Bug 666179

Summary: sealert suggests a command that fails
Product: [Fedora] Fedora Reporter: Michael Schwendt <bugs.michael>
Component: setroubleshootAssignee: Daniel Walsh <dwalsh>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 14CC: dgates, dwalsh, gavinflower, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-01-03 11:34:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michael Schwendt 2010-12-29 11:54:28 UTC 
Description of problem:
SELinux Alert Browser here complains about "execstack" access problems with various applications. For each of the alerts it says (here for "totem"):

 | SELinux is preventing /usr/bin/totem-video-thumbnailer from
 | using the execstack access on a process.
 |
 | Plugin: catchall 
 | you want to allow totem-video-thumbnailer to have execstack access
 | on the Unknown processIf you believe that totem-video-thumbnailer
 | should be allowed execstack access on processes labeled unconfined_t
 | by default.
 | You should report this as a bug.
 | You can generate a local policy module to allow this access.
 | Allow this access for now by executing:
 | # grep /usr/bin/totem-video-thumbnailer /var/log/audit/audit.log | audit2allow -M mypol
 | # semodule -i mypol.pp

The command at the bottom gives:

# grep /usr/bin/totem-video-thumbnailer /var/log/audit/audit.log | audit2allow -M mypol
compilation failed:
mypol.te:6:ERROR 'syntax error' at token '' on line 6:


/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from mypol.te
# cat mypol.te 

module mypol 1.0;



# grep /usr/bin/totem-video-thumbnailer /var/log/audit/audit.log
type=SYSCALL msg=audit(1293622859.590:33915): arch=40000003 syscall=125 success=no exit=-13 a0=bfb9b000 a1=1000 a2=1000007 a3=b64fcf1c items=0 ppid=2280 pid=4759 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="flvdemux0:sink" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1293623043.703:33916): arch=40000003 syscall=125 success=no exit=-13 a0=bfeda000 a1=1000 a2=1000007 a3=b63fcc1c items=0 ppid=2280 pid=4950 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="qtdemux0:sink" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1293623073.680:33917): arch=40000003 syscall=125 success=no exit=-13 a0=bf8ba000 a1=1000 a2=1000007 a3=b64fcc1c items=0 ppid=2280 pid=4978 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="qtdemux0:sink" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1293623103.728:33918): arch=40000003 syscall=125 success=no exit=-13 a0=bf826000 a1=1000 a2=1000007 a3=b64fcc1c items=0 ppid=2280 pid=4992 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="qtdemux0:sink" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

---------------------------

Version-Release number of selected component (if applicable):
$ rpm -qf $(which sealert)
setroubleshoot-server-3.0.15-1.fc14.i686


How reproducible:
Always
Comment 1 Nivag 2010-12-30 22:05:42 UTC 
Every suggestion from 'sealert' that I have attempted has failed, for example (note that the underlying problem with 'cachemgr.cgi' has been raised as a separate bug report):


# sealert -l 3c1a7e4a-f196-40da-9cf0-7a57f541f5da
SELinux is preventing /var/www/cgi-bin/cachemgr.cgi from search access on the directory /etc/squid.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that cachemgr.cgi should be allowed search access on the squid directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /var/www/cgi-bin/cachemgr.cgi /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


# grep /var/www/cgi-bin/cachemgr.cgi /var/log/audit/audit.log | audit2allow -M mypol
compilation failed:
mypol.te:6:ERROR 'syntax error' at token '' on line 6:


/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from mypol.te
#
Comment 2 david 2011-01-02 12:49:16 UTC 
I have just had the same problem. 
I tried to make a security policy to allow sendmail on port 26 in the past, but it has not worked. Today there was an update of many files by yum, and then I found the similar suggestion. 

You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep /usr/sbin/sendmail.sendmail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


But following the command failed
[root@PC146 ~]# grep /usr/sbin/sendmail.sendmail /var/log/audit/audit.log | audit2allow -M mypol
compilation failed:
mypol.te:6:ERROR 'syntax error' at token '' on line 6:


/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from mypol.te
Comment 3 Michael Schwendt 2011-01-02 13:31:55 UTC 
[clearing NEEDINFO state set by mistake]
Comment 4 Miroslav Grepl 2011-01-03 11:34:54 UTC 

*** This bug has been marked as a duplicate of bug 665505 ***