Bug 839175

Summary: Whenever I run it I get SELinux errors
Product: [Fedora] Fedora
Reporter: Didact <didact1969>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: unspecified
Priority: unspecified
Version: 17
CC: dwalsh, nphilipp
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-08-01 18:22:08 UTC
Type: Bug

Description Didact 2012-07-11 07:05:00 UTC
Get SE Linux errors, 3 every time I run it.  This happens before I can authenticate as root.  (I sometimes get other errors as well).  

SELinux is preventing /usr/bin/python2.7 from execute access on the file /usr/lib/systemd/systemd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python2.7 should be allowed execute access on the systemd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep system-config-s /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:sambagui_t:s0-s0:c0.c1023
Target Context                system_u:object_r:init_exec_t:s0
Target Objects                /usr/lib/systemd/systemd [ file ]
Source                        system-config-s
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          apollo
Source RPM Packages           python-2.7.3-6.fc17.x86_64
Target RPM Packages           systemd-44-17.fc17.x86_64
Policy RPM                    selinux-policy-3.10.0-134.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     apollo
Platform                      Linux apollo 3.4.4-5.fc17.x86_64 #1 SMP Thu Jul 5
                              20:20:59 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 11 Jul 2012 12:03:38 AM PDT
Last Seen                     Wed 11 Jul 2012 12:03:38 AM PDT
Local ID                      052ec02c-b32c-4ae2-91cf-71c37d4864dc

Raw Audit Messages
type=AVC msg=audit(1341990218.160:4937): avc:  denied  { execute } for  pid=7131 comm="system-config-s" name="systemd" dev="dm-1" ino=2097772 scontext=system_u:system_r:sambagui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1341990218.160:4937): arch=x86_64 syscall=access success=no exit=EACCES a0=fc69d0 a1=1 a2=3ea73b39c8 a3=20 items=0 ppid=1 pid=7131 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=system-config-s exe=/usr/bin/python2.7 subj=system_u:system_r:sambagui_t:s0-s0:c0.c1023 key=(null)

Hash: system-config-s,sambagui_t,init_exec_t,file,execute

audit2allow
unable to open /sys/fs/selinux/policy:  Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy:  Permission denied

Comment 1 Nils Philippsen 2012-07-11 10:08:55 UTC
The system-config-samba backend mechanism (/usr/share/system-config-samba/system-config-samba-mechanism.py) checks whether both /bin/systemctl and /bin/systemd are executable -- access(..., X_OK) -- to determine if it should use systemd or SysV methods to handle system services. I figure this causes the AVC denial -- it definitely doesn't execute the program. It must be allowed to check for this in order to work right, changing component accordingly.

Comment 2 Nils Philippsen 2012-07-11 10:10:36 UTC
NB: the AVC denial only happens if the mechanism is started via dbus service activation. If I start it manually as root, I don't get it.

Comment 3 Miroslav Grepl 2012-07-11 12:08:46 UTC
Yep, as you say, this is an access check

syscall=access
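
The check Comments 1 and 3 make by eye, as an added example (not part of the bug report or of any Fedora tool): pair each AVC `execute` denial with the SYSCALL record that shares its audit event id, and see whether the syscall was a permission probe such as `access` or a real `execve`. It assumes interpreted records as quoted in the description (syscall names, not numbers); the function names and the `kind` labels are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the two audit records quoted in the bug description.
SAMPLE_LOG = """\
type=AVC msg=audit(1341990218.160:4937): avc:  denied  { execute } for  pid=7131 comm="system-config-s" name="systemd" dev="dm-1" ino=2097772 scontext=system_u:system_r:sambagui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1341990218.160:4937): arch=x86_64 syscall=access success=no exit=EACCES a0=fc69d0 a1=1 a2=3ea73b39c8 a3=20 items=0 ppid=1 pid=7131 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=system-config-s exe=/usr/bin/python2.7 subj=system_u:system_r:sambagui_t:s0-s0:c0.c1023 key=(null)
"""

EVENT_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)$")
PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Syscalls that only test permissions; the target path is never run.
PROBE_SYSCALLS = {"access", "faccessat", "faccessat2"}
EXEC_SYSCALLS = {"execve", "execveat"}

def parse_events(text):
    """Group audit records by event id (timestamp:serial)."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if rtype == "AVC":
            p = PERMS_RE.search(body)
            fields["perms"] = p.group(1).split() if p else []
        events[event_id][rtype] = fields
    return events

def classify_execute_denials(text):
    """One finding per AVC 'execute' denial, labelled by the paired syscall."""
    findings = []
    for event_id, recs in parse_events(text).items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or "execute" not in avc["perms"]:
            continue
        syscall = sc.get("syscall", "unknown")
        kind = ("permission-probe" if syscall in PROBE_SYSCALLS
                else "exec-attempt" if syscall in EXEC_SYSCALLS else "other")
        findings.append({"event": event_id, "kind": kind, "syscall": syscall,
                         "a1": sc.get("a1"),  # for access(2): mode, 1 == X_OK
                         "source": avc["scontext"].split(":")[2],
                         "target": avc["tcontext"].split(":")[2]})
    return findings
```

On the records from this report it returns a single `permission-probe` finding for `sambagui_t` against `init_exec_t`, with `a1` equal to 1 (`X_OK`).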

Comment 4 Miroslav Grepl 2012-07-11 12:17:42 UTC
Fixed in selinux-policy-3.10.0-138.fc17.noarch

Comment 5 Fedora Update System 2012-07-27 15:34:51 UTC
selinux-policy-3.10.0-142.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-142.fc17

Comment 6 Fedora Update System 2012-07-28 01:24:36 UTC
Package selinux-policy-3.10.0-142.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-142.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-11215/selinux-policy-3.10.0-142.fc17
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2012-08-01 18:22:08 UTC
selinux-policy-3.10.0-142.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.