Bug 750465

Summary: SELinux is preventing /usr/bin/python from create access on the lnk_file S13rpcbind.
Product: Red Hat Enterprise Linux 6
Reporter: Matěj Cepl <mcepl>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 6.2
CC: dwalsh, mmalik
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-11-01 11:21:03 UTC

Description Matěj Cepl 2011-11-01 08:55:50 UTC
There are many AVC denials dealing with sosreport run inside of abrt. This is one example. Complete /var/log/audit/audit.log is attached as well.

SELinux is preventing /usr/bin/python from create access on the lnk_file S13rpcbind.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python should be allowed create access on the S13rpcbind lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sosreport /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Kontext zdroje                system_u:system_r:sosreport_t:s0-s0:c0.c1023
Kontext cíle                  system_u:object_r:abrt_var_cache_t:s0
Objekty cíle                  S13rpcbind [ lnk_file ]
Zdroj                         sosreport
Cesta zdroje                  /usr/bin/python
Port                          <Neznámé>
Počítač                       mitmanek.ceplovi.cz
RPM balíčky zdroje            
RPM balíčky cíle              
RPM politiky                  selinux-policy-3.7.19-120.el6
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim              Enforcing
Název počítače                mitmanek.ceplovi.cz
Platforma                     Linux mitmanek.ceplovi.cz 2.6.32-214.el6.x86_64 #1
                              SMP Tue Oct 25 19:48:00 EDT 2011 x86_64 x86_64
Počet upozornění              906
Poprvé viděno                 Po 31. říjen 2011, 19:25:48 CET
Naposledy viděno              Po 31. říjen 2011, 21:02:58 CET
Místní ID                     f2200e26-ddb5-4089-9a21-8df74ca988e2

Původní zprávy auditu
type=AVC msg=audit(1320091378.624:14553): avc:  denied  { create } for  pid=14798 comm="sosreport" name="S13rpcbind" scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=lnk_file


Hash: sosreport,sosreport_t,abrt_var_cache_t,lnk_file,create

audit2allow

#============= sosreport_t ==============
allow sosreport_t abrt_var_cache_t:lnk_file create;

audit2allow -R

#============= sosreport_t ==============
allow sosreport_t abrt_var_cache_t:lnk_file create;
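
The description mentions many sosreport denials and shows one AVC record together with its Hash line. As an added example (not part of the original report and not setroubleshoot's or audit2allow's own code), this Python script groups AVC denials by the same five fields as that Hash line and lists the distinct allow rules they imply, so each rule can be reviewed individually; apart from the record quoted above, the sample log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: line 1 is the AVC record from the report; the rest are invented.
SAMPLE_LOG = '''\
type=AVC msg=audit(1320091378.624:14553): avc:  denied  { create } for  pid=14798 comm="sosreport" name="S13rpcbind" scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1320091378.624:14553): arch=c000003e syscall=88 success=no exit=-13 comm="sosreport" exe="/usr/bin/python"
type=AVC msg=audit(1320091378.700:14554): avc:  denied  { create } for  pid=14798 comm="sosreport" name="S99example" scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=lnk_file
type=AVC msg=audit(1320091379.100:14560): avc:  denied  { read write } for  pid=14798 comm="sosreport" name="example" scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=file
'''

AVC_RE = re.compile(r'^type=AVC .*?avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    try:
        # A context is user:role:type[:level]; the type is the third field.
        return {"comm": fields["comm"], "tclass": fields["tclass"],
                "stype": fields["scontext"].split(":")[2],
                "ttype": fields["tcontext"].split(":")[2], "perms": m.group(1).split()}
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def summarize(log_text):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        for perm in rec["perms"]:
            counts[(rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts

def allow_rules(counts):
    """Collapse the signatures into the distinct allow rules they imply."""
    perms = defaultdict(set)
    for (_comm, stype, ttype, tclass, perm) in counts:
        perms[(stype, ttype, tclass)].add(perm)
    rules = []
    for (stype, ttype, tclass), p in sorted(perms.items()):
        body = next(iter(p)) if len(p) == 1 else "{ " + " ".join(sorted(p)) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(summarize(SAMPLE_LOG))))
```

Joining a key of `summarize()` with commas gives the same string as the report's Hash line, so repeated alerts for one denial collapse to a single entry with a count.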

Comment 2 Milos Malik 2011-11-01 10:23:41 UTC
There is no audit.log attached.

Comment 3 Miroslav Grepl 2011-11-01 11:21:03 UTC

*** This bug has been marked as a duplicate of bug 748338 ***