Bug 254421 - SELinux is preventing semanage (semanage_t) "create" to sitecustomize.pyc (lib_t).
SELinux is preventing semanage (semanage_t) "create" to sitecustomize.pyc (li...
Product: Fedora
Classification: Fedora
Component: eric (Show other bugs)
i686 Linux
medium Severity low
: ---
: ---
Assigned To: Rex Dieter
Fedora Extras Quality Assurance
: Reopened
Depends On:
  Show dependency treegraph
Reported: 2007-08-25 16:35 EDT by Thomas Douglas
Modified: 2007-11-30 17:12 EST (History)
1 user (show)

See Also:
Fixed In Version: 3.9.2-3.fc7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-08-27 17:51:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Thomas Douglas 2007-08-25 16:35:39 EDT
Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:
    SELinux is preventing semanage (semanage_t) "create" to sitecustomize.copy

Detailed Description
    SELinux denied access requested by semanage. It is not expected that this
    access is required by semanage and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for sitecustomize.pyc, restorecon -v
    sitecustomize.pyc If this does not work, there is currently no automatic way
    to allow this access. Instead,  you can generate a local policy module to
    allow this access - see http://fedora.redhat.com/docs/selinux-faq-
    fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling
    SELinux protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:semanage_t
Target Context                system_u:object_r:lib_t
Target Objects                sitecustomize.pyc [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-2.6.4-38.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.20-2931.fc7xen #1
                              SMP Mon Aug 13 10:12:37 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Sat 25 Aug 2007 02:50:40 PM EDT
Last Seen                     Sat 25 Aug 2007 02:50:40 PM EDT
Local ID                      33a500a4-1e5e-4881-a574-5ec598117841
Line Numbers                  

Raw Audit Messages            

avc: denied { create } for comm="semanage" dev=dm-0 egid=0 euid=0
exe="/usr/bin/python" exit=6 fsgid=0 fsuid=0 gid=0 items=0
name="sitecustomize.pyc" pid=11337 scontext=system_u:system_r:semanage_t:s0
sgid=0 subj=system_u:system_r:semanage_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=0
Comment 1 Daniel Walsh 2007-08-27 08:57:22 EDT
This is unusual.  If you run 

python sitecustomize.copy

This problem will go away.  This is caused because no one has run you customized
py script yet to create the pyc.  semanage is not allowed to create these files,
but once the file gets created it will work fine.
Comment 2 Rex Dieter 2007-08-27 09:26:34 EDT
looks related to #243163, I'll reopen a try to address the missing .pyc files.
Comment 3 Rex Dieter 2007-08-27 09:31:41 EDT
* Mon Aug 27 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 3.9.2-3
- don't set PYTHONOPTIMIZE, let brp-python-bytecompile do it's job,
  addresses selinux issues (#243163, #254421)
Comment 4 Fedora Update System 2007-08-27 17:50:33 EDT
eric-3.9.2-3.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.