Bug 1300813 - [RHEL-7.3] avc: denied { open } for pid=12786 comm="rhsmcertd-worke"
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
ppc64 Linux
Severity: unspecified
Assigned To: Miroslav Grepl
Milos Malik
Reported: 2016-01-21 14:23 EST by PaulB
Modified: 2016-02-12 03:15 EST
Doc Type: Bug Fix
Last Closed: 2016-02-12 03:15:30 EST
Type: Bug

Description PaulB 2016-01-21 14:23:21 EST
Description of problem:
 The following avc error was seen while testing with RHEL-7.2 Server ppc64: 
 avc:  denied  { open } for  pid=12786 comm="rhsmcertd-worke" path="/usr/lib/python2.7/site-packages/ecdsa-0.13-py2.7.egg"

Version-Release number of selected component (if applicable):
 distro: RHEL-7.2 Server ppc64
 kernel: 3.10.0-342.el7
 selinux-policy: 3.13.1-60.el7.noarch

How reproducible:

Actual results:
time->Wed Jan 20 23:03:35 2016
type=SYSCALL msg=audit(1453349015.383:63): arch=80000015 syscall=5 success=no exit=-13 a0=3fffc861c2b0 a1=0 a2=1b6 a3=0 items=0 ppid=1365 pid=12785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python2.7" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1453349015.383:63): avc:  denied  { open } for  pid=12785 comm="rhsmcertd-worke" path="/usr/lib/python2.7/site-packages/ecdsa-0.13-py2.7.egg" dev="dm-0" ino=136148937 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file

Expected results:
 no avc errors

Additional info:
Comment 2 PaulB 2016-01-21 14:25:32 EST
Here is a reproducer targeting same ppc64 hosts:

Comment 3 Milos Malik 2016-01-22 03:15:42 EST
It seems that the /usr/lib/python2.7/site-packages/ecdsa-0.13-py2.7.egg file is mislabeled. The following command should correct it:

# restorecon -Rv /usr/lib/python2.7/site-packages

Why did it get mislabeled? Was the file moved from /tmp or /var/tmp into the /usr/lib/python2.7/site-packages directory?
Comment 4 Milos Malik 2016-01-22 03:20:02 EST
It seems that the AVCs appear before the following things happen:

Finished processing dependencies for paramiko==1.16.0
restorecon -R -v /usr/lib/python*/
restorecon reset /usr/lib/python2.7/site-packages/ecdsa-0.13-py2.7.egg context system_u:object_r:user_tmp_t:s0->system_u:object_r:lib_t:s0
restorecon reset /usr/lib/python2.7/site-packages/pycrypto-2.6.1-py2.7-linux-ppc64.egg context system_u:object_r:user_tmp_t:s0->system_u:object_r:lib_t:s0
INFO: Adding these info into /etc/hosts

because the restorecon command corrects labels on both files.
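
The triage done in the comments above, as an added example that is not part of the original bug report: it parses AVC denial records and flags those whose target file carries a tmp type but lives outside /tmp and /var/tmp, the pattern seen here. The type list, function names and the second sample record are assumptions made for illustration.

```python
import re
import shlex

# Assumption: types normally given to files created under /tmp or /var/tmp.
TMP_TYPES = {"tmp_t", "user_tmp_t"}
TMP_DIRS = ("/tmp/", "/var/tmp/")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

# First record is the AVC line from this report; the second is constructed
# for contrast (a tmp-typed file that really is under /tmp).
SAMPLE = [
    'type=AVC msg=audit(1453349015.383:63): avc:  denied  { open } for  pid=12785 comm="rhsmcertd-worke" path="/usr/lib/python2.7/site-packages/ecdsa-0.13-py2.7.egg" dev="dm-0" ino=136148937 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1453349020.000:64): avc:  denied  { open } for  pid=12790 comm="example" path="/tmp/build/scratch.txt" dev="dm-0" ino=42 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file',
]

def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    # shlex keeps quoted values (comm, path) as one token and drops the quotes.
    for token in shlex.split(m.group(2)):
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec

def selinux_type(context):
    """Type is the third field of user:role:type:level."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def mislabel_candidates(lines):
    """List (path, target type, source type) for tmp-typed files outside tmp dirs."""
    found = []
    for line in lines:
        rec = parse_avc(line)
        if not rec or "path" not in rec:
            continue
        ttype = selinux_type(rec.get("tcontext", ""))
        if ttype in TMP_TYPES and not rec["path"].startswith(TMP_DIRS):
            found.append((rec["path"], ttype, selinux_type(rec.get("scontext", ""))))
    return found

if __name__ == "__main__":
    for path, ttype, stype in mislabel_candidates(SAMPLE):
        print(f"{path}: labeled {ttype}, denied to {stype}; relabel with: restorecon -v {shlex.quote(path)}")
```

A hit means the file kept the label of the directory it was created in, which is what happens when a file is moved rather than copied into place.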
