Bug 814388

Summary: SELinux is preventing /usr/bin/python2.7 from using the 'dac_override' capabilities.
Product: Fedora
Reporter: cblaauw <carstenblaauw>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 17
CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:9150409d2bed387e6de07c695bc8a6dc427945f47fb3e736a92ef971eff35824
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-04-20 13:56:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description cblaauw 2012-04-19 18:33:32 UTC
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.3.2-1.fc17.x86_64
time:           Do 19 Apr 2012 20:33:10 CEST

description:
SELinux is preventing /usr/bin/python2.7 from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests  ***********************

If you want to check whether the domain needs this access, or whether you have a file with the wrong permissions on your system
Then enable full auditing to get the path information of the offending file. Then reproduce the error again.
Do

Enable full auditing
# auditctl -w /etc/shadow -p w
Try to reproduce the AVC. Then run the following
# ausearch -m avc -ts recent
If a PATH record is shown, check the owner/permissions of the file and correct them;
otherwise report this to Bugzilla.

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you think that python2.7 should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing the following commands:
# grep firewalld /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:firewalld_t:s0
Target Context                system_u:system_r:firewalld_t:s0
Target Objects                 [ capability ]
Source                        firewalld
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.7.3-1.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-116.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.3.2-1.fc17.x86_64 #1 SMP Fri Apr 13
                              20:23:49 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Do 19 Apr 2012 20:32:18 CEST
Last Seen                     Do 19 Apr 2012 20:32:18 CEST
Local ID                      2b7e74e0-04d1-4d5c-86b6-d2946e298b55

Raw Audit Messages
type=AVC msg=audit(1334860338.796:159): avc:  denied  { dac_override } for  pid=6555 comm="firewalld" capability=1  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability

type=SYSCALL msg=audit(1334860338.796:159): arch=x86_64 syscall=stat success=no exit=ENOENT a0=b18ae0 a1=7ffff70c9e60 a2=7ffff70c9e60 a3=326e6f687479702f items=0 ppid=1 pid=6555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=firewalld exe=/usr/bin/python2.7 subj=system_u:system_r:firewalld_t:s0 key=(null)

Hash: firewalld,firewalld_t,firewalld_t,capability,dac_override

audit2allow
unable to open /sys/fs/selinux/policy:  Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy:  Permission denied


Comment 1 Daniel Walsh 2012-04-19 19:10:44 UTC
dac_override means you have a file that is not able to be used by the root user based on DAC controls.

In order to find the path that firewalld is not able to access we need to turn on full auditing

# auditctl -w /etc/shadow

Should turn it on.

Now can you get the error to happen again and run

ausearch -m avc -ts recent

Comment 2 cblaauw 2012-04-19 20:34:21 UTC
[root@m7 ~]# auditctl -w /etc/shadow
[root@m7 ~]# systemctl restart firewalld.service
[root@m7 ~]# ausearch -m avc -ts recent
----
time->Thu Apr 19 22:32:58 2012
type=PATH msg=audit(1334867578.074:712): item=0 name="/root/.local/lib/python2.7/site-packages"
type=CWD msg=audit(1334867578.074:712):  cwd="/"
type=SYSCALL msg=audit(1334867578.074:712): arch=c000003e syscall=4 success=no exit=-13 a0=1811ae0 a1=7fff8b0e6ad0 a2=7fff8b0e6ad0 a3=326e6f687479702f items=1 ppid=1 pid=6907 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="firewalld" exe="/usr/bin/python2.7" subj=system_u:system_r:firewalld_t:s0 key=(null)
type=AVC msg=audit(1334867578.074:712): avc:  denied  { dac_read_search } for  pid=6907 comm="firewalld" capability=2  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability
type=AVC msg=audit(1334867578.074:712): avc:  denied  { dac_override } for  pid=6907 comm="firewalld" capability=1  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability

Comment 3 Daniel Walsh 2012-04-20 13:56:05 UTC
cblaauw 

This indicates you have a directory in /root that python commands are trying to use that is not owned by root.  Most likely you want to remove this directory:

rm -rf /root/.local/lib/python2.7

Or, if there is actually something you want to keep in there:

chown -R root:root /root/.local
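The triage rule that runs through this report (enable full auditing, reproduce, look for a PATH record on the denied event, then either fix the file's ownership or report a policy bug) can be applied mechanically to ausearch output. The script below is an added example, not code from this bug report or from setroubleshoot; the two sample inputs are copied from the audit records posted in the report, the `owner_uid` parameter is a hypothetical offline switch that stands in for `os.stat()` so the logic can be exercised without the file existing, and the suggested `chown` line is derived from the uid/gid in the SYSCALL record.

```python
"""Triage SELinux dac_override / dac_read_search denials from ausearch output.

Added example, not code from the bug report or from setroubleshoot. Records of
one audit event share an audit(ts:serial) id; the AVC records say which DAC
capability was denied, the SYSCALL record says who asked, and the PATH record
(present only with full auditing) says which file triggered it.
"""
import os
import re
from collections import defaultdict

# Sample input copied from comment 2 of the report (one event, with PATH).
SAMPLE_AUSEARCH = """\
----
time->Thu Apr 19 22:32:58 2012
type=PATH msg=audit(1334867578.074:712): item=0 name="/root/.local/lib/python2.7/site-packages"
type=CWD msg=audit(1334867578.074:712):  cwd="/"
type=SYSCALL msg=audit(1334867578.074:712): arch=c000003e syscall=4 success=no exit=-13 a0=1811ae0 a1=7fff8b0e6ad0 a2=7fff8b0e6ad0 a3=326e6f687479702f items=1 ppid=1 pid=6907 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="firewalld" exe="/usr/bin/python2.7" subj=system_u:system_r:firewalld_t:s0 key=(null)
type=AVC msg=audit(1334867578.074:712): avc:  denied  { dac_read_search } for  pid=6907 comm="firewalld" capability=2  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability
type=AVC msg=audit(1334867578.074:712): avc:  denied  { dac_override } for  pid=6907 comm="firewalld" capability=1  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability
"""

# Sample input copied from the initial report: full auditing was off, so no PATH record.
SAMPLE_NO_PATH = """\
type=AVC msg=audit(1334860338.796:159): avc:  denied  { dac_override } for  pid=6555 comm="firewalld" capability=1  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability
type=SYSCALL msg=audit(1334860338.796:159): arch=x86_64 syscall=stat success=no exit=ENOENT a0=b18ae0 a1=7ffff70c9e60 a2=7ffff70c9e60 a3=326e6f687479702f items=0 ppid=1 pid=6555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=firewalld exe=/usr/bin/python2.7 subj=system_u:system_r:firewalld_t:s0 key=(null)
"""

DAC_CAPS = {"dac_override", "dac_read_search"}
EVENT_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"
PERM_RE = re.compile(r"\{ ([^}]*) \}")                    # the { perm ... } set in an AVC


def parse_events(text):
    """Group audit records by event id: {event_id: {record_type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:               # separator / time-> lines from ausearch
            continue
        rtype, event_id, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        if rtype == "AVC":
            pm = PERM_RE.search(rest)
            fields["perms"] = set(pm.group(1).split()) if pm else set()
        events[event_id][rtype].append(fields)
    return events


def dac_denials(events):
    """Yield (event_id, denied DAC perms, records) for capability-class denials."""
    for event_id, recs in events.items():
        perms = set()
        for avc in recs.get("AVC", []):
            if avc.get("tclass") == "capability":
                perms |= avc["perms"] & DAC_CAPS
        if perms:
            yield event_id, perms, recs


def triage(event_id, perms, recs, owner_uid=None):
    """Classify one denial. owner_uid is a hypothetical offline override for os.stat()."""
    syscall = recs.get("SYSCALL", [{}])[0]
    proc_uid = int(syscall.get("uid", -1))
    paths = [p["name"] for p in recs.get("PATH", []) if "name" in p]
    result = {"event": event_id, "perms": sorted(perms), "exe": syscall.get("exe"),
              "uid": proc_uid, "path": paths[0] if paths else None}
    if not paths:
        # Without a PATH record there is nothing to check; the report's own advice applies.
        result["verdict"] = "report_policy_bug"
        result["reason"] = "no PATH record: enable full auditing (auditctl -w /etc/shadow) and reproduce"
        return result
    if owner_uid is None:
        try:
            owner_uid = os.stat(result["path"]).st_uid
        except OSError:
            result["verdict"] = "path_missing"
            result["reason"] = "path no longer exists; ownership cannot be checked"
            return result
    result["owner_uid"] = owner_uid
    if owner_uid != proc_uid:
        # The DAC check fails for a root process only because the file is not root's.
        result["verdict"] = "fix_ownership"
        result["reason"] = "owned by uid %d, accessed by uid %d" % (owner_uid, proc_uid)
        result["fix"] = "chown -R %s:%s %s" % (proc_uid, syscall.get("gid", proc_uid), result["path"])
    else:
        result["verdict"] = "investigate"
        result["reason"] = "owner matches process uid; check mode bits and parent directories"
    return result


def triage_text(text, owner_uid=None):
    """Run the whole pipeline over raw ausearch output."""
    return [triage(e, p, r, owner_uid) for e, p, r in dac_denials(parse_events(text))]


if __name__ == "__main__":
    for verdict in triage_text(SAMPLE_AUSEARCH):
        print(verdict)
```

On a live system, pipe `ausearch -m avc -ts recent` into `triage_text()` with `owner_uid=None` so the real owner is read with `os.stat()`; the offline override exists only so the decision logic can be checked against the records from this report.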