Summary: SELinux is preventing /usr/bin/python "execute" access on /tmp/ffiSwFIhF (deleted).

Detailed Description:
SELinux denied access requested by python. It is not expected that this access is required by python and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:object_r:NetworkManager_tmp_t:s0
Target Objects /tmp/ffiSwFIhF (deleted) [ file ]
Source python
Source Path /usr/bin/python
Port <Unknown>
Host (removed)
Source RPM Packages python-2.6.2-2.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.32-73.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name (removed)
Platform Linux (removed) 2.6.31.12-174.2.3.fc12.i686.PAE #1 SMP Mon Jan 18 20:06:44 UTC 2010 i686 i686
Alert Count 1
First Seen Sat 30 Jan 2010 06:47:58 PM EST
Last Seen Sat 30 Jan 2010 06:47:58 PM EST
Local ID d108fb95-566a-4110-9689-2164d4eff54f
Line Numbers

Raw Audit Messages
node=(removed) type=AVC msg=audit(1264895278.306:22051): avc: denied { execute } for pid=2534 comm="python" path=2F746D702F666669537746496846202864656C6574656429 dev=dm-0 ino=1002 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_tmp_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1264895278.306:22051): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=1000 a2=5 a3=1 items=0 ppid=2533 pid=2534 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python" exe="/usr/bin/python" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Hash String generated from selinux-policy-3.6.32-73.fc12,catchall,python,NetworkManager_t,NetworkManager_tmp_t,file,execute

audit2allow suggests:
#============= NetworkManager_t ==============
allow NetworkManager_t NetworkManager_tmp_t:file execute;
Miroslav, Add can_exec(NetworkManager_t, NetworkManager_tmp_t)
Fixed in selinux-policy-3.6.32-80.fc12
*** Bug 561524 has been marked as a duplicate of this bug. ***
selinux-policy-3.6.32-82.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-82.fc12
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1492
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
I am getting this report on fc14, new install. The python exec is named 'euclid' running as a cgi. The /tmp file is not one I explicitly create. Kind of a strange bug, SELinux is denying access to a file that isn't there. (and there it was, GONE!) I have enabled reporting as directed in comment 5. Cheers!

$ uname -a
Linux euclid 2.6.35.14-95.fc14.x86_64 #1 SMP Tue Aug 16 21:01:58 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

*********** SETroubleshoot Details Window *****************
SELinux is preventing /usr/bin/python from execute access on the file /tmp/ffiXJig7F (deleted).

***** Plugin catchall (100. confidence) suggests ***************************
If you believe that python should be allowed execute access on the ffiXJig7F (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep euclid /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context unconfined_u:system_r:httpd_sys_script_t:s0
Target Context unconfined_u:object_r:httpd_sys_rw_content_t:s0
Target Objects /tmp/ffiXJig7F (deleted) [ file ]
Source euclid
Source Path /usr/bin/python
Port <Unknown>
Host euclid
Source RPM Packages python-2.7-8.fc14.1
Target RPM Packages
Policy RPM selinux-policy-3.9.7-44.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name euclid
Platform Linux euclid 2.6.35.14-95.fc14.x86_64 #1 SMP Tue Aug 16 21:01:58 UTC 2011 x86_64 x86_64
Alert Count 3
First Seen Wed 31 Aug 2011 09:56:57 AM EDT
Last Seen Wed 31 Aug 2011 10:06:42 AM EDT
Local ID 9ff30ed4-5c6d-409f-819e-1e202cb53eac

Raw Audit Messages
type=AVC msg=audit(1314799602.254:550): avc: denied { execute } for pid=8796 comm="euclid" path=2F746D702F666669584A69673746202864656C6574656429 dev=sda3 ino=5488706 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=SYSCALL msg=audit(1314799602.254:550): arch=x86_64 syscall=mmap success=yes exit=140199883816960 a0=0 a1=1000 a2=5 a3=1 items=0 ppid=8769 pid=8796 auid=1000 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=29 comm=euclid exe=/usr/bin/python subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)

Hash: euclid,httpd_sys_script_t,httpd_sys_rw_content_t,file,execute

audit2allow
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_rw_content_t:file execute;

audit2allow -R
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_rw_content_t:file execute;
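Both setroubleshoot reports in this bug (the fc12 NetworkManager one and the fc14 httpd one) quote the raw AVC record with the path hex-encoded; the audit subsystem does that whenever a value contains a space, here the trailing " (deleted)". The script below is an added example, not part of this bug or of the selinux-policy package: it parses those two records as constructed sample input, decodes the path, and reproduces the allow rule audit2allow printed, so a triager can see which source and target types are involved before deciding whether a local module is appropriate.

```python
import re

# Constructed sample: the two AVC records quoted in this bug (fc12 and fc14 reports).
AVC_LINES = [
    'type=AVC msg=audit(1264895278.306:22051): avc: denied { execute } for pid=2534 comm="python" '
    'path=2F746D702F666669537746496846202864656C6574656429 dev=dm-0 ino=1002 '
    'scontext=system_u:system_r:NetworkManager_t:s0 '
    'tcontext=system_u:object_r:NetworkManager_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1314799602.254:550): avc: denied { execute } for pid=8796 comm="euclid" '
    'path=2F746D702F666669584A69673746202864656C6574656429 dev=sda3 ino=5488706 '
    'scontext=unconfined_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_audit_value(value):
    """Quoted values are literal; an unquoted string value is hex-encoded by the audit subsystem
    when it contains a space (here the trailing ' (deleted)')."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode('utf-8')
    except ValueError:
        return value  # not hex (e.g. a device name); keep as-is


def context_type(ctx):
    """user:role:type:level -> type, the component a policy rule refers to."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return the fields a triager needs from one AVC denial, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group('fields')))
    path = decode_audit_value(fields['path'])
    return {'perms': m.group('perms').split(), 'comm': decode_audit_value(fields['comm']),
            'path': path, 'deleted': path.endswith(' (deleted)'),  # unlinked before it was mapped
            'stype': context_type(fields['scontext']), 'ttype': context_type(fields['tcontext']),
            'tclass': fields['tclass']}


def allow_rule(rec):
    """The rule audit2allow printed in this bug; whether it belongs in policy is a review decision."""
    return 'allow %s %s:%s %s;' % (rec['stype'], rec['ttype'], rec['tclass'], ' '.join(rec['perms']))
```

Comparing the decoded source type against the target type is what separates the two reports: the same "(deleted) /tmp file" symptom comes from NetworkManager_t in one and httpd_sys_script_t in the other, which is why they are different policy bugs.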
This bug has nothing to do with the bug you attached it to.
Except for the actual name of the tmp file, which looks random, the error message is identical. It looks the same to me; your comment would be helpful if you elaborated, or stated why it's not the same bug. SELinux is running in permissive mode, so this is not causing me grief. I am posting the bug as requested by the report tool.
The original bug is related to NetworkManager; the new bug is related to httpd. I have no idea how you got a /tmp file to be labeled httpd_sys_rw_content_t. Did you do some relabeling of /tmp?