Bug 909445
| Summary: | SELinux is preventing /usr/bin/python2.7 from 'write' accesses on the directory /tmp. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Heiko Adams <bugzilla> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 18 | CC: | alonbl, bblaskov, dominick.grift, dsboger, dwalsh, gregor, i.grok, jbrooks, jeder, jskarvad, mgrepl, timur.kristof |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:e95101223f918b02d1a5fd7a8a4257717375f5520e1ba287a43591ef64cdde9a | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-02-18 06:56:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Did you setup tuned to write content to /tmp or was it doing this by default? No, I didn't change anything on tuned. This was caused after the latest tuned update. stops tuned from working Package: (null) OS Release: Fedora release 18 (Spherical Cow) I was trying to start the tuned daemon by issuing "systemctl start tuned" and it failed. At the same time, this SELinux alert popped up. Package: (null) OS Release: Fedora release 18 (Spherical Cow) I tried to run # sudo service tuned start and got the following error: Job for tuned.service failed. See 'systemctl status tuned.service' and 'journalctl -xn' for details. a little later, the SELinux problem resolution opened. Package: (null) OS Release: Fedora release 18 (Spherical Cow) # yum install tuned # service tuned start Package: (null) Architecture: i686 OS Release: Fedora release 18 (Spherical Cow) Jaroslav, so does tuned use /tmp dir? (In reply to comment #7) > Jaroslav, > so does tuned use /tmp dir? Sorry for the previous report, it was auto reported :) tuned-2.2.0-1 uses pyudev which calls find_library to find udev library. The find_library check contains: File "/usr/lib/python2.7/ctypes/util.py", line 215, in find_library return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name)) Both checks fails. The first check use ldconfig and fails: type=AVC msg=audit(1360585533.419:186): avc: denied { execute } for pid=9676 comm="sh" name="ldconfig" dev="dm-1" ino=1708526 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file The second fallback check tries to link libudev with gcc. It requires temp file for this and the creation of temp file fails, the code: File "/usr/lib/python2.7/ctypes/util.py", line 93, in _findLib_gcc fdout, ccout = tempfile.mkstemp() File "/usr/lib/python2.7/tempfile.py", line 293, in mkstemp dir = gettempdir() File "/usr/lib/python2.7/tempfile.py", line 261, in gettempdir tempdir = _get_default_tempdir() File "/usr/lib/python2.7/tempfile.py", line 208, in _get_default_tempdir ("No usable temporary directory found in %s" % dirlist)) IOError: [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/'] Other AVCs captured in permissive mode:
type=AVC msg=audit(1360588296.510:206): avc: denied { execute } for pid=9987 comm="sh" name="ldconfig" dev="dm-1" ino=1708526 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1360588296.510:206): avc: denied { read open } for pid=9987 comm="sh" path="/usr/sbin/ldconfig" dev="dm-1" ino=1708526 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1360588296.510:206): avc: denied { execute_no_trans } for pid=9987 comm="sh" path="/usr/sbin/ldconfig" dev="dm-1" ino=1708526 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1360588296.510:206): arch=40000003 syscall=11 success=yes exit=0 a0=8fb3ef8 a1=8fb3f78 a2=8fb3538 a3=8fb3f78 items=0 ppid=9986 pid=9987 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1360588296.531:207): avc: denied { create } for pid=9985 comm="tuned" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=netlink_kobject_uevent_socket
type=SYSCALL msg=audit(1360588296.531:207): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=bfb47130 a2=444a3e50 a3=93bb6c0 items=0 ppid=1 pid=9985 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="tuned" exe="/usr/bin/python2.7" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1360588296.588:208): avc: denied { setopt } for pid=9993 comm="tuned" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=netlink_kobject_uevent_socket
type=SYSCALL msg=audit(1360588296.588:208): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=b66fc610 a2=444a3e50 a3=30 items=0 ppid=1 pid=9993 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="tuned" exe="/usr/bin/python2.7" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1360588296.588:209): avc: denied { bind } for pid=9994 comm="tuned" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=netlink_kobject_uevent_socket
type=SYSCALL msg=audit(1360588296.588:209): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=b5cfe5d0 a2=444a3e50 a3=93bb6c0 items=0 ppid=1 pid=9994 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="tuned" exe="/usr/bin/python2.7" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1360588296.588:210): avc: denied { getattr } for pid=9994 comm="tuned" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=netlink_kobject_uevent_socket
type=SYSCALL msg=audit(1360588296.588:210): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=b5cfe5d0 a2=444a3e50 a3=93bb6c0 items=0 ppid=1 pid=9994 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="tuned" exe="/usr/bin/python2.7" subj=system_u:system_r:tuned_t:s0 key=(null)
I hit this same issue today while testing ovirt 3.2 beta on Fedora 18 -- current tuned won't start w/ selinux in enforcing mode, and this blocks ovirt host deployment. I could get around the issue either by downgrading to tuned-2.0.1-4 or by putting selinux into permissive mode. I am adding more fixes. selinux-policy-3.11.1-78.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-78.fc18 Package selinux-policy-3.11.1-78.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-78.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-2588/selinux-policy-3.11.1-78.fc18 then log in and leave karma (feedback). selinux-policy-3.11.1-78.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. *** Bug 922216 has been marked as a duplicate of this bug. *** |
Description of problem: SELinux is preventing /usr/bin/python2.7 from 'write' accesses on the directory /tmp. ***** Plugin catchall (100. confidence) suggests *************************** If sie denken, dass es python2.7 standardmässig erlaubt sein sollte, write Zugriff auf tmp directory zu erhalten. Then sie sollten dies als Fehler melden. Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen. Do zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen: # grep tuned /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:tuned_t:s0 Target Context system_u:object_r:tmp_t:s0 Target Objects /tmp [ dir ] Source tuned Source Path /usr/bin/python2.7 Port <Unknown> Host (removed) Source RPM Packages python-2.7.3-13.fc18.x86_64 Target RPM Packages filesystem-3.1-2.fc18.x86_64 Policy RPM selinux-policy-3.11.1-74.fc18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.7.6-201.fc18.x86_64 #1 SMP Mon Feb 4 15:54:08 UTC 2013 x86_64 x86_64 Alert Count 2 First Seen 2013-02-08 19:58:33 CET Last Seen 2013-02-08 20:02:57 CET Local ID 2fdddee3-113b-4aca-8a84-ef06f8f22385 Raw Audit Messages type=AVC msg=audit(1360350177.262:98): avc: denied { write } for pid=711 comm="tuned" name="/" dev="tmpfs" ino=11454 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir type=SYSCALL msg=audit(1360350177.262:98): arch=x86_64 syscall=open success=no exit=EACCES a0=12dacf0 a1=200c2 a2=180 a3=20 items=0 ppid=1 pid=711 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=tuned exe=/usr/bin/python2.7 subj=system_u:system_r:tuned_t:s0 key=(null) Hash: tuned,tuned_t,tmp_t,dir,write audit2allow #============= tuned_t ============== #!!!! The source type 'tuned_t' can write to a 'dir' of the following types: # tuned_etc_t, tuned_log_t, var_log_t, var_run_t, tuned_var_run_t, sysctl_vm_t, etc_t allow tuned_t tmp_t:dir write; audit2allow -R #============= tuned_t ============== #!!!! The source type 'tuned_t' can write to a 'dir' of the following types: # tuned_etc_t, tuned_log_t, var_log_t, var_run_t, tuned_var_run_t, sysctl_vm_t, etc_t allow tuned_t tmp_t:dir write; Additional info: hashmarkername: setroubleshoot kernel: 3.7.6-201.fc18.x86_64 type: libreport