Bug 866286
| Summary: | SELinux is preventing /usr/bin/python2.7 from using the 'sys_nice' capabilities. | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Claudiomar Rodrigues <claudiomar.costa> | ||||||
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 17 | CC: | artavorel, bugzilla_rhn, devonjanitz, dominick.grift, dwalsh, e_zandanov, fedora.jrg01, gillesg06, Hans-Dieter, jan.public, jorti, jpopelka, jsimosa, lesjj10, levi.policarpio, mail, mario.kothe, metal3d, mgrepl, mishu, nicolas.gif, nonothetom, olivares14031, rich_pitts, roman, subscribed-lists, travis.mallet, twaugh, vondruch | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | abrt_hash:d31b727560eb3d44642f0b62e43312251f0f9c0eb38c461ec8141b0955d96772 | ||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2012-12-20 16:29:03 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Created attachment 627168 [details]
File: type
Created attachment 627169 [details]
File: hashmarkername
allow $1 self:capability sys_nice; allow $1 self:process setsched; It looks more and more domains want to add this access. /* Allow raising priority and setting priority on other (different UID) processes */ /* Allow use of FIFO and round-robin (realtime) scheduling on own processes and setting the scheduling algorithm used by another process. */ /* Allow setting cpu affinity on other processes */ I wonder which one of these would cause it? Tim, any idea? No, I can't see what could cause that. Claudiomar: what does 'rpm -q hplip' say? The alert happens a soon as the printer has been powered up. I had not seen this before and as I dont use the printer much so I cannot say which updates caused this. HP Deskjet F4500 series printer Package: (null) OS Release: Fedora release 17 (Beefy Miracle) (In reply to comment #6) > No, I can't see what could cause that. > > Claudiomar: what does 'rpm -q hplip' say? On this box I have hplip-3.12.9-6.fc17.x86_64 I was trying to add a printer. Package: (null) OS Release: Fedora release 18 (Spherical Cow) ]$ rpm -q hplip hplip-3.12.10-4.a.fc18.x86_64 Actually this is clear. syscall=sched_setscheduler Added to F17. Machine was brought bacj from sleep no idea how this happened https://bugzilla.redhat.com/show_bug.cgi?id=865603 is applied Package: (null) OS Release: Fedora release 17 (Beefy Miracle) I am installing a SMB printer with system-config-printer Package: (null) OS Release: Fedora release 17 (Beefy Miracle) Mihai was your machine in enforcing mode? Was it successful? Yes, I was in enforcing mode and the printer was installed successfully. I think we should dontaudit this. Tried to setup a printer in the KDE System Settings Package: (null) OS Release: Fedora release 17 (Beefy Miracle) Returning from sleep... came up after accessing kwallet Package: (null) OS Release: Fedora release 17 (Beefy Miracle) Added. I installed a fresh Fedora 17. I copied the /home folder of the old system (Fedora 16) to the new disk. I ran rdiff-backup. Package: (null) OS Release: Fedora release 17 (Beefy Miracle) This error occured when plugging a Brother HL-5150D rinter in to a USB port. Package: (null) Architecture: i686 OS Release: Fedora release 17 (Beefy Miracle) This happens every time I access cups; localhost:631 Package: (null) Architecture: i686 OS Release: Fedora release 17 (Beefy Miracle) The error occurs right now after the login. Package: (null) OS Release: Fedora release 17 (Beefy Miracle) Third error, hplip error... tried to setup a wireless printer and... crash Package: (null) OS Release: Fedora release 17 (Beefy Miracle) Correcting component and clearing needinfo flag. selinux-policy-3.10.0-159.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-159.fc17 Package selinux-policy-3.10.0-159.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-159.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-17782/selinux-policy-3.10.0-159.fc17 then log in and leave karma (feedback). Works here. Can not say if the patch works. To many other things in KDE 4.9 in Fedora are broken to test it. I am not able to start the printer install. Printer install stops with the error "The service 'Printer Configuration' does not provide an interface 'KCModule'...... Reinstalling the mentioned packages does nothing. Not related to this bug but amarok is broken too. But thats another story. So far the experience with Fedora 17 is horrible to say the least. selinux-policy-3.10.0-159.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. |
Additional info: libreport version: 2.0.16 kernel: 3.6.1-1.fc17.x86_64 description: :SELinux is preventing /usr/bin/python2.7 from using the 'sys_nice' capabilities. : :***** Plugin catchall (100. confidence) suggests *************************** : :If você acredita que o python2.7 deva ser permitido a capacidade de sys_nice por default. :Then você precisa reportar este como um erro. :Você pode gerar um módulo de política local para permitir este acesso. :Do :permitir este acesso agora executando: :# grep hpfax /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:hplip_t:s0-s0:c0.c1023 :Target Context system_u:system_r:hplip_t:s0-s0:c0.c1023 :Target Objects [ capability ] :Source hpfax :Source Path /usr/bin/python2.7 :Port <Desconhecido> :Host (removed) :Source RPM Packages python-2.7.3-7.2.fc17.x86_64 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-153.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Permissive :Host Name (removed) :Platform Linux (removed) 3.6.1-1.fc17.x86_64 #1 SMP Wed Oct : 10 12:13:05 UTC 2012 x86_64 x86_64 :Alert Count 1 :First Seen 2012-10-14 14:58:24 BRT :Last Seen 2012-10-14 14:58:24 BRT :Local ID 56f6829a-7764-4045-970d-54fb1e364e36 : :Raw Audit Messages :type=AVC msg=audit(1350237504.314:113): avc: denied { sys_nice } for pid=10280 comm="hpfax" capability=23 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tclass=capability : : :type=AVC msg=audit(1350237504.314:113): avc: denied { setsched } for pid=10280 comm="hpfax" scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tclass=process : : :type=SYSCALL msg=audit(1350237504.314:113): arch=x86_64 syscall=sched_setscheduler success=yes exit=0 a0=2828 a1=0 a2=7fffe1afcf60 a3=1 items=0 ppid=10276 pid=10280 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=hpfax exe=/usr/bin/python2.7 subj=system_u:system_r:hplip_t:s0-s0:c0.c1023 key=(null) : :Hash: hpfax,hplip_t,hplip_t,capability,sys_nice : :audit2allow : :#============= hplip_t ============== :allow hplip_t self:capability sys_nice; :allow hplip_t self:process setsched; : :audit2allow -R : :#============= hplip_t ============== :allow hplip_t self:capability sys_nice; :allow hplip_t self:process setsched; :