Bug 909445
Summary: | SELinux is preventing /usr/bin/python2.7 from 'write' accesses on the directory /tmp. | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Heiko Adams <bugzilla> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 18 | CC: | alonbl, bblaskov, dominick.grift, dsboger, dwalsh, gregor, i.grok, jbrooks, jeder, jskarvad, mgrepl, timur.kristof |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Unspecified | | |
Whiteboard: | abrt_hash:e95101223f918b02d1a5fd7a8a4257717375f5520e1ba287a43591ef64cdde9a | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2013-02-18 06:56:51 UTC | Type: | --- |
Description
Heiko Adams
2013-02-08 19:51:58 UTC
Did you set up tuned to write content to /tmp or was it doing this by default?

No, I didn't change anything on tuned. This was caused after the latest tuned update.

stops tuned from working

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

I was trying to start the tuned daemon by issuing "systemctl start tuned" and it failed. At the same time, this SELinux alert popped up.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

I tried to run

    # sudo service tuned start

and got the following error:

    Job for tuned.service failed. See 'systemctl status tuned.service' and 'journalctl -xn' for details.

A little later, the SELinux problem resolution opened.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

    # yum install tuned
    # service tuned start

Package: (null)
Architecture: i686
OS Release: Fedora release 18 (Spherical Cow)

Jaroslav,
so does tuned use /tmp dir?

(In reply to comment #7)
> Jaroslav,
> so does tuned use /tmp dir?

Sorry for the previous report, it was auto reported :)

tuned-2.2.0-1 uses pyudev which calls find_library to find udev library. The find_library check contains:

    File "/usr/lib/python2.7/ctypes/util.py", line 215, in find_library
      return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name))

Both checks fail. The first check uses ldconfig and fails:

    type=AVC msg=audit(1360585533.419:186): avc: denied { execute } for pid=9676 comm="sh" name="ldconfig" dev="dm-1" ino=1708526 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file

The second fallback check tries to link libudev with gcc. It requires a temp file for this and the creation of the temp file fails, the code:

    File "/usr/lib/python2.7/ctypes/util.py", line 93, in _findLib_gcc
      fdout, ccout = tempfile.mkstemp()
    File "/usr/lib/python2.7/tempfile.py", line 293, in mkstemp
      dir = gettempdir()
    File "/usr/lib/python2.7/tempfile.py", line 261, in gettempdir
      tempdir = _get_default_tempdir()
    File "/usr/lib/python2.7/tempfile.py", line 208, in _get_default_tempdir
      ("No usable temporary directory found in %s" % dirlist))
    IOError: [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/']

Other AVCs captured in permissive mode:

    type=AVC msg=audit(1360588296.510:206): avc: denied { execute } for pid=9987 comm="sh" name="ldconfig" dev="dm-1" ino=1708526 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
    type=AVC msg=audit(1360588296.510:206): avc: denied { read open } for pid=9987 comm="sh" path="/usr/sbin/ldconfig" dev="dm-1" ino=1708526 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
    type=AVC msg=audit(1360588296.510:206): avc: denied { execute_no_trans } for pid=9987 comm="sh" path="/usr/sbin/ldconfig" dev="dm-1" ino=1708526 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
    type=SYSCALL msg=audit(1360588296.510:206): arch=40000003 syscall=11 success=yes exit=0 a0=8fb3ef8 a1=8fb3f78 a2=8fb3538 a3=8fb3f78 items=0 ppid=9986 pid=9987 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:tuned_t:s0 key=(null)
    type=AVC msg=audit(1360588296.531:207): avc: denied { create } for pid=9985 comm="tuned" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=netlink_kobject_uevent_socket
    type=SYSCALL msg=audit(1360588296.531:207): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=bfb47130 a2=444a3e50 a3=93bb6c0 items=0 ppid=1 pid=9985 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="tuned" exe="/usr/bin/python2.7" subj=system_u:system_r:tuned_t:s0 key=(null)
    type=AVC msg=audit(1360588296.588:208): avc: denied { setopt } for pid=9993 comm="tuned" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=netlink_kobject_uevent_socket
    type=SYSCALL msg=audit(1360588296.588:208): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=b66fc610 a2=444a3e50 a3=30 items=0 ppid=1 pid=9993 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="tuned" exe="/usr/bin/python2.7" subj=system_u:system_r:tuned_t:s0 key=(null)
    type=AVC msg=audit(1360588296.588:209): avc: denied { bind } for pid=9994 comm="tuned" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=netlink_kobject_uevent_socket
    type=SYSCALL msg=audit(1360588296.588:209): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=b5cfe5d0 a2=444a3e50 a3=93bb6c0 items=0 ppid=1 pid=9994 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="tuned" exe="/usr/bin/python2.7" subj=system_u:system_r:tuned_t:s0 key=(null)
    type=AVC msg=audit(1360588296.588:210): avc: denied { getattr } for pid=9994 comm="tuned" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=netlink_kobject_uevent_socket
    type=SYSCALL msg=audit(1360588296.588:210): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=b5cfe5d0 a2=444a3e50 a3=93bb6c0 items=0 ppid=1 pid=9994 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="tuned" exe="/usr/bin/python2.7" subj=system_u:system_r:tuned_t:s0 key=(null)

I hit this same issue today while testing ovirt 3.2 beta on Fedora 18 -- current tuned won't start w/ selinux in enforcing mode, and this blocks ovirt host deployment. I could get around the issue either by downgrading to tuned-2.0.1-4 or by putting selinux into permissive mode.

I am adding more fixes.

selinux-policy-3.11.1-78.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-78.fc18

Package selinux-policy-3.11.1-78.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-78.fc18'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-2588/selinux-policy-3.11.1-78.fc18
then log in and leave karma (feedback).

selinux-policy-3.11.1-78.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

*** Bug 922216 has been marked as a duplicate of this bug. ***
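
An added example, not part of the bug report or of selinux-policy: a small Python triage script that groups AVC denials like the permissive-mode records quoted above by source type, target type and object class, so a reviewer can see exactly which access tuned_t was asking for before any policy change is accepted. The sample records are copied from the report (SYSCALL records left out); the function names are this example's own, and the allow-rule layout is only a summary format, not the fix shipped in selinux-policy-3.11.1-78.fc18.

```python
import re
from collections import defaultdict

# AVC records copied from the report above; SYSCALL records omitted.
_LDCONFIG = ('scontext=system_u:system_r:tuned_t:s0 '
             'tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file')
_NETLINK = ('scontext=system_u:system_r:tuned_t:s0 '
            'tcontext=system_u:system_r:tuned_t:s0 '
            'tclass=netlink_kobject_uevent_socket')
SAMPLE = "\n".join([
    'type=AVC msg=audit(1360588296.510:206): avc: denied { execute } for pid=9987 comm="sh" name="ldconfig" dev="dm-1" ino=1708526 ' + _LDCONFIG,
    'type=AVC msg=audit(1360588296.510:206): avc: denied { read open } for pid=9987 comm="sh" path="/usr/sbin/ldconfig" dev="dm-1" ino=1708526 ' + _LDCONFIG,
    'type=AVC msg=audit(1360588296.510:206): avc: denied { execute_no_trans } for pid=9987 comm="sh" path="/usr/sbin/ldconfig" dev="dm-1" ino=1708526 ' + _LDCONFIG,
    'type=AVC msg=audit(1360588296.531:207): avc: denied { create } for pid=9985 comm="tuned" ' + _NETLINK,
    'type=AVC msg=audit(1360588296.588:208): avc: denied { setopt } for pid=9993 comm="tuned" ' + _NETLINK,
    'type=AVC msg=audit(1360588296.588:209): avc: denied { bind } for pid=9994 comm="tuned" ' + _NETLINK,
    'type=AVC msg=audit(1360588296.588:210): avc: denied { getattr } for pid=9994 comm="tuned" ' + _NETLINK,
])

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text):
    """Map (source type, target type or 'self', class) -> sorted permissions."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL and other non-AVC records are skipped
        src, tgt = selinux_type(m["src"]), selinux_type(m["tgt"])
        key = (src, "self" if tgt == src else tgt, m["cls"])
        grouped[key].update(m["perms"].split())
    return {key: sorted(perms) for key, perms in grouped.items()}

def as_rules(summary):
    """Render the summary in allow-rule form for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE))))
```

Grouping makes the two distinct needs visible: running ldconfig from the tuned_t domain, and opening a netlink_kobject_uevent_socket for udev events; the /tmp write in the bug title only arises from the gcc fallback after the ldconfig lookup is denied.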