Bug 614025 - SELinux is preventing /usr/bin/python "read" access on /home/tadej/.local/lib/python2.6/site-packages.
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: python
Version: 19
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Bohuslav "Slavek" Kabrda
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:6ce9f0b9367...
Duplicates: 957539
Blocks: 614877
Reported: 2010-07-13 10:23 EDT by Tadej Janež
Modified: 2015-02-17 08:18 EST

Doc Type: Bug Fix
Last Closed: 2015-02-17 08:18:04 EST


Description Tadej Janež 2010-07-13 10:23:14 EDT
Summary:

SELinux is preventing /usr/bin/python "read" access on
/home/tadej/.local/lib/python2.6/site-packages.

Detailed Description:

SELinux denied access requested by semanage. It is not expected that this access
is required by semanage and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c102
                              3
Target Context                unconfined_u:object_r:gconf_home_t:s0
Target Objects                /home/tadej/.local/lib/python2.6/site-packages [
                              dir ]
Source                        semanage
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.4-27.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-33.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.5-124.fc13.i686.PAE #1
                              SMP Fri Jun 11 09:42:24 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Tue 13 Jul 2010 04:20:32 PM CEST
Last Seen                     Tue 13 Jul 2010 04:20:32 PM CEST
Local ID                      0e438d01-d9e9-4d77-b53d-d36d1dc68d7b
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1279030832.905:79): avc:  denied  { read } for  pid=4608 comm="semanage" name="site-packages" dev=dm-1 ino=2900197 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1279030832.905:79): arch=40000003 syscall=5 success=no exit=-13 a0=97ed480 a1=98800 a2=514880 a3=b7772fcc items=0 ppid=4572 pid=4608 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="semanage" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,semanage,semanage_t,gconf_home_t,dir,read
audit2allow suggests:

#============= semanage_t ==============
allow semanage_t gconf_home_t:dir read;
Comment 1 Daniel Walsh 2010-07-13 12:02:34 EDT
Seems like a pretty strange place to be trying to read. Did you create the subdir /home/tadej/.local/lib/python2.6/site-packages?
Comment 2 Dave Malcolm 2010-07-13 12:15:31 EDT
This is the per-user site-packages directory.  

See http://docs.python.org/whatsnew/2.6.html#pep-370-per-user-site-packages-directory

Note that "The feature can be disabled entirely by running Python with the
-s option" - perhaps any python application intended to be run from a confined domain needs to have that?

See also http://www.python.org/dev/peps/pep-0370/
Comment 21 Tomas Hoger 2010-07-29 04:04:24 EDT
RHEL6 bug requesting $HOME reset by default - bug #619293.

Includes links to changes applied upstream, that make env_reset reset HOME too, unless HOME is explicitly env_keep-ed.
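
The behaviour discussed in comments 2 and 21, as an added example that is not part of the bug report or of semanage: it starts fresh interpreters against a constructed HOME holding a harmless marker module and reports whether the per-user site directory is used when HOME is inherited, when `-s` is passed, when `PYTHONNOUSERSITE` is set, and when HOME is reset. The names `probe`, `compare_launch_modes` and `usersite_marker` are made up for the illustration.

```python
import json
import os
import subprocess
import sys
import tempfile

# Runs in a child interpreter: where is the per-user site dir, and is it in use?
PROBE = """
import importlib.util, json, site, sys
d = site.getusersitepackages()
print(json.dumps({
    "user_site": d,
    "enabled": bool(site.ENABLE_USER_SITE),
    "on_path": d in sys.path,
    "marker_importable": importlib.util.find_spec("usersite_marker") is not None,
}))
"""

def probe(home, flags=(), env_extra=None):
    """Start a fresh interpreter with HOME=home and report its user-site state."""
    env = dict(os.environ, HOME=home)
    for var in ("PYTHONNOUSERSITE", "PYTHONUSERBASE", "PYTHONPATH"):
        env.pop(var, None)  # keep the caller's own settings out of the comparison
    env.update(env_extra or {})
    out = subprocess.run([sys.executable, *flags, "-c", PROBE], env=env, cwd=home,
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)

def compare_launch_modes():
    """Constructed scenario: a user's HOME with a harmless marker in its user site."""
    with tempfile.TemporaryDirectory() as user_home, \
         tempfile.TemporaryDirectory() as root_home:
        user_site = probe(user_home)["user_site"]
        os.makedirs(user_site)
        with open(os.path.join(user_site, "usersite_marker.py"), "w") as f:
            f.write("# harmless marker module (constructed sample)\n")
        return {
            "home_inherited": probe(user_home),         # caller's HOME kept
            "dash_s": probe(user_home, flags=("-s",)),  # option quoted in comment 2
            "env_opt_out": probe(user_home, env_extra={"PYTHONNOUSERSITE": "1"}),
            "home_reset": probe(root_home),             # HOME reset, as in comment 21
        }

if __name__ == "__main__":
    for mode, state in compare_launch_modes().items():
        print(f"{mode:15} {state}")
```

Inside a virtual environment the user site is already disabled, so `home_inherited` reports `enabled: False` there.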
Comment 22 Fedora Admin XMLRPC Client 2010-11-08 16:48:20 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 25 Tadej Janež 2011-01-30 15:39:02 EST
Any progress on this?
Comment 26 Daniel Walsh 2011-02-01 17:43:09 EST
Well, semanage in F14 and Rawhide will no longer look into this file.

Not sure why this is assigned to selinux-policy at this point.

I believe it is a python bug, as well as a sudo problem.
Comment 27 Fedora End Of Life 2013-04-03 14:13:32 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could also affect pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Comment 28 Miroslav Grepl 2013-04-29 03:49:22 EDT
*** Bug 957539 has been marked as a duplicate of this bug. ***
Comment 29 Fedora Admin XMLRPC Client 2013-05-10 00:58:05 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 31 Fedora End Of Life 2015-01-09 11:16:42 EST
This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 32 Fedora End Of Life 2015-02-17 08:18:04 EST
Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
