Bug 533427 - SELinux is preventing /usr/bin/python "create" access on fedora-debuginfo.
Summary: SELinux is preventing /usr/bin/python "create" access on fedora-debuginfo.
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:9c9aad111bd...
Depends On:
Blocks:
Reported: 2009-11-06 18:33 UTC by Rod C. Johnson
Modified: 2013-04-21 15:09 UTC
CC List: 460 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-11-19 22:08:38 UTC
Type: ---


Attachments
I believe this is the right file. I am having trouble updating the system, an error always appears; please help me (60 bytes, patch)
2010-02-16 13:51 UTC, Artemio

Description Rod C. Johnson 2009-11-06 18:33:18 UTC
Summary:

SELinux is preventing /usr/bin/python "create" access on fedora-debuginfo.

Detailed Description:

[yum has a permissive type (abrt_t). This access was not denied.]

SELinux denied access requested by yum. It is not expected that this access is
required by yum and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:abrt_t:s0
Target Context                unconfined_u:object_r:rpm_var_cache_t:s0
Target Objects                fedora-debuginfo [ dir ]
Source                        yum
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.2-2.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-96.fc12.i686.PAE #1 SMP Fri
                              Oct 23 19:39:36 EDT 2009 i686 athlon
Alert Count                   1
First Seen                    Fri 06 Nov 2009 07:52:55 PM EET
Last Seen                     Fri 06 Nov 2009 07:52:55 PM EET
Local ID                      70126e06-2b17-4834-836c-ea70a869246d
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1257529975.949:596): avc:  denied  { create } for  pid=17114 comm="yum" name="fedora-debuginfo" scontext=unconfined_u:system_r:abrt_t:s0 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1257529975.949:596): arch=40000003 syscall=39 success=yes exit=0 a0=9779660 a1=1ed a2=38f6868 a3=9259050 items=0 ppid=17113 pid=17114 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="yum" exe="/usr/bin/python" subj=unconfined_u:system_r:abrt_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-41.fc12,catchall,yum,abrt_t,rpm_var_cache_t,dir,create
audit2allow suggests:

#============= abrt_t ==============
allow abrt_t rpm_var_cache_t:dir create;
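
Added example (not part of the original report, nor code from setroubleshoot or audit2allow): a Python sketch that pairs the AVC and SYSCALL records above by their shared audit event ID, rebuilds the allow rule audit2allow printed, and flags that the syscall succeeded despite the "denied" AVC, which is consistent with the alert's note that abrt_t is permissive. The function names and the trimmed sample records are assumptions made for illustration.

```python
import re

# Constructed sample: the two records quoted in the description (event serial 596),
# with the SYSCALL record trimmed to the fields this example reads.
SAMPLE = '''node=(removed) type=AVC msg=audit(1257529975.949:596): avc:  denied  { create } for  pid=17114 comm="yum" name="fedora-debuginfo" scontext=unconfined_u:system_r:abrt_t:s0 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir
node=(removed) type=SYSCALL msg=audit(1257529975.949:596): arch=40000003 syscall=39 success=yes exit=0 ppid=17113 pid=17114 auid=500 uid=0 comm="yum" exe="/usr/bin/python" subj=unconfined_u:system_r:abrt_t:s0 key=(null)
'''

EVENT_RE = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\)')
AVC_RE = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by (timestamp, serial) so the AVC and SYSCALL halves pair up."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        rtype, ts, serial = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if rtype == 'AVC':
            perm = AVC_RE.search(line)
            fields['perms'] = perm.group(1).split() if perm else []
        events.setdefault((ts, serial), {})[rtype] = fields
    return events

def summarize(event):
    """Return (allow rule in audit2allow's form, True if the syscall succeeded anyway)."""
    avc, sc = event['AVC'], event.get('SYSCALL', {})
    stype = avc['scontext'].split(':')[2]   # type is the third field of user:role:type:level
    ttype = avc['tcontext'].split(':')[2]
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    rule = f"allow {stype} {ttype}:{avc['tclass']} {perm_str};"
    # Heuristic: a "denied" AVC whose paired syscall reports success=yes was logged
    # but not enforced, as happens when the source domain is permissive.
    not_enforced = sc.get('success') == 'yes'
    return rule, not_enforced

if __name__ == '__main__':
    for key, ev in parse_events(SAMPLE).items():
        print(key, summarize(ev))
```

When triaging alerts like this one, the second value separates audit-only noise from a permissive domain from accesses that were actually blocked in enforcing mode.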

Comment 1 Daniel Walsh 2009-11-06 19:38:40 UTC
Fixed in selinux-policy-3.6.32-42.fc12.noarch

Comment 2 Lawrence Graves 2009-11-12 04:45:56 UTC
This happens every time I log in.

Comment 3 Daniel Walsh 2009-11-12 13:54:23 UTC
Well, something is blowing up every time you log in.

Have you tried the newer policy?

Comment 4 Gene Czarcinski 2009-11-17 20:18:18 UTC
This problem is still not fixed as of 17 November 2009.  The latest update in fedora, updates, or updates-testing is selinux-policy-3.6.32-41.fc12

Comment 5 Daniel Walsh 2009-11-17 22:26:52 UTC
-46 has been put in fedora-updates and has been pushed.  It should get to a mirror near you soon.

Comment 6 zhelo 2009-11-19 01:06:23 UTC
I was chatting on "amsn" and wow.... bug!!

Comment 7 Gene Czarcinski 2009-11-19 22:08:38 UTC
Since I re-opened this, I am now closing it.  With "3.6.32-46.fc12" applied, this problem no longer occurs.

Comment 8 Tomas Östlund 2009-11-22 22:14:06 UTC
This happened for me on a newly installed Fedora 12 system with all updates applied (as of 2009-11-22). It happened when the automatic bug reporting tool detected a crash in compiz and prompted me to send a bug report.

The full message given by "SELinux Security Alerts" was:

---------------

Summary:

SELinux is preventing /usr/bin/python "create" access on fedora-debuginfo.

Detailed Description:

[yum has a permissive type (abrt_t). This access was not denied.]

SELinux denied access requested by yum. It is not expected that this access is
required by yum and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:abrt_t:s0
Target Context                system_u:object_r:rpm_var_cache_t:s0
Target Objects                fedora-debuginfo [ dir ]
Source                        yum
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.2-2.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux tomas-laptop 2.6.31.5-127.fc12.i686 #1 SMP
                              Sat Nov 7 21:41:45 EST 2009 i686 i686
Alert Count                   1
First Seen                    Sun 22 Nov 2009 10:56:47 PM CET
Last Seen                     Sun 22 Nov 2009 10:56:47 PM CET
Local ID                      f0844f39-a963-4701-98d9-99d64b6f8577
Line Numbers                  

Raw Audit Messages            

node=tomas-laptop type=AVC msg=audit(1258927007.131:23658): avc:  denied  { create } for  pid=2804 comm="yum" name="fedora-debuginfo" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir

node=tomas-laptop type=SYSCALL msg=audit(1258927007.131:23658): arch=40000003 syscall=39 success=yes exit=0 a0=9e26a88 a1=1ed a2=4c3868 a3=982a050 items=0 ppid=2803 pid=2804 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:abrt_t:s0 key=(null)

Comment 9 Richard Shaw 2009-11-22 22:17:15 UTC
Installing the selinux-policy from updates-testing fixed it for me.

Comment 10 Tomas Östlund 2009-11-28 18:10:48 UTC
Ok, this issue now seems to be fixed after the updates released 24 November. Thanks.

Comment 11 Ulrich Hobelmann 2009-12-03 06:39:07 UTC
I'm having this problem with an up-to-date Fedora 12 (installed from the beta live-cd a few weeks ago and updated daily).  Since I'm assuming yum runs at regular intervals (plus my daily "yum update"s), this bug must still be there.

I'd like to REOPEN, but I'm not sure where to do that (or if it's possible... lack of privileges?), as this bugzilla looks quite different from what I'm used to.

Comment 12 Daniel Walsh 2009-12-03 14:00:55 UTC
Could you attach the latest setroubleshoot message?

rpm -q selinux-policy-targeted

Comment 13 Ulrich Hobelmann 2009-12-03 17:29:50 UTC
Oh.

Seems like the SELinux applet did not show me the latest message (that which caused it to pop up in the first place), but an older message from 11/19.  The messages I got were just wrong contexts for /var/lib/misc/prelink.*.  So I guess this is fixed...

Comment 14 Daniel Walsh 2009-12-03 18:56:59 UTC
It shows you the oldest unseen, not the latest to come up.

Comment 15 Rene Jr Purcell 2009-12-07 00:53:12 UTC
It happened to me after installing the flash rpm provided by Adobe, which contains the Adobe YUM repo. So it looks like yum is trying to create the .repo file and SELinux doesn't like that.

Comment 16 Jordan_ad 2009-12-08 16:42:36 UTC
That is exactly when it started happening to me... and still does

Comment 17 Jordan_ad 2009-12-08 16:45:08 UTC
selinux-policy-targeted-3.6.32-46.fc12.noarch

Comment 18 Daniel Walsh 2009-12-09 13:56:14 UTC
Jordan, update to selinux-policy-targeted-3.6.32-55.fc12.noarch

Comment 19 Martin B. Brilliant 2009-12-25 13:21:12 UTC
Sorry to intrude, but I'm a newbie here, new to Linux, just installed more updates, which required a restart, and it's happening to me. Bug reporting tool says it's been reported before, this thread says CLOSED WORKSFORME, but ITDOESNTWORKFORME. After these updates I now have three different versions of Fedora in the boot menu - does that have anything to do with this bug? I don't understand why this bug has been fixed and fixed and fixed again and it still keeps occurring. I'm totally confused and frustrated.

Comment 20 Christoph Wickert 2009-12-25 14:42:47 UTC
(In reply to comment #19)
> Sorry to intrude, but I'm a newbie here, new to Linux, just installed more
> updates, which required a restart, and it's happening to me. Bug reporting tool
> says it's been reported before, this thread says CLOSED WORKSFORME, but
> ITDOESNTWORKFORME.

Several people reported this bug to be fixed a while back. Are you sure your system is fully updated and you did a reboot after the last update?
When sealert reports a violation and you open the tool, it shows the first alarm instead of the last one. So what you see is likely an old alarm but not the one that triggered the warning. Use the <next> <previous> buttons to browse through the reports. If you still see this problem, take a look at the time it appeared and the version of selinux-policy affected. I am very optimistic that it hasn't happened lately with the latest selinux-policy.

> After these updates I now have three different versions of
> Fedora in the boot menu - does that have anything to do with this bug?

No, this is normal.

Comment 21 Daniel Walsh 2009-12-30 01:33:04 UTC
yum update selinux-policy-targeted

Or even better

yum update selinux-policy-targeted --enablerepo=updates-testing

Current policy is selinux-policy-3.6.32-59.fc12.noarch
Latest testing policy is 
selinux-policy-3.6.32-63.fc12.noarch

Comment 22 wherebrandon_fedora_bugzilla 2010-01-30 17:13:58 UTC
I installed Fedora 12 on a Lenovo W500.  When I ran the updates this morning I got this error, signed up for a Red Hat Bugzilla ID, and reported the error (it is the first of 8 SELinux errors).

I have not used alternate/3rd party repos.  I haven't even put in m3 decoding or DVD watching.

This issue does still exist on 100% Red Hat/Fedora distributed packages, so it DOES NOT WORK FOR ME.

I will be happy to provide any information from my system to help solve the problem.

This is preventing yum from working.

I really don't want to disable SELinux.  It is there for a good reason.

Comment 23 wherebrandon_fedora_bugzilla 2010-01-30 17:15:33 UTC
I installed Fedora 12 on a Lenovo W500.  When I ran the updates this morning I got this error, signed up for a Red Hat Bugzilla ID, and reported the error (it is the first of 8 SELinux errors).

I have not used alternate/3rd party repos.  I haven't even put in m3 decoding or DVD watching.

This issue does still exist on 100% Red Hat/Fedora distributed packages, so it DOES NOT WORK FOR ME.

I will be happy to provide any information from my system to help solve the problem.

This is preventing yum from working.

I really don't want to disable SELinux.  It is there for a good reason.

Comment 24 Daniel Walsh 2010-02-01 17:07:33 UTC
What error exactly did you get when you ran yum update?

Comment 25 alan merriman 2010-02-01 19:35:57 UTC
I am new to Fedora. I just ran yum update as per the details in the previous comment and it seems to have fixed the bug. Thanks for your help.

Comment 26 TFH 2010-02-07 14:12:46 UTC
TFH
The bug report that I filed occurs when I do a cold boot of the OS-Fedora 12. The only thing I have noticed different in this new OS install is that the network connection is disabled by default, which was not the case with Fedora 11.

Comment 27 Ajeet Kumar 2010-02-09 02:34:54 UTC
Whenever I boot into my Fedora KDE desktop I always get the SELinux message that this bug has occurred. Apart from booting into the desktop I didn't do anything.

Comment 28 Ajeet Kumar 2010-02-09 02:38:11 UTC
Right now I'm updating my SELinux policy and will reboot afterwards.

Comment 29 Ajeet Kumar 2010-02-09 03:00:51 UTC
Yes, it did not occur this time when I rebooted after the update. Thank you.

Comment 30 Artemio 2010-02-16 13:51:53 UTC
Created attachment 394546 [details]
I believe this is the right file. I am having trouble updating the system, an error always appears; please help me

Comment 31 James S 2010-02-27 21:52:04 UTC
I installed fedora 12 on my laptop and I opened software update and this bug is not allowing me to receive any updates. Any fixes?

Comment 32 Volans 2010-02-27 22:01:30 UTC
Well, if you just want to update your computer, try becoming root and write " yum update " in your console. It works for me many times.

