| Summary: | SELinux is preventing /usr/bin/python from 'setattr' accesses on the directory /proc. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 15 | CC: | dwalsh, ffesti, james.antill, maxamillion, mgrepl, pmatilai, tla |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:60acc86575974572f3c2f7a2f1fbf4a387013f702de61d955a11c094768f766f | ||
| Fixed In Version: | selinux-policy-3.9.16-5.fc15 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-03-19 05:54:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
I'm running mock, and hit this among several other alerts:

python read compiz-0.9.4-1.fc16.src.rpm
python read compiz

Just using mock shouldn't (and didn't used to) cause a bunch of sealert spam.

Added dontaudit for this. Not sure why yum would be doing this, but I would figure it will not cause it to fail.

Fixed in selinux-policy-3.9.16-4.fc15

Indeed, the alerts don't cause the mock transaction to fail, they're just 'noise'. Will check the fix, thanks.

selinux-policy-3.9.16-5.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-5.fc15

Well, this seems to solve the particular alert I listed here, but I'm still hitting some others:
-------------------------
SELinux is preventing /usr/bin/python from read access on the file /home/adamw/build/compiz/compiz-0.9.4-1.fc16.src.rpm.
***** Plugin catchall_boolean (89.3 confidence) suggests *******************
If you want to allow mock to read files in home directories.
Then you must tell SELinux about this by enabling the 'mock_enable_homedirs' boolean.
Do
setsebool -P mock_enable_homedirs 1
***** Plugin catchall (11.6 confidence) suggests ***************************
If you believe that python should be allowed read access on the compiz-0.9.4-1.fc16.src.rpm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mock /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context unconfined_u:unconfined_r:mock_t:s0
Target Context unconfined_u:object_r:user_home_t:s0
Target Objects /home/adamw/build/compiz/compiz-0.9.4-1.fc16.src.rpm [ file ]
Source mock
Source Path /usr/bin/python
Port <Unknown>
Host adam
Source RPM Packages python-2.7.1-6.fc15
Target RPM Packages
Policy RPM selinux-policy-3.9.16-5.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name adam
Platform Linux adam 2.6.38-1.fc15.x86_64 #1 SMP Tue Mar 15 05:29:00 UTC 2011 x86_64 x86_64
Alert Count 11
First Seen Mon 14 Mar 2011 05:21:18 PM PDT
Last Seen Thu 17 Mar 2011 12:54:28 PM PDT
Local ID 133763ac-c4c8-44b6-9725-acc5151df089
Raw Audit Messages
type=AVC msg=audit(1300391668.780:312): avc: denied { read } for pid=28209 comm="mock" name="compiz-0.9.4-1.fc16.src.rpm" dev=dm-1 ino=918424 scontext=unconfined_u:unconfined_r:mock_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300391668.780:312): avc: denied { open } for pid=28209 comm="mock" name="compiz-0.9.4-1.fc16.src.rpm" dev=dm-1 ino=918424 scontext=unconfined_u:unconfined_r:mock_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1300391668.780:312): arch=x86_64 syscall=open success=yes exit=EIO a0=15e1850 a1=0 a2=1b6 a3=302d7a69706d6f63 items=0 ppid=28208 pid=28209 auid=501 uid=501 gid=486 euid=501 suid=0 fsuid=501 egid=486 sgid=486 fsgid=486 tty=pts0 ses=1 comm=mock exe=/usr/bin/python subj=unconfined_u:unconfined_r:mock_t:s0 key=(null)
Hash: mock,mock_t,user_home_t,file,read
audit2allow
#============= mock_t ==============
#!!!! This avc can be allowed using the boolean 'mock_enable_homedirs'
allow mock_t user_home_t:file { read open };
audit2allow -R
#============= mock_t ==============
#!!!! This avc can be allowed using the boolean 'mock_enable_homedirs'
allow mock_t user_home_t:file { read open };
------------------------------
SELinux is preventing /usr/bin/python from read access on the directory /home/adamw/build/compiz.
***** Plugin catchall_boolean (89.3 confidence) suggests *******************
If you want to allow mock to read files in home directories.
Then you must tell SELinux about this by enabling the 'mock_enable_homedirs' boolean.
Do
setsebool -P mock_enable_homedirs 1
***** Plugin catchall (11.6 confidence) suggests ***************************
If you believe that python should be allowed read access on the compiz directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep yum /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context unconfined_u:system_r:mock_t:s0
Target Context unconfined_u:object_r:user_home_t:s0
Target Objects /home/adamw/build/compiz [ dir ]
Source yum
Source Path /usr/bin/python
Port <Unknown>
Host adam
Source RPM Packages python-2.7.1-6.fc15
Target RPM Packages
Policy RPM selinux-policy-3.9.16-5.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name adam
Platform Linux adam 2.6.38-1.fc15.x86_64 #1 SMP Tue Mar 15 05:29:00 UTC 2011 x86_64 x86_64
Alert Count 8
First Seen Mon 14 Mar 2011 05:22:49 PM PDT
Last Seen Thu 17 Mar 2011 12:54:30 PM PDT
Local ID 144f748b-0187-4e13-aa4a-77db307d3188
Raw Audit Messages
type=AVC msg=audit(1300391670.565:313): avc: denied { read } for pid=28313 comm="yum" name="compiz" dev=dm-1 ino=918053 scontext=unconfined_u:system_r:mock_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1300391670.565:313): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=3abd4509a7 a1=0 a2=2f746f a3=fffffffffffffff0 items=0 ppid=28209 pid=28313 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=yum exe=/usr/bin/python subj=unconfined_u:system_r:mock_t:s0 key=(null)
Hash: yum,mock_t,user_home_t,dir,read
audit2allow
#============= mock_t ==============
#!!!! This avc can be allowed using the boolean 'mock_enable_homedirs'
allow mock_t user_home_t:dir read;
audit2allow -R
#============= mock_t ==============
#!!!! This avc can be allowed using the boolean 'mock_enable_homedirs'
allow mock_t user_home_t:dir read;
-----------------------------
SELinux is preventing /usr/bin/python from read access on the directory /home/adamw/build/compiz.
***** Plugin catchall_boolean (89.3 confidence) suggests *******************
If you want to allow mock to read files in home directories.
Then you must tell SELinux about this by enabling the 'mock_enable_homedirs' boolean.
Do
setsebool -P mock_enable_homedirs 1
***** Plugin catchall (11.6 confidence) suggests ***************************
If you believe that python should be allowed read access on the compiz directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep yum-builddep /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context unconfined_u:unconfined_r:mock_t:s0
Target Context unconfined_u:object_r:user_home_t:s0
Target Objects /home/adamw/build/compiz [ dir ]
Source yum-builddep
Source Path /usr/bin/python
Port <Unknown>
Host adam
Source RPM Packages python-2.7.1-6.fc15
Target RPM Packages
Policy RPM selinux-policy-3.9.16-5.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name adam
Platform Linux adam 2.6.38-1.fc15.x86_64 #1 SMP Tue Mar 15 05:29:00 UTC 2011 x86_64 x86_64
Alert Count 4
First Seen Mon 14 Mar 2011 05:23:19 PM PDT
Last Seen Thu 17 Mar 2011 12:54:53 PM PDT
Local ID 63fbeec8-8cd7-42e9-a861-ed701778b8e4
Raw Audit Messages
type=AVC msg=audit(1300391693.372:317): avc: denied { read } for pid=28332 comm="yum-builddep" name="compiz" dev=dm-1 ino=918053 scontext=unconfined_u:unconfined_r:mock_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1300391693.372:317): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=3abd4509a7 a1=0 a2=2f746f a3=fffffffffffffff0 items=0 ppid=28209 pid=28332 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=yum-builddep exe=/usr/bin/python subj=unconfined_u:unconfined_r:mock_t:s0 key=(null)
Hash: yum-builddep,mock_t,user_home_t,dir,read
audit2allow
#============= mock_t ==============
#!!!! This avc can be allowed using the boolean 'mock_enable_homedirs'
allow mock_t user_home_t:dir read;
audit2allow -R
#============= mock_t ==============
#!!!! This avc can be allowed using the boolean 'mock_enable_homedirs'
allow mock_t user_home_t:dir read;
Did you by any chance read the alert before reporting it?

Oh, I missed that, SELinux reports tend to make my eyes glaze over for whatever reason. Is this a change, though? It never used to happen. It still doesn't seem right that perfectly normal use of mock - check out a Fedora package, do 'fedpkg srpm', run mock on the srpm - should throw an SELinux alert. Or rather, three. That doesn't feel right to me.

I think the goal of the mock policy is more to protect the mock servers where jobs are being submitted than the user just running mock. We have just added mock policy in F14 I believe. Miroslav, let's default the boolean to on, and advise admins to turn this off on servers.

mock_enable_homedirs

selinux-policy-3.9.16-5.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
SELinux is preventing /usr/bin/python from 'setattr' accesses on the directory /proc.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that python should be allowed setattr access on the proc directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep yum /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context unconfined_u:system_r:mock_t:s0
Target Context system_u:object_r:proc_t:s0
Target Objects /proc [ dir ]
Source yum
Source Path /usr/bin/python
Port <Unknown>
Host (removed)
Source RPM Packages python-2.7.1-6.fc15
Target RPM Packages filesystem-2.4.37-1.fc15
Policy RPM selinux-policy-3.9.16-1.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux (removed) 2.6.38-0.rc8.git0.1.fc15.x86_64 #1 SMP Tue Mar 8 08:22:15 UTC 2011 x86_64 x86_64
Alert Count 1
First Seen Mon 14 Mar 2011 11:27:43 AM PDT
Last Seen Mon 14 Mar 2011 11:27:43 AM PDT
Local ID 223ecb9d-b184-499c-94a6-d0dd60a8d0f5
Raw Audit Messages
type=AVC msg=audit(1300127263.205:92): avc: denied { setattr } for pid=2781 comm="yum" name="/" dev=proc ino=1 scontext=unconfined_u:system_r:mock_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir
type=SYSCALL msg=audit(1300127263.205:92): arch=x86_64 syscall=chown success=yes exit=0 a0=582e240 a1=0 a2=0 a3=2 items=0 ppid=2755 pid=2781 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=yum exe=/usr/bin/python subj=unconfined_u:system_r:mock_t:s0 key=(null)
Hash: yum,mock_t,proc_t,dir,setattr
audit2allow
#============= mock_t ==============
allow mock_t proc_t:dir setattr;
audit2allow -R
#============= mock_t ==============
allow mock_t proc_t:dir setattr;
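The raw audit records quoted in this report and in the follow-up comments are the input that setroubleshoot's `audit2allow` sections are derived from. The script below is an added example, not code from the bug report, from setroubleshoot or from selinux-policy: it parses AVC records with its own regular expressions, groups the denied permissions by source type, target type and object class, and prints the same `allow` rules the alerts show, including the `mock_enable_homedirs` hint. It also pairs each AVC with its SYSCALL record by audit serial and reports which denied accesses nonetheless completed with `success=yes`; that is why, as the thread says, the alerts were only noise on this Permissive host, and it is exactly the set of operations that would start failing under Enforcing. The sample log text is copied from the alerts on this page, and `BOOLEAN_HINTS` is a constructed one-entry stand-in for the policy knowledge the real catchall_boolean plugin consults.

```python
import re

# Sample input, copied from the raw audit messages quoted in this bug:
# the read/open denial on the .src.rpm, yum's read on the build dir,
# and the setattr on /proc from the original report, each with its
# SYSCALL record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1300391668.780:312): avc: denied { read } for pid=28209 comm="mock" name="compiz-0.9.4-1.fc16.src.rpm" dev=dm-1 ino=918424 scontext=unconfined_u:unconfined_r:mock_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300391668.780:312): avc: denied { open } for pid=28209 comm="mock" name="compiz-0.9.4-1.fc16.src.rpm" dev=dm-1 ino=918424 scontext=unconfined_u:unconfined_r:mock_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1300391668.780:312): arch=x86_64 syscall=open success=yes exit=EIO a0=15e1850 a1=0 a2=1b6 a3=302d7a69706d6f63 items=0 ppid=28208 pid=28209 auid=501 uid=501 gid=486 euid=501 suid=0 fsuid=501 egid=486 sgid=486 fsgid=486 tty=pts0 ses=1 comm=mock exe=/usr/bin/python subj=unconfined_u:unconfined_r:mock_t:s0 key=(null)
type=AVC msg=audit(1300391670.565:313): avc: denied { read } for pid=28313 comm="yum" name="compiz" dev=dm-1 ino=918053 scontext=unconfined_u:system_r:mock_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1300391670.565:313): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=3abd4509a7 a1=0 a2=2f746f a3=fffffffffffffff0 items=0 ppid=28209 pid=28313 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=yum exe=/usr/bin/python subj=unconfined_u:system_r:mock_t:s0 key=(null)
type=AVC msg=audit(1300127263.205:92): avc: denied { setattr } for pid=2781 comm="yum" name="/" dev=proc ino=1 scontext=unconfined_u:system_r:mock_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir
type=SYSCALL msg=audit(1300127263.205:92): arch=x86_64 syscall=chown success=yes exit=0 a0=582e240 a1=0 a2=0 a3=2 items=0 ppid=2755 pid=2781 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=yum exe=/usr/bin/python subj=unconfined_u:system_r:mock_t:s0 key=(null)
"""

# Own regexes for this example (not audit2allow's parser).
SERIAL_RE = re.compile(r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)')
AVC_RE = re.compile(
    r'^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(r'^type=SYSCALL\b.*?\bsyscall=(?P<syscall>\S+)\s+success=(?P<success>yes|no)')

# Constructed stand-in for the boolean knowledge setroubleshoot's
# catchall_boolean plugin has: only the pair this bug is about.
BOOLEAN_HINTS = {("mock_t", "user_home_t"): "mock_enable_homedirs"}


def context_type(ctx):
    """user:role:type:level -> type, e.g. unconfined_u:unconfined_r:mock_t:s0 -> mock_t."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return the fields of an AVC denial record, or None for any other record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    return {
        "serial": int(SERIAL_RE.search(line).group("serial")),
        "comm": m.group("comm"),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "perms": m.group("perms").split(),
    }


def aggregate_denials(audit_text):
    """Group denied permissions by (stype, ttype, tclass), keeping first-seen order."""
    groups = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        perms = groups.setdefault((rec["stype"], rec["ttype"], rec["tclass"]), [])
        for p in rec["perms"]:
            if p not in perms:
                perms.append(p)
    return groups


def allow_rules(audit_text):
    """Emit audit2allow-style allow rules, preceded by a boolean hint where one applies."""
    out = []
    for (stype, ttype, tclass), perms in aggregate_denials(audit_text).items():
        boolean = BOOLEAN_HINTS.get((stype, ttype))
        if boolean:
            out.append(f"#!!!! This avc can be allowed using the boolean '{boolean}'")
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return out


def denied_but_succeeded(audit_text):
    """Serials whose AVC denial is paired with a SYSCALL record saying success=yes.

    A logged denial whose syscall still completed was not blocked: the
    domain or the whole system (Enforcing Mode Permissive in this report)
    is permissive. These are the accesses that would fail once enforcing.
    """
    denied, succeeded = set(), {}
    for line in audit_text.splitlines():
        serial = SERIAL_RE.search(line)
        if serial is None:
            continue
        serial = int(serial.group("serial"))
        if parse_avc(line):
            denied.add(serial)
        elif (sm := SYSCALL_RE.match(line)):
            succeeded[serial] = sm.group("success") == "yes"
    return sorted(s for s in denied if succeeded.get(s))


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AUDIT)))
    print("denied but completed (permissive):", denied_but_succeeded(SAMPLE_AUDIT))
```

On a real host the input would come from `grep mock /var/log/audit/audit.log` or `ausearch -m avc -c mock`, as the alerts suggest. The rules this prints are what a local module built with `audit2allow -M mypol` would contain; the thread's actual resolution is narrower and better, since `setsebool -P mock_enable_homedirs 1` toggles policy that already exists instead of adding a permanent unconditional allow, and the maintainers chose to ship that boolean on by default while advising mock server admins to turn it off.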