1103042 – SELinux is preventing /usr/bin/python "search" access on /root/.local.

Bug 1103042 - SELinux is preventing /usr/bin/python "search" access on /root/.local.

Summary: SELinux is preventing /usr/bin/python "search" access on /root/.local.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	20
Hardware:	i386
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	setroubleshoot_trace_hash:dec548f1c8e...
Depends On:	573181
Blocks:	1103135
TreeView+	depends on / blocked

Reported:	2014-05-30 06:32 UTC by Jan Pazdziora (Red Hat)
Modified:	2014-09-08 15:39 UTC (History)
CC List:	10 users (show)
Fixed In Version:	selinux-policy-3.12.1-171.fc20
Clone Of:	573181
Clones:	1103135 (view as bug list)
Environment:
Last Closed:	2014-06-26 01:53:42 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jan Pazdziora (Red Hat) 2014-05-30 06:32:28 UTC

+++ This bug was initially created as a clone of Bug #573181 +++


Summary:

SELinux is preventing /usr/bin/python "search" access on /root/.local.

Detailed Description:

SELinux denied access requested by cobblerd. It is not expected that this access
is required by cobblerd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:cobblerd_t:s0
Target Context                system_u:object_r:gconf_home_t:s0
Target Objects                /root/.local [ dir ]
Source                        cobblerd
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.2-4.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-99.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.32.9-70.fc12.i686.PAE #1 SMP Wed Mar 3
                              04:57:21 UTC 2010 i686 athlon
Alert Count                   1
First Seen                    Sat 13 Mar 2010 09:49:58 AM EET
Last Seen                     Sat 13 Mar 2010 09:49:58 AM EET
Local ID                      9677c33d-a5ac-4f00-9703-13bb7c132a64
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1268466598.277:12): avc:  denied  { search } for  pid=1558 comm="cobblerd" name=".local" dev=dm-0 ino=82028 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1268466598.277:12): arch=40000003 syscall=195 success=no exit=-2 a0=8c5d638 a1=bff7930c a2=977ff4 a3=8c5d638 items=0 ppid=1556 pid=1558 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python" subj=system_u:system_r:cobblerd_t:s0 key=(null)



Hash String generated from  catchall,cobblerd,cobblerd_t,gconf_home_t,dir,search
audit2allow suggests:

#============= cobblerd_t ==============
allow cobblerd_t gconf_home_t:dir search;

Comment 1 Jan Pazdziora (Red Hat) 2014-05-30 06:33:14 UTC

The issue seems to be back in Fedora 20:

type=SYSCALL msg=audit(1401361477.476:202): arch=c000003e syscall=4 success=no exit=-13 a0=1e97310 a1=7fff35385580 a2=7fff35385580 a3=0 items=0 ppid=1 pid=18286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="osa-dispatcher" exe="/usr/bin/python2.7" subj=system_u:system_r:osa_dispatcher_t:s0 key=(null)
type=AVC msg=audit(1401361477.476:202): avc:  denied  { search } for  pid=18286 comm="osa-dispatcher" name=".local" dev="dm-0" ino=262158 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir

type=SYSCALL msg=audit(1401361534.406:209): arch=c000003e syscall=4 success=no exit=-13 a0=168e310 a1=7fff13edf7e0 a2=7fff13edf7e0 a3=0 items=0 ppid=1 pid=18967 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1401361534.406:209): avc:  denied  { search } for  pid=18967 comm="cobblerd" name=".local" dev="dm-0" ino=262158 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir

# find /root -inum 262158
/root/.local

Comment 3 Miroslav Grepl 2014-05-30 10:51:03 UTC

This is more bug in these apps. Adding fixes to the policy for cobbler.te. 

diff --git a/cobbler.te b/cobbler.te
index e01156f..1543aec 100644
--- a/cobbler.te
+++ b/cobbler.te
@@ -194,6 +194,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+    gnome_dontaudit_search_config(cobblerd_t)
+')


We don't ship the osa_dispatcher policy.

Comment 4 Jan Pazdziora (Red Hat) 2014-05-30 11:09:14 UTC

(In reply to Miroslav Grepl from comment #3)
> This is more bug in these apps. Adding fixes to the policy for cobbler.te. 

So what are those applications doing wrong that this happens?

Comment 5 Miroslav Grepl 2014-06-06 15:37:29 UTC

(In reply to Jan Pazdziora from comment #4)
> (In reply to Miroslav Grepl from comment #3)
> > This is more bug in these apps. Adding fixes to the policy for cobbler.te. 
> 
> So what are those applications doing wrong that this happens?

-E     Ignore environment variables like  PYTHONPATH  and  PYTHONHOME  that
       modify the behavior of the interpreter.

-s     Don't add user site directory to sys.path

Comment 6 Jan Pazdziora (Red Hat) 2014-06-09 13:17:27 UTC

Thanks. Two questions:

1) shouldn't we revert that

   gnome_dontaudit_search_config(cobblerd_t)

and ask cobbler packager to do the -s?

2) Why don't I see that AVC denial in Permissive?

Comment 7 Jan Pazdziora (Red Hat) 2014-06-09 13:17:39 UTC

Thanks. Two questions:

1) shouldn't we revert that

   gnome_dontaudit_search_config(cobblerd_t)

and ask cobbler packager to do the -s?

2) Why don't I see that AVC denial in Permissive?

Comment 8 Jan Pazdziora (Red Hat) 2014-06-09 13:18:42 UTC

For the record, related osa-dispatcher bugzilla 1103135.

Comment 9 Fedora Update System 2014-06-09 20:09:15 UTC

selinux-policy-3.12.1-167.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-167.fc20

Comment 10 Fedora Update System 2014-06-11 16:25:28 UTC

Package selinux-policy-3.12.1-167.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-167.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-7240/selinux-policy-3.12.1-167.fc20
then log in and leave karma (feedback).

Comment 11 Jan Pazdziora (Red Hat) 2014-06-17 08:55:10 UTC

(In reply to Jan Pazdziora from comment #6)
> Thanks. Two questions:
> 
> 1) shouldn't we revert that
> 
>    gnome_dontaudit_search_config(cobblerd_t)
> 
> and ask cobbler packager to do the -s?

In fact, my Spacewalk installation used cobbler20, packaged by the Spacewalk project, so possibly with stock cobbler package in Fedora, the problem isn't there at all.

Could you please revert the policy change?

Comment 12 Lukas Vrabec 2014-06-17 09:05:08 UTC

commit 6b19382ed24fe08f74eaf73304ab381d1909e3fa
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jun 17 11:04:32 2014 +0200

    Revert gnome_dontaudit_search_config in cobbler policy

Reverted.

Comment 13 Fedora Update System 2014-06-19 13:18:51 UTC

selinux-policy-3.12.1-171.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-171.fc20

Comment 14 Fedora Update System 2014-06-19 22:53:03 UTC

Package selinux-policy-3.12.1-171.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-171.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-7499/selinux-policy-3.12.1-171.fc20
then log in and leave karma (feedback).

Comment 15 Fedora Update System 2014-06-26 01:53:42 UTC

selinux-policy-3.12.1-171.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.