Description of problem: Running targeted/enforcing, when starting setroubleshootd (via 'service setroubleshoot start') after editing a comma into /usr/lib/python2.5/site-packages/rhpl/__init__.py, I get numerous AVCs (see attached log file). 'audit2allow -i log' produces:

allow setroubleshootd_t ld_so_t:file execute_no_trans;
allow setroubleshootd_t ldconfig_exec_t:file { execute getattr };
allow setroubleshootd_t lib_t:dir write;
allow setroubleshootd_t root_t:file unlink;
allow setroubleshootd_t tmp_t:dir write;

Version-Release number of selected component (if applicable): setroubleshoot-1.8.14-1.fc7

How reproducible: every time

Steps to Reproduce:
1. 'service setroubleshoot start' (first add missing comma to __init__.py)
2.
3.

Actual results:

Expected results:

Additional info:
Created attachment 145495: AVCs from 'service setroubleshoot start'
Update to rhpl-0.201-2 fixes the lib_t:dir write AVC, but the others remain. The 'root_t' AVCs link to files in '/'; I now appear to have 30-40 of them littering /. Here is a snippet from 'ls /':

drwxr-xr-x 106 root root 12288 2007-01-13 09:59 etc
drwxr-xr-x 2 root root 4096 2007-01-13 09:58 media
drwxr-xr-x 2 root root 0 2007-01-13 09:58 net
drwxr-xr-x 2 root root 0 2007-01-13 09:58 misc
-rw------- 1 root root 4 2007-01-13 09:58 jql-Nf
-rw------- 1 root root 4 2007-01-13 09:58 miIZiq
drwxr-xr-x 4 root root 0 2007-01-13 09:57 selinux
drwxr-xr-x 11 root root 0 2007-01-13 09:57 sys
dr-xr-xr-x 178 root root 0 2007-01-13 09:57 proc
-rw------- 1 root root 4 2007-01-13 09:26 PXg1az
-rw------- 1 root root 4 2007-01-13 09:26 q5aIuX
drwxr-xr-x 2 root root 12288 2007-01-13 09:18 sbin
drwxr-xr-x 15 root root 4096 2007-01-13 09:18 lib
drwxr-xr-x 2 root root 4096 2007-01-13 09:17 bin
-rw------- 1 root root 4 2007-01-13 08:45 iAhIbM
-rw------- 1 root root 4 2007-01-13 08:45 xuIxiw
-rw------- 1 root root 4 2007-01-12 16:06 TWba1B
-rw------- 1 root root 4 2007-01-12 16:05 31fgzJ

although there are many more.... Here are the one(s) referred to in the above AVCs:

-rw------- 1 root root 4 2007-01-12 15:05 e3CqDz
-rw------- 1 root root 4 2007-01-12 15:05 -tYpe9

Looks like I'm getting 2 of these each time I boot. Contents appear to be the string "blat".
The "blat" files appear to be coming from _get_default_tempdir() in /usr/lib/python2.5/tempfile.py (guessing from a call to mkstemp()?). _get_default_tempdir() tries to create a file, write the string "blat", close and then unlink the file (apparently testing create/write/unlink) in that directory. These files are being created and written in "/" with label "root_t", and it appears the following AVC blocks the unlink:

type=AVC msg=audit(1168643147.575:103): avc: denied { unlink } for pid=13888 comm="setroubleshootd" name="e3CqDz" dev=dm-0 ino=100203 scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=user_u:object_r:root_t:s0 tclass=file
type=SYSCALL msg=audit(1168643147.575:103): arch=40000003 syscall=10 success=no exit=-13 a0=8891c38 a1=1 a2=4c7f20b4 a3=87981b0 items=0 ppid=1 pid=13888 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" subj=user_u:system_r:setroubleshootd_t:s0 key=(null)

/usr/sbin/setroubleshootd cd's to "/". Is that causing this?
Still having the AVC problem with setroubleshoot-1.8.15-1.fc7. I get the same AVCs as above. Putting the system in permissive mode and running 'service setroubleshoot start' produces:

type=AVC msg=audit(1170341931.733:44): avc: denied { read } for pid=7412 comm="setroubleshootd" name=".rpmmacros" dev=dm-0 ino=131558 scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1170341931.733:44): arch=40000003 syscall=5 success=yes exit=12 a0=8c86f20 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=7412 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" subj=user_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1170341932.005:45): avc: denied { execute } for pid=7415 comm="sh" name="ldconfig" dev=dm-0 ino=11337797 scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1170341932.005:45): avc: denied { execute_no_trans } for pid=7415 comm="sh" name="ldconfig" dev=dm-0 ino=11337797 scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1170341932.005:45): avc: denied { read } for pid=7415 comm="sh" name="ldconfig" dev=dm-0 ino=11337797 scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1170341932.005:45): arch=40000003 syscall=11 success=yes exit=0 a0=9a5d8b8 a1=9a5d938 a2=9a5cf18 a3=0 items=0 ppid=7414 pid=7415 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ldconfig" exe="/sbin/ldconfig" subj=user_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC_PATH msg=audit(1170341932.005:45): path="/sbin/ldconfig"
type=AVC_PATH msg=audit(1170341932.005:45): path="/sbin/ldconfig"

.rpmmacros in the above AVC is from my home directory .... (!?) Have I screwed up something locally?
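To see at a glance what the raw records in the two comments above amount to, without running audit2allow, here is an added Python example (not part of this bug report, and not setroubleshoot's or audit2allow's own parser) that parses type=AVC lines, skips the SYSCALL/AVC_PATH records, and groups the denials by source type, target type and object class into audit2allow-style 'allow' lines. The sample log text is constructed from the records quoted above; the regex and field names are this example's own assumptions about the audit line format.

```python
import re
from collections import defaultdict

# Constructed sample built from the records quoted in the comments above,
# one audit record per line as in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1168643147.575:103): avc: denied { unlink } for pid=13888 comm="setroubleshootd" name="e3CqDz" dev=dm-0 ino=100203 scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=user_u:object_r:root_t:s0 tclass=file
type=SYSCALL msg=audit(1168643147.575:103): arch=40000003 syscall=10 success=no exit=-13 items=0 ppid=1 pid=13888 comm="setroubleshootd" exe="/usr/bin/python" subj=user_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1170341932.005:45): avc: denied { execute } for pid=7415 comm="sh" name="ldconfig" dev=dm-0 ino=11337797 scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1170341932.005:45): avc: denied { execute_no_trans } for pid=7415 comm="sh" name="ldconfig" dev=dm-0 ino=11337797 scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1170341932.005:45): avc: denied { read } for pid=7415 comm="sh" name="ldconfig" dev=dm-0 ino=11337797 scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
"""

# One AVC denial record; "name=" is optional because not every object class has it.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]*)"'
    r'(?: name="(?P<name>[^"]*)")?.*?scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

def parse_avcs(text):
    """Return one dict per AVC denial; SYSCALL and AVC_PATH lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()   # "{ execute read }" -> list
            records.append(rec)
    return records

def type_of(ctx):
    """user_u:system_r:setroubleshootd_t:s0 -> setroubleshootd_t"""
    return ctx.split(":")[2]

def summarize(text):
    """Collapse denials to (source type, target type, class) -> sorted perms,
    the grouping audit2allow uses for its 'allow' lines."""
    rules = defaultdict(set)
    for rec in parse_avcs(text):
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        rules[key].update(rec["perms"])
    return {k: sorted(v) for k, v in rules.items()}

def format_rules(rules):
    """Render the grouping as audit2allow-style lines, for review only."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    print("\n".join(format_rules(summarize(SAMPLE_AUDIT_LOG))))
```

Grouping this way shows that the root_t unlink is a single distinct denial (the leftover "blat" files) rather than noise, which is the rule worth chasing rather than allowing.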
Created attachment 147658: Enforcing mode audit log

After installing setroubleshoot-1.8.17-1.fc7, booted in both enforcing and permissive mode. Audit logs attached.
Created attachment 147659: Permissive mode audit log
Created attachment 148053: /var/log/audit/audit.log with setroubleshoot AVCs

setroubleshoot-1.8.18-1.fc7 has similar AVCs.... attached.
Created attachment 148176: Feb FC7T1 install and updates - final avc status.
The comments are inside the text attachment above. Basically, I am getting the same messages after a puzzling round on a fresh install. I think it was that makewhatis needed to run before I could use the tools and get a relabel. SELinux is now running and the AVCs remaining have not triggered sealert. Darwin
Now that SELinux is running, the other AVC messages are showing up. Looks like anacron for logwatch is messed up, and prelink. Messages from root e-mail:

2007-02-16 05:52:22 Cannot open main log file "/var/log/exim/main.log": Permission denied: euid=0 egid=93
2007-02-16 05:52:22 unable to set gid=93 or uid=93 (euid=0): privilege not needed
2007-02-16 05:52:22 Cannot open main log file "/var/log/exim/main.log": Permission denied: euid=0 egid=93
exim: could not open panic log - aborting: see message(s) above

New AVCs from audit.log in attachment.
Created attachment 148200: new avc messages from logwatch, anacron, prelink.

New AVCs from audit.log in attachment. Darwin
setroubleshoot AVCs fixed in setroubleshoot-1.9.1-1.fc7! Thanks. Close?
Created attachment 148734: avc messages remaining

The alert, setroubleshoot, policy, and tools need to all work together, so no, it is not closed; it just needs to be sent to some others. This attachment is after updates of Feb 23rd - current. setroubleshoot is not firing. logwatch is not working correctly. policycoreutils has a bad script. Darwin
Is 'setroubleshoot not firing' related to https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229849 ?
RE comment #14: yes, bug 229849 would, I expect, cause the "not firing" problem because the exception is generated during the construction of an alert.
Believe this is 'fixed in Rawhide'