Bug 457051 - SELinux is preventing the get-updates.py (system_dbusd_t) from executing ./get-updates.py.
SELinux is preventing the get-updates.py (system_dbusd_t) from executing ./ge...
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
9
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
: 457054 457088 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-07-29 09:42 EDT by Charlie Brady
Modified: 2008-09-22 14:15 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-08-01 10:56:02 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Charlie Brady 2008-07-29 09:42:53 EDT
SELinux is preventing the get-updates.py (system_dbusd_t) from executing
./get-updates.py.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied the get-updates.py from executing ./get-updates.py. If
get-updates.py is supposed to be able to execute ./get-updates.py, this could be
a labeling problem. Most confined domains are allowed to execute files labeled
bin_t. So you could change the labeling on this file to bin_t and retry the
application. If this get-updates.py is not supposed to execute ./get-updates.py,
this could signal a intrusion attempt.

Allowing Access:

If you want to allow get-updates.py to execute ./get-updates.py: chcon -t bin_t
'./get-updates.py' If this fix works, please update the file context on disk,
with the following command: semanage fcontext -a -t bin_t './get-updates.py'
Please specify the full path to the executable, Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy
to make sure this becomes the default labeling.

Additional Information:

Source Context                system_u:system_r:system_dbusd_t:s0
Target Context                system_u:object_r:usr_t:s0
Target Objects                ./get-updates.py [ file ]
Source                        get-updates.py
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.5.1-26.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-79.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   execute
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.25.11-97.fc9.x86_64 #1 SMP Mon Jul 21 01:09:10
                              EDT 2008 x86_64 x86_64
Alert Count                   116
First Seen                    Sat Apr 26 22:01:48 2008
Last Seen                     Tue Jul 29 09:14:41 2008
Local ID                      ed70cc7b-8c07-4d04-b899-62980429c186
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1217337281.527:191): avc:  denied
 { execute } for  pid=3347 comm="packagekitd" name="get-updates.py" dev=dm-0
ino=3637986 scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file

host=localhost.localdomain type=AVC msg=audit(1217337281.527:191): avc:  denied
 { execute_no_trans } for  pid=3347 comm="packagekitd"
path="/usr/share/PackageKit/helpers/yum/get-updates.py" dev=dm-0 ino=3637986
scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1217337281.527:191):
arch=c000003e syscall=59 success=yes exit=0 a0=1c3d700 a1=1c457b0 a2=0 a3=0
items=0 ppid=2983 pid=3347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="get-updates.py"
exe="/usr/bin/python" subj=system_u:system_r:system_dbusd_t:s0 key=(null)
Comment 1 Daniel Walsh 2008-07-29 12:01:35 EDT
ls -lZ /usr/sbin/packagekitd 
-rwxr-xr-x  root root system_u:object_r:rpm_exec_t:s0  /usr/sbin/packagekitd

Looks like this is labeled wrong.

restorecon -R -v /usr/sbin/packagekitd
Comment 2 Charlie Brady 2008-07-29 13:06:21 EDT
(In reply to comment #1)
> ls -lZ /usr/sbin/packagekitd 
> -rwxr-xr-x  root root system_u:object_r:rpm_exec_t:s0  /usr/sbin/packagekitd
> 
> Looks like this is labeled wrong.

Not on my system, apparently: 

[charlieb@localhost ~]$ ls -lZ /usr/sbin/packagekitd 
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /usr/sbin/packagekitd
[charlieb@localhost ~]$

> 
> restorecon -R -v /usr/sbin/packagekitd
> 


[charlieb@localhost ~]$ sudo /sbin/restorecon -R -v /usr/sbin/packagekitd
[sudo] password for charlieb: 
[charlieb@localhost ~]$ ls -lZ /usr/sbin/packagekitd 
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /usr/sbin/packagekitd
[charlieb@localhost ~]$ 

But how would it be labelled wrongly anyway (immediately after a system wide
relabel)?
Comment 3 Daniel Walsh 2008-07-29 13:29:46 EDT
grep packagekitd /etc/selinux/targeted/contexts/files/file_contexts
/usr/sbin/packagekitd	--	system_u:object_r:rpm_exec_t:s0

