Bug 547472 - SELinux is preventing /usr/bin/python "read" access on /var/run/abrt.pid.
Summary: SELinux is preventing /usr/bin/python "read" access on /var/run/abrt.pid.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:65e90b13a6c...
Reported: 2009-12-14 18:41 UTC by Flóki Pálsson
Modified: 2009-12-22 20:42 UTC

Last Closed: 2009-12-22 20:42:36 UTC

Attachments
selinux-policy-3.6.32-59.fc12 - sealert (2.30 KB, text/plain)
2009-12-20 23:10 UTC, Flóki Pálsson

Description Flóki Pálsson 2009-12-14 18:41:19 UTC
Summary:

SELinux is preventing /usr/bin/python "read" access on /var/run/abrt.pid.

Detailed Description:

SELinux denied access requested by system-config-s. It is not expected that this
access is required by system-config-s and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:sambagui_t:s0-s0:c0.c1023
Target Context                system_u:object_r:abrt_var_run_t:s0
Target Objects                /var/run/abrt.pid [ file ]
Source                        system-config-s
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.2-2.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-56.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.6-166.fc12.x86_64 #1 SMP Wed
                              Dec 9 10:46:22 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 14 Dec 2009 06:34:39 PM GMT
Last Seen                     Mon 14 Dec 2009 06:34:39 PM GMT
Local ID                      d4520544-d0ed-42da-9830-8a46e98ea0a5
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1260815679.187:27566): avc:  denied  { read } for  pid=2203 comm="system-config-s" name="abrt.pid" dev=sda2 ino=4491 scontext=system_u:system_r:sambagui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_var_run_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1260815679.187:27566): arch=c000003e syscall=2 success=no exit=-13 a0=1c54950 a1=0 a2=1b6 a3=0 items=0 ppid=2202 pid=2203 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="system-config-s" exe="/usr/bin/python" subj=system_u:system_r:sambagui_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-56.fc12,catchall,system-config-s,sambagui_t,abrt_var_run_t,file,read
audit2allow suggests:

#============= sambagui_t ==============
allow sambagui_t abrt_var_run_t:file read;

Comment 1 Flóki Pálsson 2009-12-14 18:58:37 UTC
This was ok.
There was only a problem with adding a samba user.

[floki@flokipa ~]$ /usr/bin/system-config-samba
ERROR:dbus.proxies:Introspect error on :1.81:/org/fedoraproject/Config/Samba/Backend: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

-------------
window for root password
and then 
---------------
Traceback (most recent call last):
  File "/usr/bin/system-config-samba", line 53, in <module>
    mainWindow.MainWindow (debug_flag = debug_flag, use_dbus = use_dbus)
  File "/usr/share/system-config-samba/mainWindow.py", line 97, in __init__
    self.samba_data = sambaConfig.SambaConfig (self.samba_backend)
  File "/usr/lib/python2.6/site-packages/scsamba/core/sambaConfig.py", line 29, in __init__
    self.parseFile ()
  File "/usr/lib/python2.6/site-packages/scsamba/core/sambaConfig.py", line 32, in parseFile
    return self.parse (self.backend.readSmbConf ())
  File "/usr/lib/python2.6/site-packages/scsamba/dbus/proxy/sambaBackend.py", line 48, in readSmbConf
    return self.dbus_interface.readSmbConf ()
  File "/usr/lib/python2.6/site-packages/dbus/proxies.py", line 68, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib/python2.6/site-packages/dbus/proxies.py", line 140, in __call__
    **keywords)
  File "/usr/lib/python2.6/site-packages/dbus/connection.py", line 630, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
[floki@flokipa ~]$

Comment 2 Dagan McGregor 2009-12-15 03:30:39 UTC
It appears I have a similar problem with system-config-samba not opening as a standard user, even after authenticating.

Comment 3 Daniel Walsh 2009-12-15 14:11:55 UTC
Fixed in selinux-policy-3.6.32-59.fc12.noarch

Comment 4 Fedora Update System 2009-12-16 13:55:55 UTC
selinux-policy-3.6.32-59.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-59.fc12

Comment 5 Fedora Update System 2009-12-18 04:44:03 UTC
selinux-policy-3.6.32-59.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-13384

Comment 6 Flóki Pálsson 2009-12-20 21:46:45 UTC
Now system-config-samba starts.
Using 
selinux-policy-3.6.32-59.fc12.noarch

but when adding sambauser then 
[floki@flokipa ~]$ system-config-samba
Traceback (most recent call last):
  File "/usr/share/system-config-samba/addUserWin.py", line 174, in on_add_user_ok_button_clicked
    elif self.samba_backend.userExists(unix_name):
  File "/usr/lib/python2.6/site-packages/scsamba/dbus/proxy/sambaBackend.py", line 88, in userExists
    return self.dbus_interface.userExists (user)
  File "/usr/lib/python2.6/site-packages/dbus/proxies.py", line 140, in __call__
    **keywords)
  File "/usr/lib/python2.6/site-packages/dbus/connection.py", line 630, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
[floki@flokipa ~]$

Comment 7 Flóki Pálsson 2009-12-20 21:59:08 UTC
There is the same reply when SELinux is in permissive mode.
When running system-config-samba as root, it is possible to add a samba user.
No sealert.

Comment 8 Flóki Pálsson 2009-12-20 23:10:17 UTC
Created attachment 379533
selinux-policy-3.6.32-59.fc12 - sealert

There is an sealert for selinux-policy-3.6.32-59.fc12

Comment 9 Daniel Walsh 2009-12-21 16:21:58 UTC
You should open a new bug on the sambagui, since it is not abrt/selinux related.

The last problem will be fixed in the next release of abrt and selinux.

