Bug 1130513 - SELinux is preventing /usr/bin/python2.7 from 'connectto' accesses on the unix_stream_socket .
Summary: SELinux is preventing /usr/bin/python2.7 from 'connectto' accesses on the uni...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:0ca12b54f684f47096e25aba382...
Duplicates: 1130515
Depends On:
Blocks:
 
Reported: 2014-08-15 12:56 UTC by Moez Roy
Modified: 2014-09-09 22:24 UTC
CC: 5 users

Fixed In Version: selinux-policy-3.12.1-183.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-09 22:24:16 UTC



Description Moez Roy 2014-08-15 12:56:21 UTC
Description of problem:
SELinux is preventing /usr/bin/python2.7 from 'connectto' accesses on the unix_stream_socket .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python2.7 should be allowed connectto access on the  unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep dnssec-trigger- /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:initrc_t:s0
Target Context                system_u:system_r:NetworkManager_t:s0
Target Objects                 [ unix_stream_socket ]
Source                        dnssec-trigger-
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.7.5-13.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-179.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.15.9-200.fc20.x86_64 #1 SMP Sat
                              Aug 9 09:02:55 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-08-15 05:29:56 PDT
Last Seen                     2014-08-15 05:29:56 PDT
Local ID                      f6a3b43f-eb12-4afb-8e5d-be03626104ea

Raw Audit Messages
type=AVC msg=audit(1408105796.242:1095): avc:  denied  { connectto } for  pid=5694 comm="dnssec-trigger-" path="/run/NetworkManager/private" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=unix_stream_socket


type=SYSCALL msg=audit(1408105796.242:1095): arch=x86_64 syscall=connect success=yes exit=0 a0=5 a1=7fff496ef0f0 a2=21 a3=7fff496eeea0 items=0 ppid=5645 pid=5694 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=dnssec-trigger- exe=/usr/bin/python2.7 subj=system_u:system_r:initrc_t:s0 key=(null)

Hash: dnssec-trigger-,initrc_t,NetworkManager_t,unix_stream_socket,connectto

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.15.9-200.fc20.x86_64
type:           libreport

Comment 1 Miroslav Grepl 2014-09-03 14:06:53 UTC
*** Bug 1130515 has been marked as a duplicate of this bug. ***

Comment 2 Miroslav Grepl 2014-09-03 14:21:16 UTC
It looks like you have a labeling issue?

What does

# restorecon -Rv /usr/bin /usr/sbin

Comment 3 Moez Roy 2014-09-04 07:51:45 UTC
[me@h ~]$ sudo restorecon -Rv /usr/bin /usr/sbin
[sudo] password for me: 
[me@h ~]$ 

does nothing.

But just so you know I have now made it a habit to run ' sudo restorecon -R -F -v / ' after every yum update.

After yum updates if I run restorecon I can see output that it is resetting some stuff.

Comment 4 Moez Roy 2014-09-04 08:06:40 UTC
Just noticed that this is dnssec-trigger.

Please switch to updates Testing and do:

yum install dnssec-trigger

systemctl enable dnssec-triggerd.service

systemctl enable unbound.service

service unbound restart

service dnssec-triggerd restart

Comment 5 Miroslav Grepl 2014-09-04 08:18:10 UTC
You are right. We don't have support for it.

/usr/bin/dnssec-trigger-panel 
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/dnssec-trigger-panel

Comment 6 Miroslav Grepl 2014-09-04 08:22:37 UTC
Uff. Wrong binary. I see

$ ps -eZ |grep trigger
system_u:system_r:dnssec_trigger_t:s0 6637 ?   00:00:00 dnssec-triggerd

on my F21 system.

What does

# ps -efZ |grep initrc

Comment 7 Miroslav Grepl 2014-09-04 08:23:21 UTC
commit 2ad338f0cff31ea0b4200a46800331fd2f22c147
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Wed Sep 3 16:38:42 2014 +0200

    Label /usr/sbin/unbound-control as named_exec_t (#1130510)


is the fix for the unbound issue.

Comment 8 Moez Roy 2014-09-04 08:36:43 UTC
(In reply to Miroslav Grepl from comment #6)
> Uff. Wrong binary. I see
> 
> $ ps -eZ |grep trigger
> system_u:system_r:dnssec_trigger_t:s0 6637 ?   00:00:00 dnssec-triggerd
> 
> on my F21 system.
> 
> What does
> 
> # ps -efZ |grep initrc

[me@h ~]$ ps -efZ | grep initrc
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 me 5296 5253  0 01:30 pts/4 00:00:00 grep --color=auto initrc
[me@h ~]$

Comment 9 Moez Roy 2014-09-04 08:38:09 UTC
(In reply to quickbooks.office from comment #8)
> (In reply to Miroslav Grepl from comment #6)
> > Uff. Wrong binary. I see
> > 
> > $ ps -eZ |grep trigger
> > system_u:system_r:dnssec_trigger_t:s0 6637 ?   00:00:00 dnssec-triggerd
> > 
> > on my F21 system.
> > 
> > What does
> > 
> > # ps -efZ |grep initrc
> 
> [me@h ~]$ ps -efZ | grep initrc
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 me 5296 5253  0 01:30
> pts/4 00:00:00 grep --color=auto initrc
> [me@h ~]$

See also https://bugzilla.redhat.com/show_bug.cgi?id=1130259#c2

Comment 10 Miroslav Grepl 2014-09-04 08:39:37 UTC
So it looks like dnssec-triggerd is running with the correct labeling.

# ps -eZ |grep dnssec
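The denial in the description and the labeling checks in comments 6 and 10 illustrate a general triage step that is worth doing before following the catchall plugin's audit2allow advice: the source context is initrc_t, a generic domain, which means the daemon never transitioned into its own confined domain (dnssec_trigger_t on a correctly labeled system). An allow rule generated from that AVC would grant every initrc_t process connectto on NetworkManager's private socket, which is far broader than fixing the label or the policy. The script below is an added example, not code from this bug report, setroubleshoot or selinux-policy. It parses the raw AVC line quoted in the description, shows the rule audit2allow would produce, and flags the denial as a labeling/transition problem. The EXPECTED_DOMAIN table and the second, confined-domain sample line are constructed for illustration and are assumptions, not output from any real system.

```python
"""Triage an SELinux AVC denial before generating an allow rule.

Added example for illustration; not part of the bug report, setroubleshoot or
selinux-policy. Only SAMPLE_AVC is real (copied from the report); everything
else below is an assumption made for the demonstration.
"""
import re
from dataclasses import dataclass

# Raw AVC message copied from the bug description.
SAMPLE_AVC = (
    'type=AVC msg=audit(1408105796.242:1095): avc:  denied  { connectto } for  '
    'pid=5694 comm="dnssec-trigger-" path="/run/NetworkManager/private" '
    'scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:system_r:NetworkManager_t:s0 tclass=unix_stream_socket'
)

# Constructed sample (not from the report): a denial from an already confined
# domain, where a policy rule rather than relabeling is the plausible fix.
SAMPLE_CONFINED = (
    'type=AVC msg=audit(1400000000.000:1): avc:  denied  { read open } for  '
    'pid=42 comm="unbound" name="root.key" scontext=system_u:system_r:named_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file'
)

# Assumed table: process name (as the kernel reports comm, truncated to 15
# characters) -> domain the daemon is expected to run in once its executable
# is labeled so that a domain transition happens (see comment 6).
EXPECTED_DOMAIN = {
    "dnssec-triggerd": "dnssec_trigger_t",
    "dnssec-trigger-": "dnssec_trigger_t",
}

# Generic domains: a daemon found here did not transition out of its parent
# (init script / systemd / login shell) domain.
GENERIC_DOMAINS = {"initrc_t", "init_t", "unconfined_t", "unconfined_service_t"}

_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    perms: list
    fields: dict

    def type_of(self, ctx_key):
        # A context is user:role:type[:level]; the type is the third field.
        return self.fields[ctx_key].split(":")[2]

    @property
    def source_type(self):
        return self.type_of("scontext")

    @property
    def target_type(self):
        return self.type_of("tcontext")

    @property
    def comm(self):
        return self.fields.get("comm", "")


def parse_avc(line):
    """Parse one 'type=AVC ... avc: denied { perms } for k=v ...' line."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial line")
    perms = m.group("perms").split()
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("kv"))}
    return Avc(perms, fields)


def allow_rule(avc):
    """The allow rule audit2allow would emit for this single denial."""
    perms = avc.perms[0] if len(avc.perms) == 1 else "{ " + " ".join(avc.perms) + " }"
    return f"allow {avc.source_type} {avc.target_type}:{avc.fields['tclass']} {perms};"


def triage(avc):
    """Return (verdict, advice) for a parsed denial."""
    expected = EXPECTED_DOMAIN.get(avc.comm)
    rule = allow_rule(avc)
    if avc.source_type in GENERIC_DOMAINS and expected and expected != avc.source_type:
        return ("labeling",
                f"{avc.comm} runs as {avc.source_type} but should run as {expected}; "
                f"fix the executable label (restorecon, ps -eZ) instead of adding: {rule}")
    if avc.source_type in GENERIC_DOMAINS:
        return ("unconfined-source",
                f"{avc.comm} is in {avc.source_type}; this rule would widen access for "
                f"every process in that domain: {rule}")
    return ("policy", f"confined domain lacks access; candidate rule: {rule}")


if __name__ == "__main__":
    for line in (SAMPLE_AVC, SAMPLE_CONFINED):
        a = parse_avc(line)
        verdict, advice = triage(a)
        print(f"{a.comm}: {a.source_type} -> {a.target_type} [{verdict}] {advice}")
```

Run against the report's AVC the verdict is "labeling": the binary-level fix that landed in selinux-policy-3.12.1-183.fc20 is the right shape of remedy, whereas the catchall module would have left dnssec-trigger running unconfined with an extra hole punched into NetworkManager's private socket.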

Comment 11 Fedora Update System 2014-09-04 11:34:00 UTC
selinux-policy-3.12.1-183.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-183.fc20

Comment 12 Fedora Update System 2014-09-09 22:24:16 UTC
selinux-policy-3.12.1-183.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

