Bug 2159393

Summary: SELinux is preventing /usr/bin/python3.9 from add_name access on the directory /var/log/hawkey.log.
Product: Red Hat Enterprise Linux 9
Reporter: Marko Myllynen <myllynen>
Component: selinux-policy
Assignee: Nikola Knazekova <nknazeko>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: medium
Version: 9.1
CC: lvrabec, mmalik, zpytela
Target Milestone: rc
Keywords: Reopened, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-06-16 10:04:35 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Marko Myllynen 2023-01-09 12:47:22 UTC
Description of problem:
SELinux is preventing /usr/bin/python3.9 from add_name access on the directory /var/log/hawkey.log.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python3.9 should be allowed add_name access on the hawkey.log directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rhsmcertd-worke' --raw | audit2allow -M my-rhsmcertdworke
# semodule -X 300 -i my-rhsmcertdworke.pp

Additional Information:
Source Context                system_u:system_r:rhsmcertd_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/hawkey.log [ dir ]
Source                        rhsmcertd-worke
Source Path                   /usr/bin/python3.9
Port                          <Unknown>
Host                          localhost
Source RPM Packages           python3-3.9.14-1.el9_1.1.x86_64
Target RPM Packages           dnf-data-4.12.0-4.el9.noarch
SELinux Policy RPM            selinux-policy-targeted-34.1.43-1.el9.noarch
Local Policy RPM              selinux-policy-targeted-34.1.43-1.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     localhost
Platform                      Linux localhost 5.14.0-162.6.1.el9_1.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Fri Sep 30 07:36:03 EDT 2022
                              x86_64 x86_64
Alert Count                   1
First Seen                    2023-01-09 14:35:13 EET
Last Seen                     2023-01-09 14:35:13 EET
Local ID                      ba401bae-738e-43c2-a841-13644749d0de


Additional info:
Earlier related reports for RHEL 8:

https://bugzilla.redhat.com/show_bug.cgi?id=1720639
https://bugzilla.redhat.com/show_bug.cgi?id=1949871

Comment 1 Nikola Knazekova 2023-01-16 13:33:37 UTC

*** This bug has been marked as a duplicate of bug 1720639 ***

Comment 2 Marko Myllynen 2023-01-16 14:14:36 UTC
This BZ is not resolved on RHEL 9, we need a new errata for this, so this is not a dupe of a two-year-old bug. Thanks.

Comment 6 Zdenek Pytela 2023-06-16 10:04:35 UTC
The permission was added with selinux-policy rebase in RHEL 9.2:

       rpm_hawkey_named_filetrans(rhsmcertd_t)

Closing a duplicate.

*** This bug has been marked as a duplicate of bug 2082524 ***
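A small triage helper for reports like the one above, added here as an example and not part of this bug or of the selinux-policy package: it parses the setroubleshoot fields (including multi-line ones such as Platform) and matches the source/target types against the named file transition comment 6 names, so the denial can be recognised as covered by a policy update rather than papered over with the catchall audit2allow module, which would allow rhsmcertd_t add_name on every var_log_t directory. The KNOWN_FILETRANS table and its RHEL 9.2 note are assumptions taken only from this page.

```python
import re

# Constructed sample: the summary line plus part of this bug's report block.
SAMPLE = """\
SELinux is preventing /usr/bin/python3.9 from add_name access on the directory /var/log/hawkey.log.
Source Context                system_u:system_r:rhsmcertd_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/hawkey.log [ dir ]
Enforcing Mode                Permissive
Platform                      Linux localhost 5.14.0-162.6.1.el9_1.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Fri Sep 30 07:36:03 EDT 2022
                              x86_64 x86_64
"""

SUMMARY_RE = re.compile(r"SELinux is preventing (?P<source>\S+) from (?P<perm>\S+) "
                        r"access on the (?P<tclass>\w+) (?P<target>\S+)\.$")
FIELD_RE = re.compile(r"(.+?)\s{2,}(.*)")   # "Key<2+ spaces>Value"

# (source type, target type, object) -> interface that already covers it.
# Assumed table built only from comment 6 of this bug; the proper fix is a
# named file transition, not allowing add_name on every var_log_t directory.
KNOWN_FILETRANS = {
    ("rhsmcertd_t", "var_log_t", "/var/log/hawkey.log"):
        "rpm_hawkey_named_filetrans(rhsmcertd_t), selinux-policy rebase in RHEL 9.2",
}

def parse_report(text):
    """Parse setroubleshoot output; indented lines continue the previous field."""
    fields, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SUMMARY_RE.match(line)
        if m:
            fields.update(m.groupdict())
        elif line[0].isspace() and key:       # e.g. the 3-line Platform field
            fields[key] += " " + line.strip()
        elif (m := FIELD_RE.match(line)):
            key, value = m.groups()
            fields[key] = value
    return fields

def type_of(context):
    return context.split(":")[2]              # user:role:type:level -> type

def triage(fields):
    """Return (source_type, target_type, fix); fix is None for unknown denials."""
    src = type_of(fields["Source Context"])
    tgt = type_of(fields["Target Context"])
    return src, tgt, KNOWN_FILETRANS.get((src, tgt, fields.get("target")))
```

Feed it the full "Additional Information" block from sealert or the setroubleshoot log; a denial with a known fix should be resolved by updating selinux-policy, and only unknown ones deserve a hand-written local module.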