Bug 863864

Summary: SELinux is preventing /usr/bin/python2.7 from using the 'sigkill' accesses on a process.
Product: [Fedora] Fedora Reporter: Adam Joseph Cook <acook>
Component: system-config-kdumpAssignee: Martin Milata <mmilata>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: dominick.grift, dwalsh, igeorgex, mgrepl, tsmetana
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:c6d2fa5305f81ee9bf66803d4491827ace764fd9d29edf0bf2a4291465dcd4f5
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-02-05 07:29:15 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Description Flags
File: type
File: hashmarkername
Output of ausearch -m avc -ts recent directly after s-c-kdump SELinux denials none

Description Adam Joseph Cook 2012-10-07 17:50:39 EDT
Description of problem:
1. Attempted to run 'system-config-kdump'.
2. SELinux raised this issue.

Additional info:
libreport version: 2.0.15
kernel:         3.6.0-3.fc18.x86_64

:SELinux is preventing /usr/bin/python2.7 from using the 'sigkill' accesses on a process.
:*****  Plugin catchall (100. confidence) suggests  ***************************
:If you believe that python2.7 should be allowed sigkill access on processes labeled kdumpgui_t by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:allow this access for now by executing:
:# grep system-config-k /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:Additional Information:
:Source Context                system_u:system_r:kdumpgui_t:s0-s0:c0.c1023
:Target Context                system_u:system_r:kdumpgui_t:s0-s0:c0.c1023
:Target Objects                 [ process ]
:Source                        system-config-k
:Source Path                   /usr/bin/python2.7
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           python-2.7.3-13.fc18.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.11.1-32.fc18.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.0-3.fc18.x86_64 #1 SMP Wed Oct
:                              3 13:29:15 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    2012-10-07 16:45:20 CDT
:Last Seen                     2012-10-07 16:45:20 CDT
:Local ID                      6450c408-6f4a-4335-87c4-bf593db9705b
:Raw Audit Messages
:type=AVC msg=audit(1349646320.710:198): avc:  denied  { sigkill } for  pid=2675 comm="system-config-k" scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tclass=process
:type=SYSCALL msg=audit(1349646320.710:198): arch=x86_64 syscall=kill success=no exit=EACCES a0=a74 a1=9 a2=1 a3=0 items=0 ppid=2674 pid=2675 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=system-config-k exe=/usr/bin/python2.7 subj=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 key=(null)
:Hash: system-config-k,kdumpgui_t,kdumpgui_t,process,sigkill
:#============= kdumpgui_t ==============
:allow kdumpgui_t self:process sigkill;
:audit2allow -R
:#============= kdumpgui_t ==============
:allow kdumpgui_t self:process sigkill;
Comment 1 Adam Joseph Cook 2012-10-07 17:50:41 EDT
Created attachment 623159 [details]
File: type
Comment 2 Adam Joseph Cook 2012-10-07 17:50:42 EDT
Created attachment 623160 [details]
File: hashmarkername
Comment 3 Miroslav Grepl 2012-10-08 04:44:55 EDT
what were you doing with s-c-kdump to get all these AVC msgs?

Bugs: 863867,863868,863869,863870,863873,863865 and 863875

#============= kdumpgui_t ==============
allow kdumpgui_t xdm_etc_t:dir getattr;

allow kdumpgui_t self:capability { dac_read_search dac_override };
allow kdumpgui_t shadow_t:file getattr;

allow kdumpgui_t urandom_device_t:chr_file read;

allow kdumpgui_t self:capability sys_nice;
allow kdumpgui_t self:process setsched;

allow kdumpgui_t mysqld_etc_t:file read;
allow kdumpgui_t sysctl_net_t:dir search;

