Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 593478 - [abrt] crash in policycoreutils-python-2.0.82-4.fc12: audit2allow:43:__parse_options:ValueError: unable to open /etc/selinux/targeted/policy/policy.24: Permission denied
[abrt] crash in policycoreutils-python-2.0.82-4.fc12: audit2allow:43:__parse_...
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: policycoreutils (Show other bugs)
12
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
abrt_hash:f41ab650
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-05-18 17:37 EDT by Brian Whitehead
Modified: 2010-05-21 09:27 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-05-21 09:27:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
File: backtrace (572 bytes, text/plain)
2010-05-18 17:37 EDT, Brian Whitehead
no flags Details

  None (edit)
Description Brian Whitehead 2010-05-18 17:37:44 EDT
abrt 1.0.9 detected a crash.

architecture: x86_64
cmdline: /usr/bin/python -E /usr/bin/audit2allow -i /tmp/tmp1dbfLk
component: policycoreutils
executable: /usr/bin/audit2allow
kernel: 2.6.32.11-99.fc12.x86_64
package: policycoreutils-python-2.0.82-4.fc12
reason: audit2allow:43:__parse_options:ValueError: unable to open /etc/selinux/targeted/policy/policy.24:  Permission denied
release: Fedora release 12 (Constantine)

backtrace
-----
audit2allow:43:__parse_options:ValueError: unable to open /etc/selinux/targeted/policy/policy.24:  Permission denied


Traceback (most recent call last):
  File "/usr/bin/audit2allow", line 344, in <module>
    app.main()
  File "/usr/bin/audit2allow", line 334, in main
    self.__parse_options()
  File "/usr/bin/audit2allow", line 43, in __parse_options
    from optparse import OptionParser
ValueError: unable to open /etc/selinux/targeted/policy/policy.24:  Permission denied


Local variables in innermost frame:
self: <__main__.AuditToPolicy instance at 0x17be6c8>
Comment 1 Brian Whitehead 2010-05-18 17:37:45 EDT
Created attachment 414969 [details]
File: backtrace
Comment 2 Daniel Walsh 2010-05-19 09:03:44 EDT
Brian is your machine properly labeled?

/etc/selinux/targeted/policy/policy.24 usually readable by users?
Comment 3 Brian Whitehead 2010-05-19 09:51:01 EDT
I did the /.autorelabel twice yesterday because I was seeing many selinux denials.  They actually got worse after the relabel.  

Interestingly, this policy.24 file doesn't even exist.  

-(0)> ls -la /etc/selinux/targeted/policy/
total 1828
drwxr-xr-x 2 root root    4096 May 17 16:02 ./
drwxr-xr-x 5 root root    4096 May 17 16:02 ../
-rw-r--r-- 1 root root 1843414 May 17 16:02 policy.21
Comment 4 Brian Whitehead 2010-05-19 09:54:20 EDT
(In reply to comment #3)
> I did the /.autorelabel twice yesterday because I was seeing many selinux
> denials.  They actually got worse after the relabel.  
> 
> Interestingly, this policy.24 file doesn't even exist.  
> 
> -(0)> ls -la /etc/selinux/targeted/policy/
> total 1828
> drwxr-xr-x 2 root root    4096 May 17 16:02 ./
> drwxr-xr-x 5 root root    4096 May 17 16:02 ../
> -rw-r--r-- 1 root root 1843414 May 17 16:02 policy.21    

Sorry, mispoke.  I was on the wrong system.  The file is there

--(0)> ls -laZ /etc/selinux/targeted/policy/
drwxr-xr-x. root root system_u:object_r:semanage_store_t:s0 ./
drwxr-xr-x. root root system_u:object_r:selinux_config_t:s0 ../
-rw-r-----. root root unconfined_u:object_r:semanage_store_t:s0 policy.24

--(0)> sudo restorecon /etc/selinux/targeted/policy/policy.24

--(0)> ls -laZ /etc/selinux/targeted/policy/
drwxr-xr-x. root root system_u:object_r:semanage_store_t:s0 ./
drwxr-xr-x. root root system_u:object_r:selinux_config_t:s0 ../
-rw-r-----. root root unconfined_u:object_r:semanage_store_t:s0 policy.24
Comment 5 Daniel Walsh 2010-05-19 14:08:26 EDT
chmod +r /etc/selinux/targeted/policy/policy.24
Comment 6 Daniel Walsh 2010-05-19 14:09:02 EDT
Did you have all the bugs on user_home_t?
Comment 7 Brian Whitehead 2010-05-19 16:33:09 EDT
(In reply to comment #5)
> chmod +r /etc/selinux/targeted/policy/policy.24    

Done.  I'm curious how it got changed.  I confirmed that `rpm --setperms selinux-policy-targeted` set it back to 644.
Comment 8 Brian Whitehead 2010-05-19 16:34:16 EDT
(In reply to comment #6)
> Did you have all the bugs on user_home_t?    

Yes, I got about 50 denials after touching /.autorelabel and rebooting.
Comment 9 Daniel Walsh 2010-05-19 16:56:38 EDT
I think you might have an entry in /etc/passwd that SELinux thinks is a user.

grep share /etc/passwd
Comment 10 Brian Whitehead 2010-05-19 18:19:20 EDT
(In reply to comment #9)
> I think you might have an entry in /etc/passwd that SELinux thinks is a user.
> 
> grep share /etc/passwd    

Is it looking at the UID > 500 or an account with a home in /usr/share with a valid shell?

smolt:x:495:487:Smolt:/usr/share/smolt:/sbin/nologin
cacti:x:486:469::/usr/share/cacti:/sbin/nologin
netdisco:x:501:501::/usr/share/netdisco/:/bin/sh
Comment 11 Daniel Walsh 2010-05-21 09:27:31 EDT
Both.  Can you change netdisco to /sbin/nologin or its uid < 501.

This should clean up the problem.

After doing this, execute

# genhomedircon
# restorecon -R -v /usr/share

In F13 the genhomedircon functionality will be turned off by default.  So this will  not happen.

Note You need to log in before you can comment on or make changes to this bug.