Bug 444345 - AVC denieds caused by setroubleshootd
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All Linux
Priority: low, Severity: high
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2008-04-27 10:40 EDT by Robert Scheck
Modified: 2008-04-28 15:22 EDT (History)
Last Closed: 2008-04-28 15:22:51 EDT
Description Robert Scheck 2008-04-27 10:40:15 EDT
Description of problem:
type=AVC msg=audit(1209305014.884:194219): avc:  denied  { write } for  pid=3753
comm="setroubleshootd" name="setroubleshoot" dev=cciss/c0d0p2 ino=443776
scontext=unconfined_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=dir
type=AVC msg=audit(1209305014.884:194219): avc:  denied  { remove_name } for 
pid=3753 comm="setroubleshootd" name="server.pyc" dev=cciss/c0d0p2 ino=443639
scontext=unconfined_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=dir
type=AVC msg=audit(1209305014.884:194219): avc:  denied  { unlink } for 
pid=3753 comm="setroubleshootd" name="server.pyc" dev=cciss/c0d0p2 ino=443639
scontext=unconfined_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1209305014.884:194219): arch=40000003 syscall=10
success=yes exit=0 a0=bf926ec7 a1=11 a2=253574 a3=8fd8648 items=0 ppid=1
pid=3753 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="setroubleshootd" exe="/usr/bin/python"
subj=unconfined_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1209305014.884:194220): avc:  denied  { add_name } for 
pid=3753 comm="setroubleshootd" name="server.pyc"
scontext=unconfined_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=dir
type=AVC msg=audit(1209305014.884:194220): avc:  denied  { create } for 
pid=3753 comm="setroubleshootd" name="server.pyc"
scontext=unconfined_u:system_r:setroubleshootd_t:s0
tcontext=unconfined_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1209305014.884:194220): avc:  denied  { write } for  pid=3753
comm="setroubleshootd" name="server.pyc" dev=cciss/c0d0p2 ino=443632
scontext=unconfined_u:system_r:setroubleshootd_t:s0
tcontext=unconfined_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1209305014.884:194220): arch=40000003 syscall=5
success=yes exit=6 a0=bf926ec7 a1=82c1 a2=1b6 a3=82c1 items=0 ppid=1 pid=3753
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="setroubleshootd" exe="/usr/bin/python"
subj=unconfined_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1209305015.028:194221): avc:  denied  { read } for  pid=3753
comm="setroubleshootd" name=".rpmmacros" dev=cciss/c0d0p2 ino=491645
scontext=unconfined_u:system_r:setroubleshootd_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1209305015.028:194221): arch=40000003 syscall=5
success=yes exit=11 a0=903cfa8 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=3753
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="setroubleshootd" exe="/usr/bin/python"
subj=unconfined_u:system_r:setroubleshootd_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-42

How reproducible:
Seems to be every time when restarting/starting the setroubleshootd via the 
initscript.

AVC denieds by setroubleshootd

Expected results:
No AVC denieds any longer... ;-)
Comment 1 John Poelstra 2008-04-28 08:47:59 EDT
Can you recheck the version of targeted policy you have?  That is several
revisions later than what is currently released which is: 
selinux-policy-targeted-3.3.1-35.fc9.noarch.rpm   
Comment 2 Daniel Walsh 2008-04-28 09:22:35 EDT
This looks like setroubleshoot is trying to update the pyc files.  Have you been
editing the python files?

42 is soon to be the Rawhide policy so that is not the problem.
Comment 3 Robert Scheck 2008-04-28 09:47:26 EDT
Uh yes. It is very possible that I changed server.py of setroubleshoot-server 
package manually. But that doesn't explain

type=AVC msg=audit(1209305015.028:194221): avc:  denied  { read } for  pid=3753
comm="setroubleshootd" name=".rpmmacros" dev=cciss/c0d0p2 ino=491645
scontext=unconfined_u:system_r:setroubleshootd_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file

for me...
Comment 4 Daniel Walsh 2008-04-28 10:41:53 EDT
setroubleshoot actually loads the rpm python module which attempts to read the
.rpmmacros file in the current $HOME.  Ordinarily this is /root which is labeled
admin_home_t and this is dontaudited.  But you started the service and then
generated an AVC which caused this AVC to happen.  Are you running in permissive
mode?  I am wondering if this is blocked if run in enforcing mode.
Comment 5 Robert Scheck 2008-04-28 10:45:38 EDT
Yes, permissive mode. But otherwise this AVC should be noaudit?!
Comment 6 Daniel Walsh 2008-04-28 15:22:51 EDT
dontaudited in selinux-policy-3.3.1-43.fc9.noarch
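
Added example, not part of the bug report or of setroubleshoot: a small Python triage script that rejoins the wrapped audit records quoted in the description and groups the AVC denials by source type, target type and object class, which separates the server.pyc rewrite under lib_t from the .rpmmacros read under user_home_t. The function names are hypothetical and the sample is a trimmed copy of the records above.

```python
import re
from collections import defaultdict

# Records copied from the bug description above, kept wrapped the way the
# bug tracker wrapped them (trimmed to three AVC records and one SYSCALL).
SAMPLE = """\
type=AVC msg=audit(1209305014.884:194219): avc:  denied  { write } for  pid=3753
comm="setroubleshootd" name="setroubleshoot" dev=cciss/c0d0p2 ino=443776
scontext=unconfined_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=dir
type=AVC msg=audit(1209305014.884:194219): avc:  denied  { remove_name } for
pid=3753 comm="setroubleshootd" name="server.pyc" dev=cciss/c0d0p2 ino=443639
scontext=unconfined_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1209305014.884:194219): arch=40000003 syscall=10
success=yes exit=0 a0=bf926ec7 a1=11 a2=253574 a3=8fd8648 items=0 ppid=1
type=AVC msg=audit(1209305015.028:194221): avc:  denied  { read } for  pid=3753
comm="setroubleshootd" name=".rpmmacros" dev=cciss/c0d0p2 ino=491645
scontext=unconfined_u:system_r:setroubleshootd_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?name="(?P<name>[^"]*)"'
    r'.*?scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)')

def unwrap(text):
    """Rejoin wrapped lines: a new record starts at each 'type=... msg=audit('."""
    flat = " ".join(line.strip() for line in text.splitlines())
    return [r.strip() for r in re.split(r'(?=type=[A-Z_]+ msg=audit\()', flat) if r.strip()]

def summarize(text):
    """Map (source type, target type, class) -> {'perms': set, 'names': set}."""
    out = defaultdict(lambda: {"perms": set(), "names": set()})
    for rec in unwrap(text):
        m = AVC_RE.search(rec)
        if not rec.startswith("type=AVC") or not m:
            continue  # SYSCALL and other record types carry no permission set
        key = (m["s"].split(":")[2], m["t"].split(":")[2], m["cls"])
        out[key]["perms"].update(m["perms"].split())
        out[key]["names"].add(m["name"])
    return dict(out)

if __name__ == "__main__":
    for (src, tgt, cls), v in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(v['perms']))} }} {sorted(v['names'])}")
```

Grouping by target type before reading individual records makes it easier to see that one report can contain denials with unrelated causes, as Comments 2 and 4 point out.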
