Bug 560321 - SELinux is preventing /usr/bin/python "execute" access on /tmp/ffiSwFIhF (deleted).
Summary: SELinux is preventing /usr/bin/python "execute" access on /tmp/ffiSwFIhF (del...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:b3ac7e3191b...
: 561524 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-01-30 23:58 UTC by John Bouras
Modified: 2011-08-31 15:40 UTC (History)
5 users (show)

Fixed In Version: 3.6.32-84.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-02-11 14:43:20 UTC


Attachments (Terms of Use)

Description John Bouras 2010-01-30 23:58:03 UTC
Summary:

SELinux is preventing /usr/bin/python "execute" access on /tmp/ffiSwFIhF
(deleted).

Detailed Description:

SELinux denied access requested by python. It is not expected that this access
is required by python and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:NetworkManager_tmp_t:s0
Target Objects                /tmp/ffiSwFIhF (deleted) [ file ]
Source                        python
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.2-2.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-73.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31.12-174.2.3.fc12.i686.PAE #1 SMP Mon Jan 18
                              20:06:44 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Sat 30 Jan 2010 06:47:58 PM EST
Last Seen                     Sat 30 Jan 2010 06:47:58 PM EST
Local ID                      d108fb95-566a-4110-9689-2164d4eff54f
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1264895278.306:22051): avc:  denied  { execute } for  pid=2534 comm="python" path=2F746D702F666669537746496846202864656C6574656429 dev=dm-0 ino=1002 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_tmp_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1264895278.306:22051): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=1000 a2=5 a3=1 items=0 ppid=2533 pid=2534 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python" exe="/usr/bin/python" subj=system_u:system_r:NetworkManager_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-73.fc12,catchall,python,NetworkManager_t,NetworkManager_tmp_t,file,execute
audit2allow suggests:

#============= NetworkManager_t ==============
allow NetworkManager_t NetworkManager_tmp_t:file execute;

Comment 1 Daniel Walsh 2010-02-01 19:03:45 UTC
Miroslav, 

Add

can_exec(NetworkManager_t, NetworkManager_tmp_t)

Comment 2 Miroslav Grepl 2010-02-01 19:41:22 UTC
Fixed in selinux-policy-3.6.32-80.fc12

Comment 3 Miroslav Grepl 2010-02-03 22:39:46 UTC
*** Bug 561524 has been marked as a duplicate of this bug. ***

Comment 4 Fedora Update System 2010-02-03 23:20:29 UTC
selinux-policy-3.6.32-82.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-82.fc12

Comment 5 Fedora Update System 2010-02-05 01:45:51 UTC
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1492

Comment 6 Fedora Update System 2010-02-11 14:38:46 UTC
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Rick Graham 2011-08-31 15:12:45 UTC
I am getting this report on fc14, new install.

The python exec is named 'euclid' running as a cgi.  The /tmp file is not one I explicitly create.  Kind of a strange bug, SELinux is denying access to a file that isn't there.  (and there it was, GONE!)

I have enabled reporting as directed in comment 5.

Cheers!

$ uname -a
Linux euclid 2.6.35.14-95.fc14.x86_64 #1 SMP Tue Aug 16 21:01:58 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

*********** SETroubleshoot Details Window *****************


SELinux is preventing /usr/bin/python from execute access on the file /tmp/ffiXJig7F (deleted).

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python should be allowed execute access on the ffiXJig7F (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep euclid /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:httpd_sys_script_t:s0
Target Context                unconfined_u:object_r:httpd_sys_rw_content_t:s0
Target Objects                /tmp/ffiXJig7F (deleted) [ file ]
Source                        euclid
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          euclid
Source RPM Packages           python-2.7-8.fc14.1
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-44.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     euclid
Platform                      Linux euclid 2.6.35.14-95.fc14.x86_64 #1 SMP Tue
                              Aug 16 21:01:58 UTC 2011 x86_64 x86_64
Alert Count                   3
First Seen                    Wed 31 Aug 2011 09:56:57 AM EDT
Last Seen                     Wed 31 Aug 2011 10:06:42 AM EDT
Local ID                      9ff30ed4-5c6d-409f-819e-1e202cb53eac

Raw Audit Messages
type=AVC msg=audit(1314799602.254:550): avc:  denied  { execute } for  pid=8796 comm="euclid" path=2F746D702F666669584A69673746202864656C6574656429 dev=sda3 ino=5488706 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file


type=SYSCALL msg=audit(1314799602.254:550): arch=x86_64 syscall=mmap success=yes exit=140199883816960 a0=0 a1=1000 a2=5 a3=1 items=0 ppid=8769 pid=8796 auid=1000 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=29 comm=euclid exe=/usr/bin/python subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)

Hash: euclid,httpd_sys_script_t,httpd_sys_rw_content_t,file,execute

audit2allow

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_rw_content_t:file execute;

audit2allow -R

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_rw_content_t:file execute;

Comment 8 Daniel Walsh 2011-08-31 15:22:43 UTC
This bug has nothing to do with the bug you attached it to.

Comment 9 Rick Graham 2011-08-31 15:31:28 UTC
Except for the actual name of the tmp file, which looks random, the error message is identical.

It looks the same to me, your comment would be helpful if you elaborated, or stated why it's not the same bug.

SELinux is running in permissive mode, this not causing me grief.  I am posting the bug as requested by the report tool.

Comment 10 Daniel Walsh 2011-08-31 15:40:34 UTC
The Original bug is related to NetworkManager the new bug is related to httpd.


I have no idea how you got a /tmp file to be labeled httpd_sys_rw_content_t?  Did you do some relabeling of /tmp?


Note You need to log in before you can comment on or make changes to this bug.