Bug 586804 - SELinux alert during attempt to install liveCD to disk
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: abrt
Version: 13
Hardware: i686 Linux
Priority: low
Severity: medium
Assigned To: Jiri Moskovcak
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-04-28 08:02 EDT by cschwangler
Modified: 2015-02-01 17:51 EST
Doc Type: Bug Fix
Last Closed: 2010-05-06 12:29:42 EDT


Attachments:
Smolt profile (5.83 KB, text/plain), 2010-04-28 08:17 EDT, cschwangler

Description cschwangler 2010-04-28 08:02:20 EDT
Description of problem:
I attempted to do a test installation for the F13 XFCE test day and therefore grabbed the nightly build of the liveCD mentioned on the Test Day site. This build was created on 2010-04-26 (xfce-i386-20100426.16.iso). Checksum of the iso has been verified.

I get the following SELinux alert if I attempt to install the nightly build of the XFCE liveCD:


Summary:

SELinux is preventing /usr/libexec/abrt-hook-python access to a leaked /dev/tty3
file descriptor.

Detailed Description:

[abrt-hook-pytho has a permissive type (abrt_helper_t). This access was not
denied.]

SELinux denied access requested by the abrt-hook-pytho command. It looks like
this is either a leaked descriptor or abrt-hook-pytho output was redirected to a
file it is not allowed to access. Leaks usually can be ignored since SELinux is
just closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the /dev/tty3. You should generate a bugzilla on selinux-policy, and
it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c
                              1023
Target Context                system_u:object_r:tty_device_t:s0
Target Objects                /dev/tty3 [ chr_file ]
Source                        abrt-hook-pytho
Source Path                   /usr/libexec/abrt-hook-python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           abrt-addon-python-1.0.9-2.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-2.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux localhost.localdomain 2.6.33.2-57.fc13.i686
                              #1 SMP Tue Apr 20 09:28:45 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Wed 28 Apr 2010 11:45:17 AM EDT
Last Seen                     Wed 28 Apr 2010 11:48:21 AM EDT
Local ID                      f916d878-4713-4602-9ca7-98f91a6e77d4
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1272469701.114:24566): avc:  denied  { append } for  pid=2716 comm="abrt-hook-pytho" path="/dev/tty3" dev=devtmpfs ino=5448 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

node=localhost.localdomain type=SYSCALL msg=audit(1272469701.114:24566): arch=40000003 syscall=11 success=yes exit=0 a0=92e17d8 a1=94c6c80 a2=bfa667d0 a3=3 items=0 ppid=2715 pid=2716 auid=500 uid=0 gid=0 euid=497 suid=497 fsuid=497 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="abrt-hook-pytho" exe="/usr/libexec/abrt-hook-python" subj=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)



Version-Release number of selected component (if applicable):
Fedora 13 XFCE liveCD built 2010-04-26

How reproducible:
Double click on install to Hard Drive icon

Steps to Reproduce:
1. Double click on install to Hard Drive icon
2. SELinux alert automatically shows up
3. Installation procedure dies
  
Actual results:
SELinux alert prevents installation to hard drive

Expected results:
Installation is possible

Additional info:
I found bug 569662, which is closed and the bug report says that this problem has been fixed 2010-03-10. However, the circumstances of that particular bug seem to be different.
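
A triage sketch for the two raw audit records in the description above, added here as an example and not part of the original report or of setroubleshoot. It pairs the AVC record with the SYSCALL record that shares its event serial and flags a denial on a named file object raised during execve (syscall 11 on arch 40000003, i386), the point at which SELinux revalidates descriptors inherited from the parent; the function names and the heuristic itself are assumptions of this example.

```python
import re
import shlex

# The two raw audit records from the report above, copied verbatim.
RECORDS = [
    'node=localhost.localdomain type=AVC msg=audit(1272469701.114:24566): avc:  denied  { append } for  pid=2716 comm="abrt-hook-pytho" path="/dev/tty3" dev=devtmpfs ino=5448 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file',
    'node=localhost.localdomain type=SYSCALL msg=audit(1272469701.114:24566): arch=40000003 syscall=11 success=yes exit=0 a0=92e17d8 a1=94c6c80 a2=bfa667d0 a3=3 items=0 ppid=2715 pid=2716 auid=500 uid=0 gid=0 euid=497 suid=497 fsuid=497 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="abrt-hook-pytho" exe="/usr/libexec/abrt-hook-python" subj=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)',
]

EVENT_RE = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)")
PERMS_RE = re.compile(r"\{ ([^}]*) \}")
# (arch, syscall) pairs meaning execve; only i386 is needed for this report.
EXECVE = {("40000003", "11")}


def parse(line):
    """Return (record type, event serial, key=value fields) for one record."""
    rtype, serial, body = EVENT_RE.search(line).groups()
    fields = dict(t.split("=", 1) for t in shlex.split(body) if "=" in t)
    perms = PERMS_RE.search(body)
    fields["perms"] = perms.group(1).split() if perms else []
    return rtype, serial, fields


def triage(lines):
    """Pair AVC and SYSCALL records by serial and summarise each denial."""
    events = {}
    for line in lines:
        rtype, serial, fields = parse(line)
        events.setdefault(serial, {})[rtype] = fields
    findings = []
    for serial, ev in events.items():
        avc, sc = ev.get("AVC"), ev.get("SYSCALL")
        if avc is None or sc is None:
            continue  # cannot classify without both halves of the event
        at_exec = (sc.get("arch"), sc.get("syscall")) in EXECVE
        findings.append({
            "event": serial,
            "domain": avc["scontext"].split(":")[2],
            "target": avc.get("path"),
            "perms": avc["perms"],
            # Heuristic (assumption): a denial on a named file object during
            # execve concerns a descriptor inherited from the parent.
            "inherited_fd_at_exec": at_exec and "path" in avc,
            "exec_succeeded": sc.get("success") == "yes",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(RECORDS):
        print(finding)
```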
Comment 1 cschwangler 2010-04-28 08:17:36 EDT
Created attachment 409798
Smolt profile

Added the Smolt profile of the machine.
Comment 2 Kevin Fenzi 2010-04-28 12:25:20 EDT
Moving this over to abrt for comment. Xfce doesn't do anything with the selinux policy, so it sounds like it's an abrt/selinux-policy issue.
Comment 3 cschwangler 2010-04-30 04:12:57 EDT
I did a fresh installation with the 2010-04-29 nightly compose and the problem did not appear again. It seems that the issue in abrt/selinux is fixed.
Comment 4 Jiri Moskovcak 2010-04-30 04:31:38 EDT
Great! Thanks for the info, closing.
Comment 5 cschwangler 2010-05-06 12:29:42 EDT
Did some more installations on different machines. No more problems.