Something seems strange

# matchpathcon /usr/sbin/packagekitd
/usr/sbin/packagekitd	system_u:object_r:rpm_exec_t:s0
Comment 4 Charlie Brady 2008-07-29 13:44:23 EDT
(In reply to comment #3)
> grep packagekitd /etc/selinux/targeted/contexts/files/file_contexts
> /usr/sbin/packagekitd	--	system_u:object_r:rpm_exec_t:s0
> 
> Something seems strange
> 
> # matchpathcon /usr/sbin/packagekitd
> /usr/sbin/packagekitd	system_u:object_r:rpm_exec_t:s0
> 

[charlieb@localhost ~]$ grep packagekitd
/etc/selinux/targeted/contexts/files/file_contexts
[charlieb@localhost ~]$ 
[charlieb@localhost ~]$ sudo /usr/sbin/matchpathcon /usr/sbin/packagekitd
/usr/sbin/packagekitd	system_u:object_r:bin_t:s0
[charlieb@localhost ~]$ 
Comment 5 Charlie Brady 2008-07-29 13:45:28 EDT
[charlieb@localhost ~]$ rpm -qf /etc/selinux/targeted/contexts/files/file_contexts
selinux-policy-targeted-3.3.1-79.fc9.noarch
[charlieb@localhost ~]$ sudo rpm -V selinux-policy-targeted-3.3.1-79.fc9.noarch
[charlieb@localhost ~]$ 
Comment 6 Daniel Walsh 2008-07-29 14:44:14 EDT
# semodule -B
# ls /etc/selinux/targeted/policy
Comment 7 Daniel Walsh 2008-07-29 14:45:39 EDT
*** Bug 457054 has been marked as a duplicate of this bug. ***
Comment 8 Daniel Walsh 2008-07-29 14:46:43 EDT
*** Bug 457088 has been marked as a duplicate of this bug. ***
Comment 9 Charlie Brady 2008-07-29 16:28:16 EDT
(In reply to comment #6)
> # semodule -B
> # ls /etc/selinux/targeted/policy

I'm guessing that those are instructions for me: 

[charlieb@localhost ~]$ ls -lR /etc/selinux/targeted/policy
/etc/selinux/targeted/policy:
total 3812
-rw-r--r-- 1 root root 3892998 2007-11-02 12:23 policy.21
[charlieb@localhost ~]$ rpm -qf !$
rpm -qf /etc/selinux/targeted/policy
selinux-policy-targeted-3.3.1-79.fc9.noarch
[charlieb@localhost ~]$ sudo rpm -V selinux-policy-targeted-3.3.1-79.fc9.noarch
[sudo] password for charlieb: 
[charlieb@localhost ~]$ 


[charlieb@localhost ~]$ sudo /usr/sbin/semodule -B
libsemanage.semanage_link_sandbox: Could not access sandbox base file
/etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
/usr/sbin/semodule:  Failed!
[charlieb@localhost ~]$ 

[charlieb@localhost ~]$ sudo find /etc/selinux/targeted/
/etc/selinux/targeted/
/etc/selinux/targeted/policy
/etc/selinux/targeted/policy/policy.21
/etc/selinux/targeted/seusers
/etc/selinux/targeted/contexts
/etc/selinux/targeted/contexts/customizable_types
/etc/selinux/targeted/contexts/x_contexts
/etc/selinux/targeted/contexts/dbus_contexts
/etc/selinux/targeted/contexts/initrc_context
/etc/selinux/targeted/contexts/userhelper_context
/etc/selinux/targeted/contexts/securetty_types
/etc/selinux/targeted/contexts/failsafe_context
/etc/selinux/targeted/contexts/removable_context
/etc/selinux/targeted/contexts/files
/etc/selinux/targeted/contexts/files/media
/etc/selinux/targeted/contexts/files/file_contexts.homedirs
/etc/selinux/targeted/contexts/files/file_contexts
/etc/selinux/targeted/contexts/default_contexts
/etc/selinux/targeted/contexts/users
/etc/selinux/targeted/contexts/users/guest_u
/etc/selinux/targeted/contexts/users/user_u
/etc/selinux/targeted/contexts/users/xguest_u
/etc/selinux/targeted/contexts/users/staff_u
/etc/selinux/targeted/contexts/users/root
/etc/selinux/targeted/contexts/users/unconfined_u
/etc/selinux/targeted/contexts/netfilter_contexts
/etc/selinux/targeted/contexts/default_type
/etc/selinux/targeted/setrans.conf
/etc/selinux/targeted/modules
/etc/selinux/targeted/modules/semanage.trans.LOCK
/etc/selinux/targeted/modules/semanage.read.LOCK
/etc/selinux/targeted/modules/active
/etc/selinux/targeted/modules/active/seusers
/etc/selinux/targeted/modules/active/modules
[charlieb@localhost ~]$ 

