Bug 1300813 - [RHEL-7.3] avc: denied { open } for pid=12786 comm="rhsmcertd-worke"
Summary: [RHEL-7.3] avc: denied { open } for pid=12786 comm="rhsmcertd-worke"
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: ppc64
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-01-21 19:23 UTC by PaulB
Modified: 2016-02-12 08:15 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-02-12 08:15:30 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description PaulB 2016-01-21 19:23:21 UTC 
Description of problem:
 The following avc error was seen while testing with RHEL-7.2 Server ppc64: 
 avc:  denied  { open } for  pid=12786 comm="rhsmcertd-worke" path="/usr/lib/python2.7/site-packages/ecdsa-0.13-py2.7.egg"

Version-Release number of selected component (if applicable):
 distro: RHEL-7.2 Server ppc64
 kernel: 3.10.0-342.el7
 selinux-policy: 3.13.1-60.el7.noarch

How reproducible:
 unknown

Actual results:
https://beaker.engineering.redhat.com/recipes/2426801
https://beaker.engineering.redhat.com/recipes/2426801#task37374186
http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2016/01/11957/1195735/2426801/37374186/183774185/test_log-env_setup-avc.log
---<-snip->---
time->Wed Jan 20 23:03:35 2016
type=SYSCALL msg=audit(1453349015.383:63): arch=80000015 syscall=5 success=no exit=-13 a0=3fffc861c2b0 a1=0 a2=1b6 a3=0 items=0 ppid=1365 pid=12785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python2.7" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1453349015.383:63): avc:  denied  { open } for  pid=12785 comm="rhsmcertd-worke" path="/usr/lib/python2.7/site-packages/ecdsa-0.13-py2.7.egg" dev="dm-0" ino=136148937 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
---<-snip->---

Expected results:
 no avc errors


Additional info:
Comment 2 PaulB 2016-01-21 19:25:32 UTC 
All,
Here is a reproducer targeting same ppc64 hosts:
 https://beaker.engineering.redhat.com/jobs/1195735

Best,
-pbunyan
Comment 3 Milos Malik 2016-01-22 08:15:42 UTC 
It seems that the /usr/lib/python2.7/site-packages/ecdsa-0.13-py2.7.egg file is mislabeled. Following command should correct it:

# restorecon -Rv /usr/lib/python2.7/site-packages

Why it got mislabeled? Was the file moved from /tmp or /vat/tmp into the /usr/lib/python2.7/site-packages directory?
Comment 4 Milos Malik 2016-01-22 08:20:02 UTC 
It seems that AVCs appear before following things happen:

Finished processing dependencies for paramiko==1.16.0
restorecon -R -v /usr/lib/python*/
restorecon reset /usr/lib/python2.7/site-packages/ecdsa-0.13-py2.7.egg context system_u:object_r:user_tmp_t:s0->system_u:object_r:lib_t:s0
restorecon reset /usr/lib/python2.7/site-packages/pycrypto-2.6.1-py2.7-linux-ppc64.egg context system_u:object_r:user_tmp_t:s0->system_u:object_r:lib_t:s0
INFO: Adding these info into /etc/hosts

because the restorecon command corrects labels on both files.
Comment 5 PaulB 2016-01-22 20:07:29 UTC 
All,
Here is another instance seen during automated testing:
https://beaker.engineering.redhat.com/jobs/1198503
https://beaker.engineering.redhat.com/recipes/2432890
https://beaker.engineering.redhat.com/recipes/2432890#task37441266

Best,
-pbunyan
Note You need to log in before you can comment on or make changes to this bug.