Description of problem:
SELinux denied access requested by python. It is not expected that this access is required by python and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Version-Release number of selected component (if applicable):
selinux-policy-strict-2.6.4-70.fc7
selinux-doc-1.26-1.1
selinux-policy-mls-2.6.4-70.fc7
selinux-policy-2.6.4-70.fc7
selinux-policy-devel-2.6.4-70.fc7
selinux-policy-targeted-2.6.4-70.fc7

How reproducible:
attempt to run yum update

Steps to Reproduce:
1. yum -y update
2. yum updates but SE Troubleshooter throws a warning
3. view message from SE Troubleshooter

Actual results:
Receive warnings from SE Troubleshooter when trying to update system

Expected results:
No nasty grams

Additional info:
Allowing Access
You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information

Source Context:         system_u:system_r:unconfined_t
Target Context:         system_u:system_r:rpm_script_t
Target Objects:         /bin/bash [ process ]
Affected RPM Packages:  bash-3.2-20.fc7 [target]
Policy RPM:             selinux-policy-2.6.4-70.fc7
Selinux Enabled:        True
Policy Type:            seedit
MLS Enabled:            True
Enforcing Mode:         Enforcing
Plugin Name:            plugins.catchall
Host Name:              timmieland.private
Platform:               Linux timmieland.private 2.6.23.14-64.fc7 #1 SMP Sun Jan 20 23:54:08 EST 2008 i686 athlon
Alert Count:            37
First Seen:             Sat 16 Feb 2008 03:50:46 PM MST
Last Seen:              Sat 16 Feb 2008 10:59:32 PM MST
Local ID:               a06ba4c7-a5de-4e93-88fd-ab92f0e56498
Line Numbers:

Raw Audit Messages:
avc: denied { transition } for comm="python" dev=dm-0 path="/bin/bash" pid=4144 scontext=system_u:system_r:unconfined_t:s0 tclass=process tcontext=system_u:system_r:rpm_script_t:s0

This looks like yum is not labeled rpm_exec_t, which it should be in this policy.

ls -lZ PATHTOYUM

restorecon PATHTOYUM

should fix.

(In reply to comment #1)
> This looks like yum is not labeled rpm_exec_t, which it should be in this policy.
>
> ls -lZ PATHTOYUM
>
> restorecon PATHTOYUM
>
> should fix.

Hmm, if I run locate rpm_exec_t it returns nothing. Let me force a relabel (again) and see if anything changes for this and all the other bugs.

$ man locate
NAME
       locate - find files by name
...

You probably wanted to use:
$ ls -RZ / | grep rpm_exec_t

For example:
$ ls -Z /usr/bin/yum
-rwxr-xr-x  root root system_u:object_r:rpm_exec_t:s0 /usr/bin/yum

If you see different results, your labels are probably in the wrong condition. Try relabeling as Dan pointed out:
# fixfiles relabel
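
An added example, not part of the original thread or of setroubleshoot: a small Python parser that extracts the source and target types from the raw AVC record in the report and checks an `ls -Z` line for the rpm_exec_t label the comments point to. The bin_t line is a constructed counter-example, and all function names are hypothetical.

```python
import re

# Raw AVC record copied from the report above.
AVC = ('avc: denied { transition } for comm="python" dev=dm-0 path="/bin/bash" '
       'pid=4144 scontext=system_u:system_r:unconfined_t:s0 tclass=process '
       'tcontext=system_u:system_r:rpm_script_t:s0')
# `ls -Z` line for a correctly labeled yum, as shown in the last comment.
LS_GOOD = '-rwxr-xr-x root root system_u:object_r:rpm_exec_t:s0 /usr/bin/yum'
# Constructed counter-example: the same file carrying a generic label.
LS_BAD = '-rwxr-xr-x root root system_u:object_r:bin_t:s0 /usr/bin/yum'

def parse_avc(line):
    """Split an AVC record into result, permission list and key=value fields."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        raise ValueError('not an AVC record')
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3))
    fields = {k: v.strip('"') for k, v in pairs}
    return {'result': m.group(1), 'perms': m.group(2).split(), **fields}

def se_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('malformed context: %r' % context)
    return parts[2]

def ls_z_type(line):
    """Locate the context column of an `ls -Z` line; return (path, type)."""
    cols = line.split()
    ctx = next(c for c in cols if c.count(':') >= 2)
    return cols[-1], se_type(ctx)

def check(avc_line, ls_line, expected_type='rpm_exec_t'):
    """Summarise the denial and whether the file carries the expected type."""
    avc = parse_avc(avc_line)
    path, ftype = ls_z_type(ls_line)
    denied = (avc['result'] == 'denied' and avc['tclass'] == 'process'
              and 'transition' in avc['perms'])
    return {'source': se_type(avc['scontext']), 'target': se_type(avc['tcontext']),
            'denied_transition': denied, 'path': path,
            'file_type': ftype, 'label_ok': ftype == expected_type}

if __name__ == '__main__':
    for ls_line in (LS_GOOD, LS_BAD):
        print(check(AVC, ls_line))
```
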