Comment 10 Charlie Brady 2008-07-29 16:30:17 EDT
[charlieb@localhost ~]$ rpm -qflv /etc/selinux/targeted/ | grep targeted.mod
drwxr-xr-x    2 root    root                0 Jul 18 15:24
/etc/selinux/targeted/modules
drwx------    2 root    root                0 Jul 18 15:24
/etc/selinux/targeted/modules/active
-rw-r--r--    1 root    root                0 Jul 18 15:24
/etc/selinux/targeted/modules/semanage.read.LOCK
-rw-r--r--    1 root    root                0 Jul 18 15:24
/etc/selinux/targeted/modules/semanage.trans.LOCK
[charlieb@localhost ~]$ 


[charlieb@localhost ~]$ sudo mkdir /etc/selinux/targeted/modules/tmp
[charlieb@localhost ~]$ sudo /usr/sbin/semodule -B
libsemanage.semanage_link_sandbox: Could not access sandbox base file
/etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
/usr/sbin/semodule:  Failed!
[charlieb@localhost ~]$ 

So it's not just the missing /tmp directory that is the problem.

Comment 11 Charlie Brady 2008-07-29 16:31:31 EDT
open("/proc/self/task/4277/attr/current", O_RDONLY) = 3
read(3, "unconfined_u:unconfined_r:semana"..., 4095) = 40
close(3)                                = 0
access("/etc/selinux/targeted/modules/active", R_OK|X_OK) = 0
access("/etc/selinux/targeted/modules/semanage.read.LOCK", R_OK) = 0
access("/etc/selinux/targeted/modules/active/modules", R_OK|W_OK|X_OK) = 0
access("/etc/selinux/targeted/modules/active", R_OK|X_OK) = 0
access("/etc/selinux/targeted/modules/semanage.read.LOCK", R_OK) = 0
access("/etc/selinux/targeted/modules/active/modules", R_OK|W_OK|X_OK) = 0
access("/etc/selinux/targeted/modules/active", R_OK|X_OK) = 0
access("/etc/selinux/targeted/modules/semanage.read.LOCK", R_OK) = 0
access("/etc/selinux/targeted/modules/active/modules", R_OK|W_OK|X_OK) = 0
access("/etc/selinux/targeted/modules/active", R_OK|X_OK) = 0
access("/etc/selinux/targeted/modules/semanage.read.LOCK", R_OK) = 0
access("/etc/selinux/targeted/modules/active/modules", R_OK|W_OK|X_OK) = 0
open("/etc/selinux/targeted/modules/semanage.trans.LOCK", O_RDONLY) = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
flock(3, LOCK_EX|LOCK_NB)               = 0
stat("/etc/selinux/targeted/modules/tmp", 0x7fff8c973e90) = -1 ENOENT (No such
file or directory)
mkdir("/etc/selinux/targeted/modules/tmp", 0700) = 0
open("/etc/selinux/targeted/modules/active",
O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
fcntl(4, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)
getdents(4, /* 4 entries */, 4096)      = 112
getdents(4, /* 0 entries */, 4096)      = 0
close(4)                                = 0
stat("/etc/selinux/targeted/modules/active/seusers", {st_mode=S_IFREG|0644,
st_size=127, ...}) = 0
open("/etc/selinux/targeted/modules/active/seusers", O_RDONLY) = 4
open("/etc/selinux/targeted/modules/tmp/seusers.tmp", O_WRONLY|O_CREAT|O_TRUNC,
0100644) = 5
read(4, "# This file is auto-generated by"..., 4192) = 127
write(5, "# This file is auto-generated by"..., 127) = 127
read(4, "", 4192)                       = 0
close(4)                                = 0
close(5)                                = 0
rename("/etc/selinux/targeted/modules/tmp/seusers.tmp",
"/etc/selinux/targeted/modules/tmp/seusers") = 0
stat("/etc/selinux/targeted/modules/active/modules", {st_mode=S_IFDIR|0700,
st_size=4096, ...}) = 0
mkdir("/etc/selinux/targeted/modules/tmp/modules", 0700) = 0
open("/etc/selinux/targeted/modules/active/modules",
O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents(4, /* 2 entries */, 4096)      = 48
getdents(4, /* 0 entries */, 4096)      = 0
close(4)                                = 0
open("/etc/selinux/targeted/modules/tmp/modules",
O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents(4, /* 2 entries */, 4096)      = 48
getdents(4, /* 0 entries */, 4096)      = 0
close(4)                                = 0
access("/etc/selinux/targeted/modules/tmp/base.pp", R_OK) = -1 ENOENT (No such
file or directory)
write(2, "libsemanage.semanage_link_sandbo"...,
35libsemanage.semanage_link_sandbox: ) = 35
write(2, "Could not access sandbox base fi"..., 77Could not access sandbox base
file /etc/selinux/targeted/modules/tmp/base.pp.) = 77
write(2, " (No such file or directory).", 29 (No such file or directory).) = 29
write(2, "\n", 1
)                       = 1
flock(3, LOCK_UN)                       = 0
close(3)                                = 0
open("/etc/selinux/targeted/modules/tmp",
O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents(3, /* 4 entries */, 4096)      = 112
getdents(3, /* 0 entries */, 4096)      = 0
close(3)                                = 0
stat("/etc/selinux/targeted/modules/tmp/seusers", {st_mode=S_IFREG|0644,
st_size=127, ...}) = 0
unlink("/etc/selinux/targeted/modules/tmp/seusers") = 0
stat("/etc/selinux/targeted/modules/tmp/modules", {st_mode=S_IFDIR|0700,
st_size=4096, ...}) = 0
open("/etc/selinux/targeted/modules/tmp/modules",
O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents(3, /* 2 entries */, 4096)      = 48
getdents(3, /* 0 entries */, 4096)      = 0
close(3)                                = 0
rmdir("/etc/selinux/targeted/modules/tmp/modules") = 0
rmdir("/etc/selinux/targeted/modules/tmp") = 0
write(2, "/usr/sbin/semodule:  Failed!\n", 29/usr/sbin/semodule:  Failed!
) = 29
exit_group(1)                           = ?
[charlieb@localhost ~]$ 

