
Bug 1035683

Summary: SELinux prevents yum running as sosreport_t to unlink pid file
Product: Red Hat Enterprise Linux 7
Reporter: Michal Trunecka <mtruneck>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 7.0
CC: ebenes, jprokes, ljozsa, mmalik, mtruneck
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.12.1-106.el7
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-06-13 09:53:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 782468

Description Michal Trunecka 2013-11-28 09:56:07 UTC
Description of problem:

If you believe that python2.7 should be allowed unlink access on the yum.pid file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep yum /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:sosreport_t:s0-s0:c0.c1023
Target Context                system_u:object_r:rpm_var_run_t:s0
Target Objects                yum.pid [ file ]
Source                        yum
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7.5-10.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-103.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rhel7
Platform                      Linux rhel7 3.10.0-54.el7.x86_64 #1 SMP Thu Nov 21
                              15:34:15 EST 2013 x86_64 x86_64
Alert Count                   1212
First Seen                    2013-11-27 16:16:11 GMT
Last Seen                     2013-11-28 09:50:05 GMT
Local ID                      a73a1890-a53a-4430-a354-86608508f6be

Raw Audit Messages
type=AVC msg=audit(1385632205.171:108246747): avc:  denied  { unlink } for  pid=31417 comm="yum" name="yum.pid" dev="tmpfs" ino=623956 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_run_t:s0 tclass=file


type=SYSCALL msg=audit(1385632205.171:108246747): arch=x86_64 syscall=unlink success=no exit=EACCES a0=2e034f0 a1=1 a2=3703dbbf88 a3=0 items=0 ppid=31416 pid=31417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=yum exe=/usr/bin/python2.7 subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null)


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-103.el7.noarch

How reproducible:

Comment 1 Miroslav Grepl 2013-11-28 12:05:30 UTC
I guess we will end up with

optional_policy(`
   rpm_domtrans(sosreport_t)
')

optional_policy(`
   unconfined_domain(sosreport_t)
')


Do you get more AVC msgs in permissive mode?

Comment 2 Milos Malik 2013-11-28 12:54:02 UTC
# rpm -qa selinux-policy\*
selinux-policy-mls-3.12.1-105.el7.noarch
selinux-policy-doc-3.12.1-105.el7.noarch
selinux-policy-targeted-3.12.1-105.el7.noarch
selinux-policy-3.12.1-105.el7.noarch
selinux-policy-minimum-3.12.1-105.el7.noarch
selinux-policy-devel-3.12.1-105.el7.noarch
#

Following message appeared at least ten times:
----
type=SYSCALL msg=audit(11/28/2013 13:45:55.473:1116) : arch=x86_64 syscall=setpgid success=no exit=-13(Permission denied) a0=0x0 a1=0x0 a2=0x7fff393a1eb1 a3=0x32509bbc8c items=0 ppid=6390 pid=11209 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=timeout exe=/usr/bin/timeout subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/28/2013 13:45:55.473:1116) : avc:  denied  { setpgid } for  pid=11209 comm=timeout scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tclass=process 
----

Following messages appeared once:
----
type=PATH msg=audit(11/28/2013 13:45:50.168:1081) : item=1 name=/var/log/up2date objtype=CREATE 
type=PATH msg=audit(11/28/2013 13:45:50.168:1081) : item=0 name=/var/log/ inode=16818314 dev=fd:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=PARENT 
type=CWD msg=audit(11/28/2013 13:45:50.168:1081) :  cwd=/var/tmp/abrt/Python-2013-11-28-13:44:59-6326 
type=SYSCALL msg=audit(11/28/2013 13:45:50.168:1081) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x2301a60 a1=O_WRONLY|O_CREAT|O_APPEND a2=0666 a3=0x22f99e0 items=2 ppid=7117 pid=7118 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=python exe=/usr/bin/python2.7 subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/28/2013 13:45:50.168:1081) : avc:  denied  { write } for  pid=7118 comm=python name=log dev="vda3" ino=16818314 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir 
----
type=PATH msg=audit(11/28/2013 13:45:56.035:1117) : item=1 name=/var/cache/yum/x86_64/7Server objtype=CREATE 
type=PATH msg=audit(11/28/2013 13:45:56.035:1117) : item=0 name=/var/cache/yum/x86_64/ inode=8910782 dev=fd:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:rpm_var_cache_t:s0 objtype=PARENT 
type=CWD msg=audit(11/28/2013 13:45:56.035:1117) :  cwd=/var/tmp/abrt/Python-2013-11-28-13:44:59-6326 
type=SYSCALL msg=audit(11/28/2013 13:45:56.035:1117) : arch=x86_64 syscall=mkdir success=no exit=-13(Permission denied) a0=0x21981f0 a1=0755 a2=0x3255dbbf88 a3=0x0 items=2 ppid=11209 pid=11219 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=yum exe=/usr/bin/python2.7 subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/28/2013 13:45:56.035:1117) : avc:  denied  { write } for  pid=11219 comm=yum name=x86_64 dev="vda3" ino=8910782 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir 
----
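As an added example (not part of this bug report or of the selinux-policy project), the script below parses the AVC records quoted in the description and in comment 2, in both raw audit.log form and the interpreted `ausearch -i` form, and collapses them into the source type / target type / object class groups that audit2allow turns into allow rules, so the denials can be reviewed before any local module is built. The sample records are constructed from the lines on this page.

```python
"""Summarise SELinux AVC denials into audit2allow-style allow rules.

Added example, not from the bug report: handles raw audit.log records and
`ausearch -i` interpreted records, grouping denied permissions by
(source type, target type, class) exactly as audit2allow does.
"""
import re
from collections import defaultdict

# Constructed sample: AVC/SYSCALL records copied in shape from this bug report.
SAMPLE_AVC = """\
type=AVC msg=audit(1385632205.171:108246747): avc:  denied  { unlink } for  pid=31417 comm="yum" name="yum.pid" dev="tmpfs" ino=623956 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_run_t:s0 tclass=file
type=AVC msg=audit(11/28/2013 13:45:55.473:1116) : avc:  denied  { setpgid } for  pid=11209 comm=timeout scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(11/28/2013 13:45:50.168:1081) : avc:  denied  { write } for  pid=7118 comm=python name=log dev="vda3" ino=16818314 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(11/28/2013 13:45:56.035:1117) : avc:  denied  { write } for  pid=11219 comm=yum name=x86_64 dev="vda3" ino=8910782 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1385632205.171:108246747): arch=x86_64 syscall=unlink success=no exit=EACCES comm=yum
"""

# Matches both "audit(1385632205.171:1)" and "audit(11/28/2013 13:45:55.473:1116) :" prefixes.
AVC_RE = re.compile(
    r"type=AVC .*avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Return (source type, target type, class, {perms}) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (context_type(m["scontext"]), context_type(m["tcontext"]),
            m["tclass"], set(m["perms"].split()))

def summarise(text):
    """Group denials into {(stype, ttype, tclass): {perms}}; SYSCALL/PATH lines are skipped."""
    rules = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def allow_rules(text):
    """Render the summary as policy 'allow' statements, sorted for stable output."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(summarise(text).items())]
```

Run `allow_rules(SAMPLE_AVC)` to see the four candidate rules; the unlink on rpm_var_run_t:file is the one this bug is about, and the setpgid and dir-write denials are the extra ones comment 2 found in permissive mode.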

Comment 3 Miroslav Grepl 2013-11-29 10:23:09 UTC
commit 90b623bb27b22e1b04617463f7c866af50e4787f
Author: Miroslav Grepl <mgrepl>
Date:   Fri Nov 29 11:21:15 2013 +0100

    Label /var/log/up2date as rpm_log_t and allow sosreport to manage rpm log/pid/cache files which is a part of ABRT policy for sosreport running as abrt_t

Comment 4 Miroslav Grepl 2013-11-29 10:27:59 UTC
*** Bug 1033559 has been marked as a duplicate of this bug. ***

Comment 5 Miroslav Grepl 2013-12-03 18:26:39 UTC
*** Bug 1037732 has been marked as a duplicate of this bug. ***

Comment 8 Ludek Smid 2014-06-13 09:53:57 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.