Bug 2181958 - SELinux is preventing sbis-daemon from 'create' accesses on the directory __pycache__.
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 39
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:7c40f5d330824efb21b11382024...
Depends On:
Blocks:
Reported: 2023-03-27 05:44 UTC by Mikhail
Modified: 2023-08-16 07:12 UTC (History)
Attachments
File: description (1.98 KB, text/plain), 2023-03-27 05:44 UTC, Mikhail
File: os_info (770 bytes, text/plain), 2023-03-27 05:44 UTC, Mikhail

Description Mikhail 2023-03-27 05:44:21 UTC
Description of problem:
SELinux is preventing sbis-daemon from 'create' accesses on the directory __pycache__.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sbis-daemon should be allowed create access on the __pycache__ directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sbis-daemon' --raw | audit2allow -M my-sbisdaemon
# semodule -X 300 -i my-sbisdaemon.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c801,c995
Target Context                system_u:object_r:user_home_t:s0
Target Objects                __pycache__ [ dir ]
Source                        sbis-daemon
Source Path                   sbis-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.8-1.fc39.noarch
Local Policy RPM              selinux-policy-targeted-38.8-1.fc39.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 6.3.0-
                              0.rc3.20230323gitfff5a5e7f528.32.fc39.x86_64+debug
                              #1 SMP PREEMPT_DYNAMIC Thu Mar 23 17:04:23 UTC
                              2023 x86_64
Alert Count                   2
First Seen                    2023-03-24 20:25:20 +05
Last Seen                     2023-03-24 20:42:30 +05
Local ID                      06681341-c01e-4be3-a6db-021146312d8f

Raw Audit Messages
type=AVC msg=audit(1679672550.840:2162): avc:  denied  { create } for  pid=109086 comm="FutureInvoke" name="__pycache__" scontext=system_u:system_r:container_t:s0:c801,c995 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1


Hash: sbis-daemon,container_t,user_home_t,dir,create

Version-Release number of selected component:
selinux-policy-targeted-38.8-1.fc39.noarch

Additional info:
reporter:       libreport-2.17.9
reason:         SELinux is preventing sbis-daemon from 'create' accesses on the directory __pycache__.
package:        selinux-policy-targeted-38.8-1.fc39.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.3.0-0.rc3.20230324git1e760fa3596e.34.fc39.x86_64+debug
component:      selinux-policy

Comment 1 Mikhail 2023-03-27 05:44:23 UTC
Created attachment 1953869 [details]
File: description

Comment 2 Mikhail 2023-03-27 05:44:25 UTC
Created attachment 1953870 [details]
File: os_info

Comment 3 Daniel Walsh 2023-03-27 16:25:27 UTC
Did you volume mount in a directory in your homedir without using :Z or :z?

Comment 4 Mikhail 2023-03-29 23:53:08 UTC
(In reply to Daniel Walsh from comment #3)
> Did you volume mount in a directory in your homedir without using :Z or :z?

With :Z, podman didn't work on macOS. My launcher script is unified for both OSes.

% podman run -v "/Users/mikhail/packaging-work/git/stend/local-config.ini":"/root/services/www/config.ini":Z -v "/Users/mikhail/packaging-work/git/stend/local-config-ps.ini":"/root/services/www-ps/config.ini":Z --platform=linux/amd64 --rm --name="stend" --hostname="10-206-131-237.vpn.mycompany.com" --net=bridge -p=2001:2001 -p=2002:2002 --shm-size=1g  --memory="16g" --memory-swap="32g" dev-image-store.mycompany.com/local_stand/product:23.1100-latest

Error: preparing container 50d674cb7d8e419fce1b089d30bddd17778c27ac182ab680d10ce93dd4ff1a67 for attach: lsetxattr /Users/mikhail/packaging-work/git/stend/local-config.ini: operation not supported
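
The question in comment 3 can be checked against the record under "Raw Audit Messages": a container_t process touching content still labeled user_home_t suggests the bind-mounted path never received the container_file_t label that :z or :Z applies. The following is an added example, not part of the bug report or of setroubleshoot; the type sets and the triage() heuristic are assumptions made for illustration.

```python
import re

# AVC record copied from "Raw Audit Messages" in this report.
AVC_LINE = (
    'type=AVC msg=audit(1679672550.840:2162): avc:  denied  { create } for  '
    'pid=109086 comm="FutureInvoke" name="__pycache__" '
    'scontext=system_u:system_r:container_t:s0:c801,c995 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for this example: types treated as "container process" and
# "host home content that was never relabeled for container use".
CONTAINER_DOMAINS = {'container_t'}
HOME_TYPES = {'user_home_t', 'user_home_dir_t'}


def parse_avc(line):
    """Parse one AVC audit record into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    rec['result'] = m.group(1)
    rec['perms'] = m.group(2).split()
    for side in ('scontext', 'tcontext'):
        # user:role:type[:level]; the level itself may contain ':' (s0:c801,c995)
        parts = (rec.get(side, '').split(':', 3) + ['', '', '', ''])[:4]
        rec[side + '_type'], rec[side + '_level'] = parts[2], parts[3]
    rec['permissive'] = rec.get('permissive') == '1'
    return rec


def triage(rec):
    """Heuristic (assumed): classify a denial as a likely unlabeled bind mount."""
    src, tgt = rec['scontext_type'], rec['tcontext_type']
    if src in CONTAINER_DOMAINS and tgt in HOME_TYPES:
        effect = 'logged only' if rec['permissive'] else 'blocked'
        return ('unlabeled-volume',
                f"{src} {','.join(rec['perms'])} on {rec.get('tclass', '?')} "
                f"{rec.get('name', '?')!r} ({tgt}): {effect}; "
                "mounted path likely lacks container_file_t (:z or :Z)")
    return ('other', f"{src} -> {tgt}: needs manual review")


if __name__ == '__main__':
    print(triage(parse_avc(AVC_LINE)))
```

After a :Z relabel the target would carry container_file_t with the container's own categories (here c801,c995); after :z it would carry container_file_t at s0, shared between containers.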

Comment 5 Fedora Release Engineering 2023-08-16 07:12:31 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.

