| Summary: | SELinux is preventing /usr/bin/python from 'execute' accesses on the ファイル /home/xguest/orcexec.oy8Rnf (deleted). | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | bugz <bean_curd098> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 14 | CC: | dominick.grift, ds, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:c9d4fb863440b0f6ec183b62b03863ae34da3036c87f98dcad2fb0e5fbaa348d | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-06-09 18:39:11 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
I noticed that orcexec.* file as well:
avc: denied { create } for pid=12633 comm="gtk-gnash" name="orcexec.2xb3Nn" scontext=staff_u:staff_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_dir_t:s0 tclass=file
But gtk-gnash knows nothing about creating orcexec.* file on ~. So must be some lib it is calling?
I suspect that this is a bug in liborc. These files should go to /tmp instead It *might* be trying to fall back to ~, after determining that, for some reason, it was not able to use /tmp for this. Although i could not find any audit trails of SELinux blocking any access with regard to this. "orcexec.* is JIT compiled code for various GStreamer elements" Oops, the fallback list is in the wrong order. It should be $TMPDIR, /tmp, $HOME. In any case, this is only a warning, not a failure. You get evil nasty warnings and segfaults if there's a failure. OK but you are going to fix it? commit fbc554f450e37380104e2730d8685caf37abe24c
Author: David Schleef <ds>
Date: Wed Jun 8 21:38:04 2011 -0700
codemem: Fix order to check /tmp before $HOME
|
SELinux is preventing /usr/bin/python from 'execute' accesses on the ファイル /home/xguest/orcexec.oy8Rnf (deleted). ***** Plugin catchall_boolean (89.3 confidence) suggests ******************* If a がしたいllow_xguest_exec_content Then これについては、SELinux に 'allow_xguest_exec_content' boolean を有効にする設定をしなければいけません。 Do setsebool -P allow_xguest_exec_content 1 ***** Plugin catchall (11.6 confidence) suggests *************************** If python に、 orcexec.oy8Rnf (deleted) file の execute アクセスがデフォルトで許可されるべきです。 Then これをバグをして報告すべきです。 このアクセスを許可するために、ローカルポリシーモジュールを生成することができます。 Do このアクセスを一時的に許可するには、以下を実行してください。: # grep applet.py /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context xguest_u:xguest_r:xguest_t:s0 Target Context xguest_u:object_r:user_home_t:s0 Target Objects /home/xguest/orcexec.oy8Rnf (deleted) [ file ] Source applet.py Source Path /usr/bin/python Port <不明> Host (removed) Source RPM Packages nautilus-2.32.2.1-2.fc14 Target RPM Packages Policy RPM selinux-policy-3.9.7-40.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.35.13-91.fc14.i686 #1 SMP Tue May 3 13:36:36 UTC 2011 i686 i686 Alert Count 33 First Seen 2011年03月26日 12時45分51秒 Last Seen 2011年06月06日 10時13分25秒 Local ID 8fea9ef7-e200-41ed-a571-e71698a2bc58 Raw Audit Messages type=AVC msg=audit(1307322805.600:55): avc: denied { execute } for pid=1968 comm="nautilus" path=2F686F6D652F7867756573742F6F7263657865632E6F7938526E66202864656C6574656429 dev=tmpfs ino=22185 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:object_r:user_home_t:s0 tclass=file type=SYSCALL msg=audit(1307322805.600:55): arch=i386 syscall=mmap2 success=no exit=EACCES a0=0 a1=10000 a2=5 a3=1 items=0 ppid=1823 pid=1968 auid=501 uid=501 gid=502 euid=501 suid=501 fsuid=501 egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm=nautilus exe=/usr/bin/nautilus subj=xguest_u:xguest_r:xguest_t:s0 key=(null) Hash: applet.py,xguest_t,user_home_t,file,execute audit2allow #============= xguest_t ============== #!!!! This avc can be allowed using the boolean 'allow_xguest_exec_content' allow xguest_t user_home_t:file execute; audit2allow -R #============= xguest_t ============== #!!!! This avc can be allowed using the boolean 'allow_xguest_exec_content' allow xguest_t user_home_t:file execute;