Bug 870545
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/bin/python2.7 from 'read' accesses on the directory /var/tmp. |
| Product | Fedora |
| Reporter | Mihai Harpau <mishu> |
| Component | abrt |
| Assignee | Richard Marko <rmarko> |
| Status | CLOSED WONTFIX |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 17 |
| CC | abrt-devel-list, dominick.grift, dvlasenk, dwalsh, fweimer, iprikryl, jberan, jfilak, jkaluza, jmoskovc, jskarvad, mgrepl, mmilata, mtoman, pknirsch, rmarko, rvokal, tsmetana, twoerner |
| Hardware | x86_64 |
| OS | Unspecified |
| Whiteboard | abrt_hash:bb462cf7afcc71545497a8ca0962d0451e2ab979b7d5f2c8fd792873847622c7 |
| Doc Type | Bug Fix |
| Last Closed | 2013-08-01 09:54:51 UTC |

Created attachment 634023 [details]
File: type
Created attachment 634024 [details]
File: hashmarkername
Why is tuned listing /var/tmp?

This relates to setsched/sys_nice which we added for services.

Not sure what you mean? How does setsched/sys_nice relate to listing /var/tmp?

(In reply to comment #3)
> Why is tuned listing /var/tmp?

It shouldn't do that, I cannot find it in the code, maybe side effect of some other command run from the tuned. Also I am unable to reproduce this.

I tried to start tuned using "sudo service tuned start".

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

(In reply to comment #7)
> I tried to start tuned using "sudo service tuned start".
>
> Package: (null)
> OS Release: Fedora release 17 (Beefy Miracle)

Also no problem on my machine (user in wheel group). What profile are you using?

    # tuned-adm active

What version of tuned?

    # rpm -q tuned

This is caused by the abrt Python plugin, which loads the Python "rpm" module, which loads the RPM library, which initializes NSS, which touches /var/tmp:

    #2 _IO_new_file_fopen (fp=fp@entry=0x721d00, filename=filename@entry=0x7ffff6bf15fa "/var/tmp",
        mode=<optimized out>, mode@entry=0x7ffff6c0593d "r", is32not64=is32not64@entry=1) at fileops.c:345
    #3 0x00000031f4a6bb56 in __fopen_internal (filename=0x7ffff6bf15fa "/var/tmp", mode=0x7ffff6c0593d "r", is32=1)
        at ../libio/iofopen.c:93
    #4 0x00007ffff6bb2db7 in RNG_FileUpdate (fileName=0x7ffff6bf15fa "/var/tmp", limit=limit@entry=1000000)
        at unix_rand.c:1014
    #5 0x00007ffff6bb2eaa in RNG_FileForRNG (fileName=<optimized out>) at unix_rand.c:1043
    #6 0x00007ffff6bb2fa9 in RNG_SystemInfoForRNG () at unix_rand.c:943
    #7 0x00007ffff6bc33d3 in rng_init () at drbg.c:464
    #8 rng_init () at drbg.c:412
    #9 0x0000003249a1b39a in PR_CallOnce (once=0x7ffff6e0d3a0, func=<optimized out>)
        at ../../../mozilla/nsprpub/pr/src/misc/prinit.c:775
    #10 0x00007ffff6bc2867 in RNG_RNGInit () at drbg.c:508
    #11 0x0000003811c1202b in nsc_CommonInitialize (pReserved=pReserved@entry=0x7ffffffef660, isFIPS=isFIPS@entry=0)
        at pkcs11.c:2759
    #12 0x0000003811c124ca in NSC_Initialize (pReserved=0x7ffffffef660) at pkcs11.c:2887
    #13 NSC_Initialize (pReserved=0x7ffffffef660) at pkcs11.c:2878
    #14 0x000000381243e41b in secmod_ModuleInit (mod=mod@entry=0x71b620, reload=reload@entry=0x7ffffffef7b8,
        alreadyLoaded=alreadyLoaded@entry=0x7ffffffef6e4) at pk11load.c:252
    #15 0x000000381243ea5b in secmod_LoadPKCS11Module (mod=mod@entry=0x71b620, oldModule=oldModule@entry=0x7ffffffef7b8)
        at pk11load.c:488
    #16 0x000000381244b81d in SECMOD_LoadModule (
        modulespec=modulespec@entry=0x71b2b0 "library= name=\"NSS Internal PKCS #11 Module\" parameters=\"configdir='' certPrefix='' keyPrefix='' secmod='' flags=readOnly,noCertDB,noModDB,forceOpen,optimizeSpace updatedir='' updateCertPrefix='' upda"..., parent=parent@entry=0x71a2f0, recurse=recurse@entry=1) at pk11pars.c:1121
    #17 0x000000381244b9a0 in SECMOD_LoadModule (
        modulespec=modulespec@entry=0x718fe0 "name=\"NSS Internal Module\" parameters=\"configdir='' certPrefix='' keyPrefix='' secmod='' flags=readOnly,noCertDB,noModDB,forceOpen,optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' upd"..., parent=parent@entry=0x0, recurse=recurse@entry=1) at pk11pars.c:1156
    #18 0x000000381241ac22 in nss_InitModules (isContextInit=0, optimizeSpace=1, forceOpen=1, noModDB=1, noCertDB=1,
        readOnly=1, pwRequired=<optimized out>, configStrings=0x0, configName=0x38124fbb08 "NSS Internal Module",
        updateName=0x38124fc077 "", updateID=0x38124fc077 "", updKeyPrefix=0x38124fc077 "",
        updCertPrefix=0x38124fc077 "", updateDir=0x38124fc077 "", secmodName=0x38124fc077 "", keyPrefix=0x38124fc077 "",
        certPrefix=0x38124fc077 "", configdir=0x38124fc077 "") at nssinit.c:469
    #19 nss_Init (configdir=configdir@entry=0x38124fc077 "", certPrefix=certPrefix@entry=0x38124fc077 "",
        keyPrefix=keyPrefix@entry=0x38124fc077 "", secmodName=secmodName@entry=0x38124fc077 "",
        updateDir=updateDir@entry=0x38124fc077 "", updCertPrefix=updCertPrefix@entry=0x38124fc077 "",
        updKeyPrefix=updKeyPrefix@entry=0x38124fc077 "", updateID=updateID@entry=0x38124fc077 "",
        updateName=updateName@entry=0x38124fc077 "", initContextPtr=initContextPtr@entry=0x0,
        initParams=initParams@entry=0x0, readOnly=readOnly@entry=1, noCertDB=noCertDB@entry=1, noModDB=noModDB@entry=1,
        forceOpen=forceOpen@entry=1, noRootInit=noRootInit@entry=1, optimizeSpace=optimizeSpace@entry=1,
        noSingleThreadedModules=noSingleThreadedModules@entry=0,
        allowAlreadyInitializedModules=allowAlreadyInitializedModules@entry=0,
        dontFinalizeModules=dontFinalizeModules@entry=0) at nssinit.c:674
    #20 0x000000381241b3f7 in NSS_NoDB_Init (configdir=configdir@entry=0x0) at nssinit.c:909
    #21 0x0000003813c1683e in rpmInitCrypto () at rpmpgp.c:1642
    #22 0x000000381403df67 in rpmReadConfigFiles (file=file@entry=0x0, target=target@entry=0x0) at rpmrc.c:1772
    #23 0x00007ffff70286a5 in initModule (m=0x7ffff7c7e360) at rpmmodule.c:280
    #24 init_rpm () at rpmmodule.c:264
    #25 0x00000031f6eeffb1 in _PyImport_LoadDynamicModule () from /lib64/libpython2.7.so.1.0

Version of tuned is tuned-2.0.1-3.fc17.noarch, abrt plugin is abrt-addon-python-2.0.16-1.fc17.x86_64.
This is related to bug 871506. Lazily loading the "rpm" module will paper over this issue, but may prevent bug reporting. Not sure if it is even possible to use abrt from a confined process, so perhaps abrt should disable itself if it detects this situation?
    [root@netop home]# tuned-adm active
    Current active profile: /usr/lib/tuned/balanced/tuned.conf
    [root@netop home]# rpm -q tuned
    tuned-2.0.1-3.fc17.noarch
    [mihai@netop ~]$ id mihai
    uid=1000(mihai) gid=1000(mihai) groups=1000(mihai),10(wheel),18(dialout)

The abrt python plugin is causing weird side effects. Is it also doing a sys_nice and setrlimit?

(In reply to comment #11)
> The abrt python plugin is causing weird side effects. Is it also doing a
> sys_nice and setrlimit?

None of these. Should we do something more to avoid problems? rpm import was fixed recently (as written in bug 871506), this should resolve most of the issues.

I believe all these sys_nice/setsched/tmp_t are caused by this error. AFAIK we had a similar problem where sys_nice/setsched/tmp_t was required related to NSS.

Miroslav, so you believe these were all caused by the abrt plugin activating rpm?

Yes. I was not sure how /tmp could be involved but now it makes sense. I believe we should remove all sys_nice/setsched rules which we have added recently.

I agree.

This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
Description of problem:
I just start the tuned service

Additional info:
libreport version: 2.0.16
kernel: 3.6.2-4.fc17.x86_64

description:
:SELinux is preventing /usr/bin/python2.7 from 'read' accesses on the directory /var/tmp.
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If you believe that python2.7 should be allowed read access on the tmp directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep tuned /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:tuned_t:s0
:Target Context                system_u:object_r:tmp_t:s0
:Target Objects                /var/tmp [ dir ]
:Source                        tuned
:Source Path                   /usr/bin/python2.7
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           python-2.7.3-7.2.fc17.x86_64
:Target RPM Packages           filesystem-3-2.fc17.x86_64
:Policy RPM                    selinux-policy-3.10.0-156.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.2-4.fc17.x86_64 #1 SMP Wed Oct
:                              17 02:43:21 UTC 2012 x86_64 x86_64
:Alert Count                   2
:First Seen                    2012-10-26 22:28:44 EEST
:Last Seen                     2012-10-26 22:28:44 EEST
:Local ID                      e6269b90-3953-4707-b5a9-dc65de7d2ef7
:
:Raw Audit Messages
:type=AVC msg=audit(1351279724.167:99): avc: denied { read } for pid=2976 comm="tuned" name="tmp" dev="dm-1" ino=786433 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
:
:
:type=SYSCALL msg=audit(1351279724.167:99): arch=x86_64 syscall=open success=no exit=EACCES a0=3fac242643 a1=0 a2=1b6 a3=238 items=0 ppid=1 pid=2976 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=tuned exe=/usr/bin/python2.7 subj=system_u:system_r:tuned_t:s0 key=(null)
:
:Hash: tuned,tuned_t,tmp_t,dir,read
:
:audit2allow
:
:#============= tuned_t ==============
:allow tuned_t tmp_t:dir read;
:
:audit2allow -R
:
:#============= tuned_t ==============
:allow tuned_t tmp_t:dir read;
:
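The `audit2allow` output at the end of the report comes from grouping raw AVC records by source type, target type and object class and merging their permissions. As an added example that is not part of this bug or of abrt/tuned, the block below does that grouping over a constructed audit log built from the two records quoted above plus an invented `search` denial (to show the merge), so the rule the catch-all plugin proposes can be seen spelled out before anyone decides whether to install it.

```python
import re
from collections import defaultdict

# Constructed sample audit log, modelled on the AVC/SYSCALL pair quoted in this bug.
# The third record (a 'search' denial on the same directory) is invented to show
# how permissions from several records are merged into a single rule.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1351279724.167:99): avc: denied { read } for pid=2976 comm="tuned" name="tmp" dev="dm-1" ino=786433 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1351279724.167:99): arch=x86_64 syscall=open success=no exit=EACCES a0=3fac242643 a1=0 a2=1b6 a3=238 items=0 ppid=1 pid=2976 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=tuned exe=/usr/bin/python2.7 subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1351279724.168:100): avc: denied { search } for pid=2976 comm="tuned" name="tmp" dev="dm-1" ino=786433 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

# Matches one AVC record; SYSCALL records do not match and are ignored.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +(?P<verdict>denied|granted) +'
    r'\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Type field of an SELinux context: 'tuned_t' from 'system_u:system_r:tuned_t:s0'."""
    return ctx.split(":")[2]

def parse_avc_denials(text):
    """Return the 'denied' AVC records as dicts; granted AVCs and SYSCALL lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("verdict") == "denied":
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()   # "{ read }" -> ["read"]
            denials.append(rec)
    return denials

def allow_rules(denials):
    """Group by (source type, target type, class) and merge permissions, audit2allow style."""
    merged = defaultdict(set)
    for d in denials:
        key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
        merged[key].update(d["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(parse_avc_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

With only the page's own AVC record the result is the same `allow tuned_t tmp_t:dir read;` shown above; that rule would let every tuned_t process read every tmp_t directory, which is why the thread settles on fixing the eager rpm import rather than widening the policy.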