Bug 1198448 - SELinux is preventing /usr/bin/python2.7 from using the 'dac_override' capabilities.
Summary: SELinux is preventing /usr/bin/python2.7 from using the 'dac_override' capabi...
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:8e9c796e06305dd7478d9f24c14...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-03-04 07:32 UTC by Heiko Adams
Modified: 2015-10-15 16:12 UTC (History)
29 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-10-12 11:12:20 UTC
Type: ---


Attachments (Terms of Use)

Description Heiko Adams 2015-03-04 07:32:03 UTC
Description of problem:
Build blueman from git and started blueman-applet afterwards
SELinux is preventing /usr/bin/python2.7 from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If sie überprüfen wollen, ob Domäne diesen Zugriff benötigt oder Sie eine Datei mit den falschen Berechtigungen auf Ihrem System haben
Then aktivieren Sie die vollständige Audit-Funktion, um die Pfad-Information der problematischen Datei zu erhalten. Dann reproduzieren Sie den Fehler erneut.
Do

Volle Audit-Funktion aktivieren
# auditctl -w /etc/shadow -p w
Versuchen Sie AVC zu reproduzieren. Führen Sie dann folgendes aus
# ausearch -m avc -ts recent
Falls PATH record ersichtlich ist, überprüfen Sie Eigentümer/ Berechtigungen der Datei und korrigieren Sie dies,
anderenfalls melden Sie dies an Bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If sie denken, dass python2.7 standardmäßig dac_override Berechtigung haben sollten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Context                system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        python
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.7.8-7.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-105.3.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.18.7-200.fc21.x86_64 #1 SMP Wed
                              Feb 11 21:53:17 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-03-04 07:40:27 CET
Last Seen                     2015-03-04 07:40:27 CET
Local ID                      20531542-3759-454d-aa55-849a577fc1ed

Raw Audit Messages
type=AVC msg=audit(1425451227.461:498): avc:  denied  { dac_override } for  pid=2133 comm="python" capability=1  scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tclass=capability permissive=0


type=SYSCALL msg=audit(1425451227.461:498): arch=x86_64 syscall=access success=no exit=EACCES a0=7fff23c8aa67 a1=2 a2=0 a3=7fff23c8a021 items=0 ppid=2132 pid=2133 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=python exe=/usr/bin/python2.7 subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)

Hash: python,blueman_t,blueman_t,capability,dac_override

Version-Release number of selected component:
selinux-policy-3.13.1-105.3.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.7-200.fc21.x86_64
type:           libreport

Comment 1 Miroslav Grepl 2015-03-18 09:26:59 UTC
Volle Audit-Funktion aktivieren
# auditctl -w /etc/shadow -p w
Versuchen Sie AVC zu reproduzieren. Führen Sie dann folgendes aus
# ausearch -m avc -ts recent
Falls PATH record ersichtlich ist, überprüfen Sie Eigentümer/ Berechtigungen der Datei und korrigieren Sie dies,
anderenfalls melden Sie dies an Bugzilla.

Comment 2 Heiko Adams 2015-03-19 17:36:23 UTC
I recently updated my system to Fedora 22 and the problem is no longer reproduceable there. So it seems to be fixed in fc22

Comment 3 Brian J. Murrell 2015-05-29 11:37:08 UTC
Description of problem:
Using the blueman-applet from https://admin.fedoraproject.org/updates/blueman-2.0-5.fc21.

Version-Release number of selected component:
selinux-policy-3.13.1-105.6.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.1-201.fc21.x86_64
type:           libreport

Comment 4 Darth Vader 2015-06-05 19:00:21 UTC
Description of problem:
starting blueman configuration gui but bluez daemon wasn't active

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.5-200.fc21.i686
type:           libreport

Comment 5 zafod.beeblefrox 2015-06-11 12:08:34 UTC
Description of problem:
blueman installed and started. immediately this and 3 other problems reported by selinux alert browser

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         4.0.4-202.fc21.x86_64
type:           libreport

Comment 6 Diego Perini 2015-06-21 15:08:25 UTC
Description of problem:
SELinux is preventing python from using the dac_override capability.

Plugin: catchall 
you want to allow python to have dac_override access on the Unknown capabilitySe Si pensa che python dovrebbe avere funzionalità dac_override in modo predefinito.
Si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Consentire questo accesso per il momento eseguendo:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         4.0.4-202.fc21.i686
type:           libreport

Comment 7 Dave Johansen 2015-07-07 14:42:08 UTC
Description of problem:
It happens every time I restart.

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         4.0.6-200.fc21.i686
type:           libreport

Comment 8 mosquitobite82 2015-08-12 12:20:00 UTC
Description of problem:
This issue started with an error message that I got after I

installed:
- wayland
- weston
and
- cinnamon-desktop

logged out and then logged in again with:
- gnome on wayland

What happened was: 
- these error messages
- unable to use my admin-user password in the GUI package-installer
- BUT was able to use yum in the terminal with the same admin-user password
- some crazy stuff, suddenly being logged out

Version-Release number of selected component:
selinux-policy-3.13.1-105.19.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         4.1.4-100.fc21.x86_64
type:           libreport

Comment 9 Lukas Vrabec 2015-08-31 11:12:12 UTC
Hi, 
Please, turn on full auditing:
# echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
# service auditd restart

Reproduce this issue and attach AVCs. 

Thank you.

Comment 10 David Poulsen 2015-09-18 12:20:07 UTC
Description of problem:
After login from USB

Version-Release number of selected component:
selinux-policy-3.13.1-105.20.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         4.0.4-201.fc21.x86_64
type:           libreport

Comment 11 Tom Killian 2015-10-15 16:12:17 UTC
I've had this problem on an HP laptop.  After following the steps in Comment 9 I find that these changes to selinux policy fix the problem:

module myblueman 1.0;

require {
	type blueman_t;
	type configfs_t;
	type blueman_var_run_t;
	class dir write;
	class file execute;
}

#============= blueman_t ==============
# https://bugzilla.redhat.com/show_bug.cgi?id=1198448
allow blueman_t blueman_var_run_t:file execute;
allow blueman_t configfs_t:dir write;


Note You need to log in before you can comment on or make changes to this bug.