Bug 625993 - SELinux is preventing /bin/bash from executing autoconnect.py.
Summary: SELinux is preventing /bin/bash from executing autoconnect.py.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
(Show other bugs)
Version: 12
Hardware: x86_64 Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:89d8fd1fae0...
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-08-21 10:30 UTC by Zdenek Sedlak
Modified: 2010-12-14 18:57 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.6.32-123.fc12
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-10-14 06:34:32 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Zdenek Sedlak 2010-08-21 10:30:36 UTC
Summary:

SELinux is preventing /bin/bash from executing autoconnect.py.

Detailed Description:

SELinux has denied the 91wicd from executing autoconnect.py. If 91wicd is
supposed to be able to execute autoconnect.py, this could be a labeling problem.
Most confined domains are allowed to execute files labeled bin_t. So you could
change the labeling on this file to bin_t and retry the application. If this
91wicd is not supposed to execute autoconnect.py, this could signal an intrusion
attempt.

Allowing Access:

If you want to allow 91wicd to execute autoconnect.py: chcon -t bin_t
'autoconnect.py' If this fix works, please update the file context on disk, with
the following command: semanage fcontext -a -t bin_t 'autoconnect.py' Please
specify the full path to the executable, Please file a bug report to make sure
this becomes the default labeling.

Additional Information:

Source Context                system_u:system_r:hald_t:s0
Target Context                system_u:object_r:usr_t:s0
Target Objects                autoconnect.py [ file ]
Source                        91wicd
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.0.38-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-120.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   execute
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.16-150.fc12.x86_64
                              #1 SMP Sat Jul 24 05:19:12 UTC 2010 x86_64 x86_64
Alert Count                   4
First Seen                    Fri 20 Aug 2010 11:44:44 PM CEST
Last Seen                     Sat 21 Aug 2010 12:29:19 PM CEST
Local ID                      56c44329-c481-4f5b-9c71-5d7494a95ebc
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1282386559.536:35141): avc:  denied  { execute } for  pid=27422 comm="91wicd" name="autoconnect.py" dev=dm-2 ino=2367468 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1282386559.536:35141): arch=c000003e syscall=21 success=no exit=-13 a0=27de100 a1=1 a2=7fffd168e780 a3=10 items=0 ppid=27421 pid=27422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="91wicd" exe="/bin/bash" subj=system_u:system_r:hald_t:s0 key=(null)



Hash String generated from  execute,91wicd,hald_t,usr_t,file,execute
audit2allow suggests:

#============= hald_t ==============
allow hald_t usr_t:file execute;

Comment 1 Miroslav Grepl 2010-08-22 22:57:22 UTC
Execute

chcon -Rt bin_t  /usr/share/wicd/daemon/

Should fix for now.

Comment 2 Miroslav Grepl 2010-09-01 12:35:16 UTC
Fixed in  selinux-policy-3.6.32-122.fc12

Comment 3 Fedora Update System 2010-10-01 08:49:02 UTC
selinux-policy-3.6.32-123.fc12 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/selinux-policy-3.6.32-123.fc12

Comment 4 Fedora Update System 2010-10-05 09:33:31 UTC
selinux-policy-3.6.32-123.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.6.32-123.fc12

Comment 5 Zdenek Sedlak 2010-10-06 07:06:00 UTC
Ok, no more errors in audit log.

Comment 6 Daniel Walsh 2010-10-06 12:52:42 UTC
Please update karma.

Comment 7 Zdenek Sedlak 2010-10-06 13:16:15 UTC
I've added a feedback here: https://bugzilla.redhat.com/show_bug.cgi?id=625993. Where I can update the karma? (I'm the Anonymous Tester :-D)

Comment 8 Daniel Walsh 2010-10-06 14:20:44 UTC
Ok Updating feedback from Known Testers, updates the karma.  But thanks for the feedback.

Comment 9 Fedora Update System 2010-10-14 06:33:43 UTC
selinux-policy-3.6.32-123.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.