Bug 684901
| Summary: | SELinux is preventing /usr/bin/python from 'setattr' accesses on the directory /proc. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 15 | CC: | dwalsh, ffesti, james.antill, maxamillion, mgrepl, pmatilai, tim.lauridsen |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:60acc86575974572f3c2f7a2f1fbf4a387013f702de61d955a11c094768f766f | | |
| Fixed In Version: | selinux-policy-3.9.16-5.fc15 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-03-19 05:54:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Adam Williamson
2011-03-14 18:29:13 UTC
I'm running mock, and hit this among several other alerts:

```text
python read compiz-0.9.4-1.fc16.src.rpm
python read compiz
```

Just using mock shouldn't (and didn't used to) cause a bunch of sealert spam.

Added dontaudit for this. Not sure why yum would be doing this, but I would figure it will not cause it to fail. Fixed in selinux-policy-3.9.16-4.fc15

Indeed, the alerts don't cause the mock transaction to fail, they're just 'noise'. Will check the fix, thanks.

selinux-policy-3.9.16-5.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-5.fc15

Well, this seems to solve the particular alert I listed here, but I'm still hitting some others:

-------------------------

```text
SELinux is preventing /usr/bin/python from read access on the file /home/adamw/build/compiz/compiz-0.9.4-1.fc16.src.rpm.

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If you want to allow mock to read files in home directories.
Then you must tell SELinux about this by enabling the 'mock_enable_homedirs' boolean.
Do
setsebool -P mock_enable_homedirs 1

*****  Plugin catchall (11.6 confidence) suggests  ***************************

If you believe that python should be allowed read access on the compiz-0.9.4-1.fc16.src.rpm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mock /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mock_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/adamw/build/compiz/compiz-0.9.4-1.fc16.src.rpm [ file ]
Source                        mock
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          adam
Source RPM Packages           python-2.7.1-6.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-5.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     adam
Platform                      Linux adam 2.6.38-1.fc15.x86_64 #1 SMP Tue Mar 15 05:29:00 UTC 2011 x86_64 x86_64
Alert Count                   11
First Seen                    Mon 14 Mar 2011 05:21:18 PM PDT
Last Seen                     Thu 17 Mar 2011 12:54:28 PM PDT
Local ID                      133763ac-c4c8-44b6-9725-acc5151df089

Raw Audit Messages
type=AVC msg=audit(1300391668.780:312): avc: denied { read } for pid=28209 comm="mock" name="compiz-0.9.4-1.fc16.src.rpm" dev=dm-1 ino=918424 scontext=unconfined_u:unconfined_r:mock_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

type=AVC msg=audit(1300391668.780:312): avc: denied { open } for pid=28209 comm="mock" name="compiz-0.9.4-1.fc16.src.rpm" dev=dm-1 ino=918424 scontext=unconfined_u:unconfined_r:mock_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

type=SYSCALL msg=audit(1300391668.780:312): arch=x86_64 syscall=open success=yes exit=EIO a0=15e1850 a1=0 a2=1b6 a3=302d7a69706d6f63 items=0 ppid=28208 pid=28209 auid=501 uid=501 gid=486 euid=501 suid=0 fsuid=501 egid=486 sgid=486 fsgid=486 tty=pts0 ses=1 comm=mock exe=/usr/bin/python subj=unconfined_u:unconfined_r:mock_t:s0 key=(null)

Hash: mock,mock_t,user_home_t,file,read

audit2allow

#============= mock_t ==============
#!!!! This avc can be allowed using the boolean 'mock_enable_homedirs'
allow mock_t user_home_t:file { read open };

audit2allow -R

#============= mock_t ==============
#!!!! This avc can be allowed using the boolean 'mock_enable_homedirs'
allow mock_t user_home_t:file { read open };
```

------------------------------

```text
SELinux is preventing /usr/bin/python from read access on the directory /home/adamw/build/compiz.

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If you want to allow mock to read files in home directories.
Then you must tell SELinux about this by enabling the 'mock_enable_homedirs' boolean.
Do
setsebool -P mock_enable_homedirs 1

*****  Plugin catchall (11.6 confidence) suggests  ***************************

If you believe that python should be allowed read access on the compiz directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep yum /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:mock_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/adamw/build/compiz [ dir ]
Source                        yum
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          adam
Source RPM Packages           python-2.7.1-6.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-5.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     adam
Platform                      Linux adam 2.6.38-1.fc15.x86_64 #1 SMP Tue Mar 15 05:29:00 UTC 2011 x86_64 x86_64
Alert Count                   8
First Seen                    Mon 14 Mar 2011 05:22:49 PM PDT
Last Seen                     Thu 17 Mar 2011 12:54:30 PM PDT
Local ID                      144f748b-0187-4e13-aa4a-77db307d3188

Raw Audit Messages
type=AVC msg=audit(1300391670.565:313): avc: denied { read } for pid=28313 comm="yum" name="compiz" dev=dm-1 ino=918053 scontext=unconfined_u:system_r:mock_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir

type=SYSCALL msg=audit(1300391670.565:313): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=3abd4509a7 a1=0 a2=2f746f a3=fffffffffffffff0 items=0 ppid=28209 pid=28313 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=yum exe=/usr/bin/python subj=unconfined_u:system_r:mock_t:s0 key=(null)

Hash: yum,mock_t,user_home_t,dir,read

audit2allow

#============= mock_t ==============
#!!!! This avc can be allowed using the boolean 'mock_enable_homedirs'
allow mock_t user_home_t:dir read;

audit2allow -R

#============= mock_t ==============
#!!!! This avc can be allowed using the boolean 'mock_enable_homedirs'
allow mock_t user_home_t:dir read;
```

-----------------------------

```text
SELinux is preventing /usr/bin/python from read access on the directory /home/adamw/build/compiz.

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If you want to allow mock to read files in home directories.
Then you must tell SELinux about this by enabling the 'mock_enable_homedirs' boolean.
Do
setsebool -P mock_enable_homedirs 1

*****  Plugin catchall (11.6 confidence) suggests  ***************************

If you believe that python should be allowed read access on the compiz directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep yum-builddep /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mock_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/adamw/build/compiz [ dir ]
Source                        yum-builddep
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          adam
Source RPM Packages           python-2.7.1-6.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-5.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     adam
Platform                      Linux adam 2.6.38-1.fc15.x86_64 #1 SMP Tue Mar 15 05:29:00 UTC 2011 x86_64 x86_64
Alert Count                   4
First Seen                    Mon 14 Mar 2011 05:23:19 PM PDT
Last Seen                     Thu 17 Mar 2011 12:54:53 PM PDT
Local ID                      63fbeec8-8cd7-42e9-a861-ed701778b8e4

Raw Audit Messages
type=AVC msg=audit(1300391693.372:317): avc: denied { read } for pid=28332 comm="yum-builddep" name="compiz" dev=dm-1 ino=918053 scontext=unconfined_u:unconfined_r:mock_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir

type=SYSCALL msg=audit(1300391693.372:317): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=3abd4509a7 a1=0 a2=2f746f a3=fffffffffffffff0 items=0 ppid=28209 pid=28332 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=yum-builddep exe=/usr/bin/python subj=unconfined_u:unconfined_r:mock_t:s0 key=(null)

Hash: yum-builddep,mock_t,user_home_t,dir,read

audit2allow

#============= mock_t ==============
#!!!! This avc can be allowed using the boolean 'mock_enable_homedirs'
allow mock_t user_home_t:dir read;

audit2allow -R

#============= mock_t ==============
#!!!! This avc can be allowed using the boolean 'mock_enable_homedirs'
allow mock_t user_home_t:dir read;
```

Did you by any chance read the alert before reporting it?

Oh, I missed that; SELinux reports tend to make my eyes glaze over for whatever reason. Is this a change, though? It never used to happen.

It still doesn't seem right that perfectly normal use of mock - check out a Fedora package, do 'fedpkg srpm', run mock on the srpm - should throw an SELinux alert. Or rather, three. That doesn't feel right to me.

I think the goal of the mock policy is more to protect the mock servers where jobs are being submitted than the user just running mock. We have just added mock policy in F14 I believe. Miroslav, let's default the boolean to on, and advise admins to turn this off on servers.

mock_enable_homedirs

selinux-policy-3.9.16-5.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
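All three reports in this bug reduce to the same source type, target type and class pair (mock_t reading user_home_t), which is why setroubleshoot points every one of them at the single mock_enable_homedirs boolean. As an added example that is not part of the bug and not setroubleshoot's or audit2allow's own code, the following Python script parses AVC records like the ones quoted above (the sample lines are constructed from them and shortened to the fields the parser uses) and folds them into audit2allow-style rules for review, so that a defender can see how many distinct policy decisions a pile of alerts actually represents:

```python
import re
from collections import defaultdict

# Constructed sample: AVC records taken from this bug's sealert output, trimmed
# to the fields parsed below; the SYSCALL record is kept to show it is skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1300391668.780:312): avc: denied { read } for pid=28209 comm="mock" name="compiz-0.9.4-1.fc16.src.rpm" dev=dm-1 ino=918424 scontext=unconfined_u:unconfined_r:mock_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300391668.780:312): avc: denied { open } for pid=28209 comm="mock" name="compiz-0.9.4-1.fc16.src.rpm" dev=dm-1 ino=918424 scontext=unconfined_u:unconfined_r:mock_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1300391668.780:312): arch=x86_64 syscall=open success=yes exit=EIO comm=mock exe=/usr/bin/python subj=unconfined_u:unconfined_r:mock_t:s0 key=(null)
type=AVC msg=audit(1300391670.565:313): avc: denied { read } for pid=28313 comm="yum" name="compiz" dev=dm-1 ino=918053 scontext=unconfined_u:system_r:mock_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1300391693.372:317): avc: denied { read } for pid=28332 comm="yum-builddep" name="compiz" dev=dm-1 ino=918053 scontext=unconfined_u:unconfined_r:mock_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
"""

# One AVC denial: the permission set, the process name, and the two contexts.
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Type field of user:role:type:level, e.g. mock_t from unconfined_u:unconfined_r:mock_t:s0."""
    return context.split(":")[2]

def parse_avc_denials(text):
    """Yield one dict per AVC denial; other record types (SYSCALL, ...) are ignored."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = set(d["perms"].split())
            yield d

def summarize(text):
    """Group denials by (source type, target type, class) and merge their permissions,
    the way audit2allow folds the read+open pair above into a single allow rule."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for d in parse_avc_denials(text):
        key = (selinux_type(d["scontext"]), selinux_type(d["tcontext"]), d["tclass"])
        rules[key]["perms"] |= d["perms"]
        rules[key]["comms"].add(d["comm"])
        rules[key]["count"] += 1
    return dict(rules)

def allow_rule(key, perms):
    """Render an audit2allow-style rule; meant for human review, not blind semodule -i."""
    stype, ttype, tclass = key
    p = sorted(perms)
    body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"
```

On the sample, the two mock records merge into `allow mock_t user_home_t:file { open read };` and the yum and yum-builddep records into `allow mock_t user_home_t:dir read;`, the same tuples that appear on setroubleshoot's `Hash:` lines. Whether to cover them with the boolean (all of a user's home directory) or a narrower local module is the trade-off the thread ends on.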