I don't see them.
Comment 4 Miroslav Grepl 2012-10-08 04:45:09 EDT
*** Bug 863867 has been marked as a duplicate of this bug. ***
Comment 5 Miroslav Grepl 2012-10-08 04:45:14 EDT
*** Bug 863868 has been marked as a duplicate of this bug. ***
Comment 6 Miroslav Grepl 2012-10-08 04:45:21 EDT
*** Bug 863869 has been marked as a duplicate of this bug. ***
Comment 7 Miroslav Grepl 2012-10-08 04:45:34 EDT
*** Bug 863873 has been marked as a duplicate of this bug. ***
Comment 8 Miroslav Grepl 2012-10-08 04:45:40 EDT
*** Bug 863865 has been marked as a duplicate of this bug. ***
Comment 9 Miroslav Grepl 2012-10-08 04:45:45 EDT
*** Bug 863875 has been marked as a duplicate of this bug. ***
Comment 10 Adam Joseph Cook 2012-10-08 05:09:54 EDT
SELinux threw this issue every time I simply start system-config-kdump. I do not even get a chance to do anything within the GUI.
Comment 11 Miroslav Grepl 2012-10-08 05:36:01 EDT
any idea? Any chance you also get them?
Comment 12 Roman Rakus 2012-10-08 06:39:56 EDT
I wasn't able to install F18 so far, but will try it again.
Comment 13 Roman Rakus 2012-10-08 07:55:44 EDT
ok, now I have it running.
I don't have any idea why is python trying to sigkill anything. Maybe it is some consequences of other denies.
I also see the following deny:
type=AVC msg=audit(1349696729.914:181): avc:  denied  { getattr } for  pid=4053 comm="chkconfig" path="/usr/lib/systemd/systemd" dev="vda3" ino=260011 scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1349696729.914:181): arch=c000003e syscall=6 success=no exit=-13 a0=1597410 a1=7fffe239d340 a2=7fffe239d340 a3=1000 items=0 ppid=3892 pid=4053 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chkconfig" exe="/usr/sbin/chkconfig" subj=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 key=(null)

s-c-kdump is using chkconfig.
Comment 14 Roman Rakus 2012-10-08 08:09:57 EDT
The other denies (which I don't get) seems to be some kind of problem with starting python. I can see one similar:
type=AVC msg=audit(1349697557.379:185): avc:  denied  { ioctl } for  pid=4122 comm="system-config-k" path="/dev/urandom" dev="devtmpfs" ino=4507 scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1349697557.379:185): arch=c000003e syscall=16 success=no exit=-22 a0=8 a1=5401 a2=7fff891a0de0 a3=238 items=0 ppid=4121 pid=4122 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="system-config-k" exe="/usr/bin/python2.7" subj=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 key=(null)
Comment 15 Daniel Walsh 2012-10-08 08:44:11 EDT
Does kdumpgui run netstat?
Comment 16 Roman Rakus 2012-10-08 11:03:25 EDT
Comment 17 Daniel Walsh 2012-10-09 12:11:51 EDT
I know there used to be a library of mozilla? That used to exec netstat to generate randomness.
Comment 18 Roman Rakus 2012-10-10 07:35:16 EDT
But s-c-kdump has nothing to do with mozilla anyway.
When I'm trying s-c-kdump I'm not getting such deny.
Comment 19 Daniel Walsh 2012-10-10 08:39:45 EDT
I am talking about the NSS crypto libraries.
Comment 20 Adam Joseph Cook 2012-10-10 21:37:54 EDT
@Roman I suppose that it is strange that you are not getting this denial on your system. I am still getting it upon starting system-config-kdump in the terminal even after several days of updates. Is there any additional information from my system that I can provide to help.
Comment 21 Daniel Walsh 2012-10-11 22:57:02 EDT

rpm -q selinux-policy

ausearch -m avc -ts recent
Comment 22 Adam Joseph Cook 2012-10-15 23:16:19 EDT
Sorry it took so long to respond to this bug. I just tonight re-installed and updated fully Fedora 18 on the system in question. Without doing much, I installed system-config-kdump and ran it. Again, I was presented with several SELinux denials. One is on /usr/bin/python2.7, the others are on /usr/sbin/grubby. I thought perhaps some of the previous test day work was effecting this issue falsely. Apparently, this is not the case.

@Daniel Walsh, per your request above.

# rpm -q selinux-policy

# ausearch -m avc -ts recent
(Please see my new attachment to this bug report.)

Since I am rather new on the scene, I will just ask the question. Should I open new bug reports on the 'grubby' denials shown?
Comment 23 Adam Joseph Cook 2012-10-15 23:17:26 EDT
Created attachment 627924 [details]
Output of ausearch -m avc -ts recent directly after s-c-kdump SELinux denials
Comment 24 Fedora End Of Life 2013-12-21 04:03:59 EST
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 26 Fedora End Of Life 2014-02-05 07:29:18 EST
Fedora 18 changed to end-of-life (EOL) status on 2014-01-14. Fedora 18 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this

Thank you for reporting this bug and we are sorry it could not be fixed.