Bug 603948 – SELinux is preventing /usr/bin/python access to a leaked /var/asl/tmp/asl.lock file descriptor.

Bug 603948 - SELinux is preventing /usr/bin/python access to a leaked /var/asl/tmp/asl.lock file descriptor.

Summary:	SELinux is preventing /usr/bin/python access to a leaked /var/asl/tmp/asl.loc...

Status:	CLOSED INSUFFICIENT_DATA

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	13
Hardware:	i386 Linux

Priority	low Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:	setroubleshoot_trace_hash:0dd9352637b...
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2010-06-14 19:41 EDT by David
Modified:	2010-07-29 12:53 EDT (History)
CC List:	2 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2010-07-29 12:53:22 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description David 2010-06-14 19:41:38 EDT

Summary:

SELinux is preventing /usr/bin/python access to a leaked /var/asl/tmp/asl.lock
file descriptor.

Detailed Description:

[denyhosts.py has a permissive type (denyhosts_t). This access was not denied.]

SELinux denied access requested by the denyhosts.py command. It looks like this
is either a leaked descriptor or denyhosts.py output was redirected to a file it
is not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the /var/asl/tmp/asl.lock. You should generate a bugzilla on
selinux-policy, and it will get routed to the appropriate package. You can
safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:denyhosts_t:s0
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                /var/asl/tmp/asl.lock [ file ]
Source                        denyhosts.py
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.4-27.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-23.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.33.5-112.fc13.i686.PAE #1 SMP Thu May 27
                              02:56:20 UTC 2010 i686 i686
Alert Count                   27
First Seen                    Sun 13 Jun 2010 08:20:59 AM EST
Last Seen                     Sun 13 Jun 2010 10:30:44 AM EST
Local ID                      23a0e81e-e39c-478f-a86d-3ab08bfa5850
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1276389044.293:19983): avc:  denied  { read write } for  pid=4900 comm="denyhosts.py" path="/var/asl/tmp/asl.lock" dev=dm-0 ino=14711 scontext=unconfined_u:system_r:denyhosts_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1276389044.293:19983): avc:  denied  { read } for  pid=4900 comm="denyhosts.py" path="/var/asl/data/.check" dev=dm-0 ino=27184 scontext=unconfined_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1276389044.293:19983): avc:  denied  { write } for  pid=4900 comm="denyhosts.py" path=2F6574632F64656E79686F7374732E636F6E662E6E6577202864656C6574656429 dev=dm-0 ino=5862 scontext=unconfined_u:system_r:denyhosts_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1276389044.293:19983): arch=40000003 syscall=11 success=yes exit=0 a0=90f4f80 a1=90f3570 a2=90f3b80 a3=90f3570 items=0 ppid=4899 pid=4900 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2910 comm="denyhosts.py" exe="/usr/bin/python" subj=unconfined_u:system_r:denyhosts_t:s0 key=(null)



Hash String generated from  leaks,denyhosts.py,denyhosts_t,var_t,file,read,write
audit2allow suggests:

#============= denyhosts_t ==============
allow denyhosts_t etc_t:file write;
allow denyhosts_t var_t:file { read write };

Comment 1 Daniel Walsh 2010-06-16 13:09:16 EDT

This looks like you edited the denyhosts.py file?

What is /var/asl?

Note You need to log in before you can comment on or make changes to this bug.