Bug 560321
Summary: | SELinux is preventing /usr/bin/python "execute" access on /tmp/ffiSwFIhF (deleted). | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | John Bouras <jlbouras> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 12 | CC: | dwalsh, graham.rick, hitsugaya10th, jlbouras, mgrepl |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
Whiteboard: | setroubleshoot_trace_hash:b3ac7e3191bbe3bff19f3ecb168e955f8d53fd33d461b5b98dbca549a4f41d6d | ||
Fixed In Version: | 3.6.32-84.fc12 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2010-02-11 14:43:20 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
John Bouras
2010-01-30 23:58:03 UTC
Miroslav, Add can_exec(NetworkManager_t, NetworkManager_tmp_t)

Fixed in selinux-policy-3.6.32-80.fc12

*** Bug 561524 has been marked as a duplicate of this bug. ***

selinux-policy-3.6.32-82.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-82.fc12

selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1492

selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.

I am getting this report on fc14, new install. The python exec is named 'euclid' running as a CGI. The /tmp file is not one I explicitly create. Kind of a strange bug, SELinux is denying access to a file that isn't there. (And there it was, GONE!) I have enabled reporting as directed in comment 5. Cheers!

$ uname -a
Linux euclid 2.6.35.14-95.fc14.x86_64 #1 SMP Tue Aug 16 21:01:58 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

*********** SETroubleshoot Details Window *****************

SELinux is preventing /usr/bin/python from execute access on the file /tmp/ffiXJig7F (deleted).

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that python should be allowed execute access on the ffiXJig7F (deleted) file by default, then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep euclid /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context       unconfined_u:system_r:httpd_sys_script_t:s0
Target Context       unconfined_u:object_r:httpd_sys_rw_content_t:s0
Target Objects       /tmp/ffiXJig7F (deleted) [ file ]
Source               euclid
Source Path          /usr/bin/python
Port                 <Unknown>
Host                 euclid
Source RPM Packages  python-2.7-8.fc14.1
Target RPM Packages
Policy RPM           selinux-policy-3.9.7-44.fc14
Selinux Enabled      True
Policy Type          targeted
Enforcing Mode       Permissive
Host Name            euclid
Platform             Linux euclid 2.6.35.14-95.fc14.x86_64 #1 SMP Tue Aug 16 21:01:58 UTC 2011 x86_64 x86_64
Alert Count          3
First Seen           Wed 31 Aug 2011 09:56:57 AM EDT
Last Seen            Wed 31 Aug 2011 10:06:42 AM EDT
Local ID             9ff30ed4-5c6d-409f-819e-1e202cb53eac

Raw Audit Messages
type=AVC msg=audit(1314799602.254:550): avc: denied { execute } for pid=8796 comm="euclid" path=2F746D702F666669584A69673746202864656C6574656429 dev=sda3 ino=5488706 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=SYSCALL msg=audit(1314799602.254:550): arch=x86_64 syscall=mmap success=yes exit=140199883816960 a0=0 a1=1000 a2=5 a3=1 items=0 ppid=8769 pid=8796 auid=1000 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=29 comm=euclid exe=/usr/bin/python subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)

Hash: euclid,httpd_sys_script_t,httpd_sys_rw_content_t,file,execute

audit2allow
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_rw_content_t:file execute;

audit2allow -R
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_rw_content_t:file execute;

This bug has nothing to do with the bug you attached it to.

Except for the actual name of the tmp file, which looks random, the error message is identical. It looks the same to me; your comment would be helpful if you elaborated, or stated why it's not the same bug. SELinux is running in permissive mode; this is not causing me grief. I am posting the bug as requested by the report tool.

The original bug is related to NetworkManager; the new bug is related to httpd. I have no idea how you got a /tmp file to be labeled httpd_sys_rw_content_t. Did you do some relabeling of /tmp?
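A worked reading of the raw audit records quoted in the fc14 report above, as an added example that is not part of the bug report, of setroubleshoot or of audit2allow. It joins the AVC and SYSCALL records by their audit serial, decodes the hex-encoded path (audit hex-encodes any path containing a space, which the " (deleted)" suffix of an unlinked file guarantees), decodes the mmap prot and flags arguments, rebuilds the allow rule that audit2allow printed, and flags the /tmp/ffiXXXXXX (deleted) name. The libffi interpretation of that name (libffi creates closure trampolines by mkstemp'ing /tmp/ffiXXXXXX, mapping it writable and executable and unlinking it) is my reading of the file name, not something the thread states; all function and field names are mine, and the sample input is the two records copied from the report.

```python
import re

# Constructed sample input: the two raw audit records quoted in the report
# above, one record per line, copied as they appear there.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1314799602.254:550): avc: denied { execute } for pid=8796 comm="euclid" path=2F746D702F666669584A69673746202864656C6574656429 dev=sda3 ino=5488706 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=SYSCALL msg=audit(1314799602.254:550): arch=x86_64 syscall=mmap success=yes exit=140199883816960 a0=0 a1=1000 a2=5 a3=1 items=0 ppid=8769 pid=8796 auid=1000 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=29 comm=euclid exe=/usr/bin/python subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}')

# mmap(2) bits for the prot (a2) and flags (a3) arguments; audit prints them in hex.
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_TYPES = {0x1: "MAP_SHARED", 0x2: "MAP_PRIVATE"}

def decode_path(raw):
    """audit quotes a plain path but hex-encodes one containing spaces or
    quotes, which the ' (deleted)' suffix of an unlinked file forces."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw

def parse_record(line):
    """Split one audit record into key=value fields plus the AVC verdict."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if m:
        rec["_time"], rec["_serial"] = m.group(1), m.group(2)
    a = AVC_RE.search(line)
    if a:
        rec["_verdict"], rec["_perms"] = a.group(1), a.group(2).split()
    return rec

def parse_events(text):
    """Group records by audit serial: {serial: {record type: [records]}}."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            by_type = events.setdefault(rec.get("_serial"), {})
            by_type.setdefault(rec.get("type", "?"), []).append(rec)
    return events

def decode_mmap(syscall_rec):
    """For syscall=mmap: a1 is the length, a2 the prot bits, a3 the flags."""
    prot = int(syscall_rec["a2"], 16)
    flags = int(syscall_rec["a3"], 16)
    return {
        "length": int(syscall_rec["a1"], 16),
        "prot": [name for bit, name in PROT_BITS.items() if prot & bit] or ["PROT_NONE"],
        "map": MAP_TYPES.get(flags & 0xF, "MAP_?"),
    }

def looks_like_libffi_tmpfile(path):
    """Heuristic (my assumption, not stated in the bug): libffi builds closure
    trampolines by mkstemp'ing /tmp/ffiXXXXXX, mapping it writable and
    executable, then unlinking it, so the kernel reports it as '(deleted)'."""
    name = path[: -len(" (deleted)")] if path.endswith(" (deleted)") else path
    return re.fullmatch(r"/tmp/ffi[A-Za-z0-9]{6}", name) is not None

def allow_rule(avc):
    """The rule audit2allow emits for a single AVC (no interface matching)."""
    src = avc["scontext"].split(":")[2]
    tgt = avc["tcontext"].split(":")[2]
    perms = avc["_perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (src, tgt, avc["tclass"], perm_str)

def summarize(event):
    """Turn one AVC/SYSCALL pair into the facts an analyst wants first."""
    avc = event["AVC"][0]
    sc = event.get("SYSCALL", [{}])[0]
    path = decode_path(avc.get("path", ""))
    out = {
        "comm": avc.get("comm"),
        "exe": sc.get("exe"),
        "source_type": avc["scontext"].split(":")[2],
        "target_type": avc["tcontext"].split(":")[2],
        "tclass": avc["tclass"],
        "perms": avc["_perms"],
        "path": path,
        "unlinked": path.endswith(" (deleted)"),
        "libffi_closure_tmpfile": looks_like_libffi_tmpfile(path),
        "syscall": sc.get("syscall"),
        # A denied AVC whose syscall still reports success=yes means the domain
        # was not enforced (permissive mode): the denial is logged and the
        # process carries on, which is what this report shows.
        "syscall_succeeded": sc.get("success") == "yes",
        "allow_rule": allow_rule(avc),
    }
    if sc.get("syscall") == "mmap":
        out["mmap"] = decode_mmap(sc)
    return out

if __name__ == "__main__":
    for serial, event in parse_events(SAMPLE_AUDIT_LOG).items():
        for key, value in summarize(event).items():
            print("%-24s %s" % (key, value))
```

Two things the parse makes explicit that the setroubleshoot summary does not. First, a2=5 and a3=1 mean the CGI mapped a 4096-byte unlinked file PROT_READ|PROT_EXEC, MAP_SHARED, and success=yes confirms the mapping went through because the domain was permissive. Second, the rule audit2allow generated grants httpd_sys_script_t execute on every httpd_sys_rw_content_t file, and that type is by definition content the script may write; installing the suggested mypol module would let a CGI write code and then map it executable. That is why the question of how a file under /tmp came to carry that label is the one to answer before adding any policy.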