Description of problem:
Not sure what causes this report, I got it today and yesterday. Maybe while moving some mails in Thunderbird.

SELinux is preventing python from 'create' accesses on the file 1.

*****  Plugin catchall (100. confidence) suggests   **************************

If sie denken, dass es python standardmässig erlaubt sein sollte, create Zugriff auf 1 file zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
allow this access for now by executing:
# ausearch -c 'python' --raw | audit2allow -M my-python
# semodule -X 300 -i my-python.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:unconfined_t:s0
Target Objects                1 [ file ]
Source                        python
Source Path                   python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-158.21.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.7.2-101.fc23.x86_64 #1 SMP Fri Aug 26 15:59:00 UTC 2016 x86_64 x86_64
Alert Count                   6
First Seen                    2016-09-06 19:00:02 CEST
Last Seen                     2016-09-07 20:00:04 CEST
Local ID                      b5a3e76a-900a-4664-96f1-39b51aabf670

Raw Audit Messages
type=AVC msg=audit(1473271204.501:380): avc: denied { create } for pid=9931 comm="python" name="1" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=file permissive=0

Hash: python,unconfined_t,unconfined_t,file,create

Version-Release number of selected component:
selinux-policy-3.13.1-158.21.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.7.2-101.fc23.x86_64
type:           libreport
This is the same issue we are seeing with chrome. 1345836
I got another report today just after login and I still don't know what causes it, there are several applications in autostart.
It is not a problem. It is just a way the kernel is treating attempts to create a file that already exists. It used to only check the create if the file did not exist. Now it checks create even if the file exists. The AVC indicates that a python program tried to create a file named 1 in /proc. No one is allowed to create files in /proc, so this file must already exist. The AVC gets generated but the open call which used the CREATE flag still returns successfully. We are moving to have all domains dontaudit this access.
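A triage helper for the denial discussed in the comment above, added here as an example; it is not code from the reporter or from the selinux-policy maintainers. It parses the raw AVC record from the report (embedded as sample input) and flags a denied `create` on a file whose target type equals the source domain type; treating that match as the /proc case is an assumption of this example, and all function names are hypothetical.

```python
import re

# Sample input: the raw AVC record quoted in the report above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1473271204.501:380): avc: denied { create } for '
    'pid=9931 comm="python" name="1" '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=file permissive=0'
)

_HEAD = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the AVC record as a dict, or None if the line is not an AVC."""
    head = _HEAD.search(line)
    if head is None:
        return None
    rec = {"result": head.group(1), "perms": head.group(2).split()}
    # Everything after the permission set is key=value, some values quoted.
    for key, value in _KV.findall(line[head.end():]):
        rec[key] = value.strip('"')
    return rec


def context_type(context):
    """Type is the third field of user:role:type:level[:categories]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def looks_like_create_on_existing_proc_file(rec):
    """Heuristic (assumption of this example, not stated in the thread):
    a denied 'create' on tclass=file whose target type is the source
    domain's own type, as seen in the record from this report."""
    if rec is None or rec.get("result") != "denied":
        return False
    if rec.get("perms") != ["create"] or rec.get("tclass") != "file":
        return False
    source_type = context_type(rec.get("scontext", ""))
    target_type = context_type(rec.get("tcontext", ""))
    return source_type is not None and source_type == target_type
```

Records that match are candidates for the dontaudit treatment the comment describes; anything else still deserves a normal review before a local audit2allow module is loaded.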
You say /proc is read-only, I assume the file is expected to be created by the kernel. Could it be a bug in/with kernel 4.7.2? But I did not see this report in Fedora 24 (Plasma5), also with kernel 4.7.2, on another box, only with Fedora 23 (Cinnamon).
selinux-policy-3.13.1-158.24.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f739cc7524
selinux-policy-3.13.1-158.24.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f739cc7524
How to approach this problem since file affected is called "1"???
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
selinux-policy-3.13.1-158.24.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.