Bug 1586033 - SELinux is preventing /usr/bin/python2.7 from execute_no_trans access on the file /usr/libexec/ipa/ipa-dnskeysync-replica
Summary: SELinux is preventing /usr/bin/python2.7 from execute_no_trans access on the ...
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Depends On:
TreeView+ depends on / blocked
Reported: 2018-06-05 10:59 UTC by Lukas Slebodnik
Modified: 2018-10-30 10:05 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-10-30 10:05:00 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3111 None None None 2018-10-30 10:05:28 UTC

Description Lukas Slebodnik 2018-06-05 10:59:51 UTC
SELinux is preventing /usr/bin/python2.7 from execute_no_trans access on the file /usr/libexec/ipa/ipa-dnskeysync-replica.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python2.7 should be allowed execute_no_trans access on the ipa-dnskeysync-replica file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'ipa-dnskeysyncd' --raw | audit2allow -M my-ipadnskeysyncd
# semodule -i my-ipadnskeysyncd.pp

Additional Information:
Source Context                system_u:system_r:ipa_dnskey_t:s0
Target Context                system_u:object_r:ipa_dnskey_exec_t:s0
Target Objects                /usr/libexec/ipa/ipa-dnskeysync-replica [ file ]
Source                        ipa-dnskeysyncd
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          c106.testrelm.test
Source RPM Packages           python-2.7.5-72.el7.x86_64
Target RPM Packages           ipa-server-4.5.4-10.el7_5.1.x86_64
Policy RPM                    selinux-policy-3.13.1-201.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     c106.testrelm.test
Platform                      Linux c106.testrelm.test 3.10.0-894.el7.x86_64 #1
                              SMP Mon May 28 17:01:44 EDT 2018 x86_64 x86_64
Alert Count                   32
First Seen                    2018-06-05 06:19:52 EDT
Last Seen                     2018-06-05 06:51:13 EDT
Local ID                      d4d8b88c-9077-4421-bc2b-bf90f556d380

Raw Audit Messages
type=AVC msg=audit(1528195873.272:798): avc:  denied  { execute_no_trans } for  pid=32874 comm="ipa-dnskeysyncd" path="/usr/libexec/ipa/ipa-dnskeysync-replica" dev="dm-0" ino=34535361 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:ipa_dnskey_exec_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1528195873.272:798): arch=x86_64 syscall=execve success=no exit=EACCES a0=267fb40 a1=359c1c0 a2=39d2120 a3=7ffc7693c960 items=1 ppid=32864 pid=32874 auid=4294967295 uid=995 gid=25 euid=995 suid=995 fsuid=995 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm=ipa-dnskeysyncd exe=/usr/bin/python2.7 subj=system_u:system_r:ipa_dnskey_t:s0 key=(null)

type=CWD msg=audit(1528195873.272:798): cwd=/

type=PATH msg=audit(1528195873.272:798): item=0 name=/usr/libexec/ipa/ipa-dnskeysync-replica inode=34535361 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ipa_dnskey_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: ipa-dnskeysyncd,ipa_dnskey_t,ipa_dnskey_exec_t,file,execute_no_trans

Comment 5 errata-xmlrpc 2018-10-30 10:05:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.