Comment 12 Daniel Walsh 2008-07-29 16:59:32 EDT
You seem to have a very screwed up machine.

# yum upgrade libse\* policycore\* checkpolicy\*
# setenforce 0
# rm -rf /etc/selinux
# rpm Uhv --force selinux-policy*3.3.1-79.fc9.noarch.rpm
# fixfiles restore

Comment 13 Charlie Brady 2008-07-29 17:18:04 EDT
(In reply to comment #12)
> You seem to have a very screwed up machine.
> 
> # yum upgrade libse\* policycore\* checkpolicy\*
> # setenforce 0
> # rm -rf /etc/selinux
> # rpm Uhv --force selinux-policy*3.3.1-79.fc9.noarch.rpm

OK, I'm doing this, and have got this far. 

This looks better:

[charlieb@localhost ~]$ sudo /usr/sbin/semanage user -l 
[sudo] password for charlieb: 

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            user       s0         s0-s0:c0.c1023                 staff_r
sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r
sysadm_r system_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r
user_u          user       s0         s0                             user_r
[charlieb@localhost ~]$ 
[charlieb@localhost ~]$ sudo /usr/sbin/semanage login -l 

Login Name                SELinux User              MLS/MCS Range            

__default__               user_u                    s0                       
root                      root                      s0-s0:c0.c1023           
system_u                  system_u                  s0-s0:c0.c1023           
[charlieb@localhost ~]$ 


> # fixfiles restore

And this is churning away.

What can I do to try to find when/how things went wrong?
Comment 14 Daniel Walsh 2008-08-01 10:56:02 EDT
I don't know.  Did you update from a previous version of Fedora.  Sometimes
updates break things.

It is usually safer to do a fresh install
Comment 15 Charlie Brady 2008-09-19 16:55:19 EDT
> # fixfiles restore
> And this is churning away.

It seems to have done the job.

> Did you update from a previous version of Fedora.

Only from the pre-release FC9.
Comment 16 Daniel Walsh 2008-09-22 14:15:14 EDT
You need to execute these commands to complete the cleanup.  These will cause users to log in as unconfined_t which is probably what you want.

# semanage user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
# semanage login -m -s "unconfined_u"  -r s0-s0:c0.c1023 __default__
# semanage login -m -s "unconfined_u"  -r s0-s0:c0.c1023 root

Log out and log back in id -Z should show unconfined_t

Note You need to log in before you can comment on or make changes to this bug.