+++ This bug was initially created as a clone of Bug #1103042 +++
+++ This bug was initially created as a clone of Bug #573181 +++

Summary:

SELinux is preventing /usr/bin/python "search" access on /root/.local.

Detailed Description:

SELinux denied access requested by cobblerd. It is not expected that this
access is required by cobblerd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of
the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:cobblerd_t:s0
Target Context                system_u:object_r:gconf_home_t:s0
Target Objects                /root/.local [ dir ]
Source                        cobblerd
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.2-4.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-99.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.9-70.fc12.i686.PAE #1 SMP
                              Wed Mar 3 04:57:21 UTC 2010 i686 athlon
Alert Count                   1
First Seen                    Sat 13 Mar 2010 09:49:58 AM EET
Last Seen                     Sat 13 Mar 2010 09:49:58 AM EET
Local ID                      9677c33d-a5ac-4f00-9703-13bb7c132a64
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1268466598.277:12): avc: denied { search } for pid=1558 comm="cobblerd" name=".local" dev=dm-0 ino=82028 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1268466598.277:12): arch=40000003 syscall=195 success=no exit=-2 a0=8c5d638 a1=bff7930c a2=977ff4 a3=8c5d638 items=0 ppid=1556 pid=1558 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python" subj=system_u:system_r:cobblerd_t:s0 key=(null)

Hash String generated from  catchall,cobblerd,cobblerd_t,gconf_home_t,dir,search

audit2allow suggests:

#============= cobblerd_t ==============
allow cobblerd_t gconf_home_t:dir search;

--- Additional comment from Jan Pazdziora on 2014-05-30 08:33:14 CEST ---

The issue seems to be back in Fedora 20:

type=SYSCALL msg=audit(1401361477.476:202): arch=c000003e syscall=4 success=no exit=-13 a0=1e97310 a1=7fff35385580 a2=7fff35385580 a3=0 items=0 ppid=1 pid=18286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="osa-dispatcher" exe="/usr/bin/python2.7" subj=system_u:system_r:osa_dispatcher_t:s0 key=(null)
type=AVC msg=audit(1401361477.476:202): avc: denied { search } for pid=18286 comm="osa-dispatcher" name=".local" dev="dm-0" ino=262158 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1401361534.406:209): arch=c000003e syscall=4 success=no exit=-13 a0=168e310 a1=7fff13edf7e0 a2=7fff13edf7e0 a3=0 items=0 ppid=1 pid=18967 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1401361534.406:209): avc: denied { search } for pid=18967 comm="cobblerd" name=".local" dev="dm-0" ino=262158 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir

# find /root -inum 262158
/root/.local

--- Additional comment from Miroslav Grepl on 2014-05-30 12:51:03 CEST ---

This is more a bug in these apps. Adding fixes to the policy for cobbler.te.

diff --git a/cobbler.te b/cobbler.te index e01156f..1543aec 100644 --- a/cobbler.te +++ b/cobbler.te
@@ -194,6 +194,10 @@ optional_policy(` ') optional_policy(` + gnome_dontaudit_search_config(cobblerd_t) +')

We don't ship the osa_dispatcher policy.

--- Additional comment from Jan Pazdziora on 2014-05-30 13:09:14 CEST ---

(In reply to Miroslav Grepl from comment #3)
> This is more bug in these apps. Adding fixes to the policy for cobbler.te.

So what are those applications doing wrong that this happens?
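Review bot: the new optional_policy block in the @@ -194,6 +194,10 @@ hunk silences the denial instead of resolving it: gnome_dontaudit_search_config(cobblerd_t) only stops the AVC from being logged, while cobblerd's stat of /root/.local still fails (the Fedora 20 SYSCALL records above show success=no exit=-13), so the commit message should state that the dontaudit is deliberate because the search is spurious, otherwise the next person to see cobblerd misbehave will not know the access is still refused. The hunk also covers only cobblerd_t; the identical osa_dispatcher_t denial from the same report is left for the separately shipped osa-dispatcher-selinux package, which is worth saying explicitly next to the "We don't ship the osa_dispatcher policy" remark. Finally, because the denial is hidden rather than removed, it will reappear as soon as someone disables dontaudit rules for debugging (semodule -DB); noting that in the policy comment avoids a duplicate bug later.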
> --- Additional comment from Miroslav Grepl on 2014-05-30 12:51:03 CEST ---
> We don't ship the osa_dispatcher policy.

Miroslav is right. Either osa-dispatcher-selinux should be fixed, or the application stopped from searching /root.
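The denials quoted in this thread, run through a small correlator. This is an added example written for this page; it is not code from setroubleshoot, audit2allow, selinux-policy or Spacewalk, and the function names (parse_audit, suggest_rules, describe) are my own. It joins each AVC record with the SYSCALL record that shares its audit serial number, decodes the syscall number for the two architectures present in the report (x86_64 syscall 4 is stat, i386 syscall 195 is stat64) and the errno, and then emits the TE rule audit2allow would print next to the dontaudit form the cobbler.te patch chose. The sample input is the report's own audit lines, embedded as a constructed string; the SYSCALL_NAMES table covers only the two calls that occur there.

```python
"""Correlate SELinux AVC denials with their SYSCALL records and derive TE rules.

Added example for this bug report (not part of setroubleshoot, audit2allow,
selinux-policy or Spacewalk).  Sample input: the report's own audit lines.
"""
import errno
import re
from collections import defaultdict

# Constructed sample: the i386 Fedora 12 records and the two x86_64 Fedora 20
# records from the report, host-specific fields kept as posted.
SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1268466598.277:12): avc: denied { search } for pid=1558 comm="cobblerd" name=".local" dev=dm-0 ino=82028 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
node=(removed) type=SYSCALL msg=audit(1268466598.277:12): arch=40000003 syscall=195 success=no exit=-2 a0=8c5d638 a1=bff7930c a2=977ff4 a3=8c5d638 items=0 ppid=1556 pid=1558 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=SYSCALL msg=audit(1401361477.476:202): arch=c000003e syscall=4 success=no exit=-13 a0=1e97310 a1=7fff35385580 a2=7fff35385580 a3=0 items=0 ppid=1 pid=18286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="osa-dispatcher" exe="/usr/bin/python2.7" subj=system_u:system_r:osa_dispatcher_t:s0 key=(null)
type=AVC msg=audit(1401361477.476:202): avc: denied { search } for pid=18286 comm="osa-dispatcher" name=".local" dev="dm-0" ino=262158 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1401361534.406:209): arch=c000003e syscall=4 success=no exit=-13 a0=168e310 a1=7fff13edf7e0 a2=7fff13edf7e0 a3=0 items=0 ppid=1 pid=18967 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cobblerd" exe="/usr/bin/python2.7" subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1401361534.406:209): avc: denied { search } for pid=18967 comm="cobblerd" name=".local" dev="dm-0" ino=262158 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
"""

# Only the (arch, nr) pairs seen in the report; extend from the kernel's
# syscall tables for anything else.  Keys are the AUDIT_ARCH_* values.
SYSCALL_NAMES = {
    "c000003e": {4: "stat"},      # AUDIT_ARCH_X86_64
    "40000003": {195: "stat64"},  # AUDIT_ARCH_I386
}

_MSG_RE = re.compile(r"^(?:node=\S+ )?type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]+) \} for (.*)$")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _kv(text):
    """Parse audit key=value pairs; strip the quotes audit puts around strings."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(text)}


def parse_audit(text):
    """Group AVC and SYSCALL records by audit serial (the number after the ':')."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in text.splitlines():
        m = _MSG_RE.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        ev = events[int(serial)]
        if rtype == "AVC":
            a = _AVC_RE.search(body)
            if a:
                rec = _kv(a.group(3))
                rec["result"] = a.group(1)
                rec["perms"] = a.group(2).split()
                ev["avc"].append(rec)
        elif rtype == "SYSCALL":
            ev["syscall"] = _kv(body)
    return dict(events)


def type_of(context):
    """user:role:type:range -> type."""
    return context.split(":")[2]


def suggest_rules(events, dontaudit=False):
    """Collapse denials into one TE rule per (source type, target type, class),
    the shape audit2allow prints.  dontaudit=True yields the quieting rule the
    cobbler.te patch chose instead of granting access."""
    perms = defaultdict(set)
    for ev in events.values():
        for rec in ev["avc"]:
            if rec["result"] != "denied":
                continue
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            perms[key].update(rec["perms"])
    kw = "dontaudit" if dontaudit else "allow"
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        p = sorted(ps)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append("%s %s %s:%s %s;" % (kw, src, tgt, cls, body))
    return rules


def describe(events):
    """Per serial: which syscall failed, on which object, with which errno."""
    out = {}
    for serial, ev in sorted(events.items()):
        sc = ev["syscall"] or {}
        nr = int(sc.get("syscall", -1))
        name = SYSCALL_NAMES.get(sc.get("arch"), {}).get(nr, "syscall#%d" % nr)
        err = errno.errorcode.get(-int(sc.get("exit", 0)), "?")
        names = sorted({r.get("name", "?") for r in ev["avc"]})
        out[serial] = "%s %s(%s) -> %s" % (sc.get("comm", "?"), name, ",".join(names), err)
    return out


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT)
    for line in describe(evs).values():
        print(line)
    print("\n".join(suggest_rules(evs)))
    print("\n".join(suggest_rules(evs, dontaudit=True)))
```

Running it shows all three serials as a failed stat()/stat64() of ".local" by a root daemon whose exe is the Python interpreter, which fits the later note that a bare python -c 1 reproduces the denial: at startup Python's site module probes ~/.local for a per-user site-packages directory, so the search originates in the interpreter, not in cobblerd's or osa-dispatcher's own code. Starting the daemon with python -s (or PYTHONNOUSERSITE=1 in its environment) skips that probe and removes the access rather than hiding it; the rule generator is there to show what each policy-side option (allow versus dontaudit) would look like before choosing between them.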
spacewalk.git master: 345b0b0a0e088b5cc3ac0ee6c813937946dabc6d
For the record, I was able to reproduce the AVC denial with plain python -c 1 -- SELinux needs to be in Enforcing mode.
For the record, related cobblerd bugzilla 1103135.
The cobblerd_t issue is with Spacewalk-provided

# rpm -qa 'cobbler*'
cobbler20-2.0.11-22.fc20.noarch
cobbler2-2.0.11-22.fc20.noarch

so it should be fixed in Spacewalk repo as well.
Spacewalk 2.2 has been released: https://fedorahosted.org/spacewalk/wiki/ReleaseNotes22