -name site-packages Thank you. Reproducible on my Fedora 36 when the /root/.local/lib/python3.10/site-packages directory exists:
# python --version
Python 3.10.6
# find /root/.local/lib/
/root/.local/lib/
/root/.local/lib/python3.10
/root/.local/lib/python3.10/site-packages
# service blueman-mechanism start
Redirecting to /bin/systemctl start blueman-mechanism.service
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=PROCTITLE msg=audit(09/06/2022 12:16:33.623:374) : proctitle=/usr/bin/python3 /usr/libexec/blueman-mechanism
type=PATH msg=audit(09/06/2022 12:16:33.623:374) : item=0 name=/root/.local/lib/python3.10/site-packages inode=834955 dev=00:20 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:gconf_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/06/2022 12:16:33.623:374) : cwd=/
type=SYSCALL msg=audit(09/06/2022 12:16:33.623:374) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f8e0f4f4640 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1998 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=blueman-mechani exe=/usr/bin/python3.10 subj=system_u:system_r:blueman_t:s0 key=(null)
type=AVC msg=audit(09/06/2022 12:16:33.623:374) : avc: denied { read } for pid=1998 comm=blueman-mechani name=site-packages dev="vda2" ino=834955 scontext=system_u:system_r:blueman_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(09/06/2022 12:16:33.623:375) : proctitle=/usr/bin/python3 /usr/libexec/blueman-mechanism
type=PATH msg=audit(09/06/2022 12:16:33.623:375) : item=0 name=/root/.local/lib/python3.10/site-packages inode=834955 dev=00:20 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:gconf_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/06/2022 12:16:33.623:375) : cwd=/
type=SYSCALL msg=audit(09/06/2022 12:16:33.623:375) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f8e0f52dcc0 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1998 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=blueman-mechani exe=/usr/bin/python3.10 subj=system_u:system_r:blueman_t:s0 key=(null)
type=AVC msg=audit(09/06/2022 12:16:33.623:375) : avc: denied { read } for pid=1998 comm=blueman-mechani name=site-packages dev="vda2" ino=834955 scontext=system_u:system_r:blueman_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
----
I believe that other Python programs would like to access that directory too.
# file /usr/libexec/blueman-mechanism
/usr/libexec/blueman-mechanism: Python script, ASCII text executable
#
The only SELinux denial that appeared in permissive mode is:
---
type=PROCTITLE msg=audit(09/06/2022 12:21:49.845:384) : proctitle=/usr/bin/python3 /usr/libexec/blueman-mechanism
type=PATH msg=audit(09/06/2022 12:21:49.845:384) : item=0 name=/root/.local/lib/python3.10/site-packages inode=834955 dev=00:20 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:gconf_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/06/2022 12:21:49.845:384) : cwd=/
type=SYSCALL msg=audit(09/06/2022 12:21:49.845:384) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x7f826ff9c5a0 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=2032 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=blueman-mechani exe=/usr/bin/python3.10 subj=system_u:system_r:blueman_t:s0 key=(null)
type=AVC msg=audit(09/06/2022 12:21:49.845:384) : avc: denied { read } for pid=2032 comm=blueman-mechani name=site-packages dev="vda2" ino=834955 scontext=system_u:system_r:blueman_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=1
----
# sesearch -s blueman_t -t gconf_home_t -c dir -A --dontaudit
allow blueman_t gconf_home_t:dir { getattr open search };
dontaudit application_domain_type non_security_file_type:dir { getattr open search };
#
FEDORA-2022-096f7730be has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be FEDORA-2022-096f7730be has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-096f7730be` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2022-096f7730be has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report. I'm closing this out. Blueman is pretty old, and i'm not using it for a while since Gnome's BT support is complete enough. Should probably consider removal longterm. The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days |
Description of problem: SELinux is preventing blueman-mechani from 'read' accesses on the directory site-packages. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that blueman-mechani should be allowed read access on the site-packages directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'blueman-mechani' --raw | audit2allow -M my-bluemanmechani # semodule -X 300 -i my-bluemanmechani.pp Additional Information: Source Context system_u:system_r:blueman_t:s0 Target Context unconfined_u:object_r:gconf_home_t:s0 Target Objects site-packages [ dir ] Source blueman-mechani Source Path blueman-mechani Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-35.5-1.fc35.noarch Local Policy RPM selinux-policy-targeted-35.5-1.fc35.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.14.18-300.fc35.x86_64 #1 SMP Fri Nov 12 16:43:17 UTC 2021 x86_64 x86_64 Alert Count 20 First Seen 2021-11-25 00:51:48 UTC Last Seen 2021-11-27 09:37:26 UTC Local ID 7ea96bad-7a5a-4840-a558-401e9437597e Raw Audit Messages type=AVC msg=audit(1638005846.181:727): avc: denied { read } for pid=5189 comm="blueman-mechani" name="site-packages" dev="dm-0" ino=417663 scontext=system_u:system_r:blueman_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0 Hash: blueman-mechani,blueman_t,gconf_home_t,dir,read Version-Release number of selected component: selinux-policy-targeted-35.5-1.fc35.noarch Additional info: component: selinux-policy reporter: libreport-2.15.2 hashmarkername: setroubleshoot kernel: 5.14.18-300.fc35.x86_64 type: libreport Potential duplicate: bug 957539