Bug 606581 - SELinux is preventing /usr/bin/python "sendto" access on /tmp/sectool/519a5c5417977630c8b5c4004b8d1b34630a1576.
Summary: SELinux is preventing /usr/bin/python "sendto" access on /tmp/sectool/51...
Alias: None
Product: Fedora
Classification: Fedora
Component: sectool
Version: 13
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Peter Vrabec
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:89fe6060ab6...
Depends On:
TreeView+ depends on / blocked
Reported: 2010-06-22 02:15 UTC by William Hill
Modified: 2011-03-12 20:55 UTC (History)
12 users (show)

Fixed In Version: selinux-policy-3.7.19-33.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-07-06 17:08:58 UTC

Attachments (Terms of Use)

Description William Hill 2010-06-22 02:15:33 UTC

SELinux is preventing /usr/bin/python "sendto" access on

Detailed Description:

SELinux denied access requested by sectool-mechani. It is not expected that this
access is required by sectool-mechani and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug

Additional Information:

Source Context                system_u:system_r:sectoolm_t:SystemLow-SystemHigh
Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
Target Objects                /tmp/sectool/519a5c5417977630c8b5c4004b8d1b34630a1
                              576 [ unix_dgram_socket ]
Source                        sectool-mechani
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.4-27.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-23.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                     #1 SMP Fri Jun 11
                              09:42:24 UTC 2010 i686 i686
Alert Count                   28
First Seen                    Mon 21 Jun 2010 09:57:56 PM EDT
Last Seen                     Mon 21 Jun 2010 09:58:02 PM EDT
Local ID                      95c9f499-be92-4758-afa7-e175425fc06b
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1277171882.325:24871): avc:  denied  { sendto } for  pid=9251 comm="sectool-mechani" path="/tmp/sectool/519a5c5417977630c8b5c4004b8d1b34630a1576" scontext=system_u:system_r:sectoolm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

node=(removed) type=SYSCALL msg=audit(1277171882.325:24871): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfec7d10 a2=a0a10c a3=9bdb4d0 items=0 ppid=1 pid=9251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sectool-mechani" exe="/usr/bin/python" subj=system_u:system_r:sectoolm_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  catchall,sectool-mechani,sectoolm_t,unconfined_t,unix_dgram_socket,sendto
audit2allow suggests:

#============= sectoolm_t ==============
allow sectoolm_t unconfined_t:unix_dgram_socket sendto;

Comment 1 Daniel Walsh 2010-06-22 12:30:34 UTC
Is the sectool supposed to be communicating with a user socket?  Why is this not just doing dbus communications?

Comment 2 Daniel Walsh 2010-06-22 12:32:28 UTC
Miroslav we need to add


Comment 3 Miroslav Grepl 2010-06-28 14:06:10 UTC
Fixed in selinux-policy-3.7.19-32.fc13

Comment 4 Fedora Update System 2010-06-30 19:54:39 UTC
selinux-policy-3.7.19-33.fc13 has been submitted as an update for Fedora 13.

Comment 5 Fedora Update System 2010-07-01 18:48:31 UTC
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13

Comment 6 Fedora Update System 2010-07-06 17:06:57 UTC
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.