Bug 678134 - SELinux is preventing /usr/bin/python from 'create' accesses on the directory updates-testing-debuginfo.
Summary: SELinux is preventing /usr/bin/python from 'create' accesses on the directory...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:b3c82704cfa...
: 679585 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-02-16 20:51 UTC by Jóhann B. Guðmundsson
Modified: 2011-04-26 13:27 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-02-24 18:06:36 UTC
Type: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Jóhann B. Guðmundsson 2011-02-16 20:51:50 UTC 
SELinux is preventing /usr/bin/python from 'create' accesses on the directory updates-testing-debuginfo.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python should be allowed create access on the updates-testing-debuginfo directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-debuginfo- /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:root_t:s0
Target Objects                updates-testing-debuginfo [ dir ]
Source                        abrt-debuginfo-
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.7.1-6.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.14-2.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.38-0.rc5.git0.1.fc15.x86_64 #1 SMP Wed Feb 16
                              05:15:25 UTC 2011 x86_64 x86_64
Alert Count                   24
First Seen                    Wed 16 Feb 2011 09:10:57 AM GMT
Last Seen                     Wed 16 Feb 2011 08:35:32 PM GMT
Local ID                      8d545deb-bfe6-48e2-922e-2b77bd49ee1c

Raw Audit Messages
type=AVC msg=audit(1297888532.138:516): avc:  denied  { create } for  pid=3371 comm="abrt-debuginfo-" name="updates-testing-debuginfo" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir


type=SYSCALL msg=audit(1297888532.138:516): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=1321840 a1=1ed a2=3b1c1b7848 a3=6470752f35312f34 items=0 ppid=888 pid=3371 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-debuginfo- exe=/usr/bin/python subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

Hash: abrt-debuginfo-,abrt_t,root_t,dir,create

audit2allow

#============= abrt_t ==============
allow abrt_t root_t:dir create;

audit2allow -R

#============= abrt_t ==============
allow abrt_t root_t:dir create;
Comment 1 Daniel Walsh 2011-02-16 21:56:13 UTC 
This looks like your machine is badly mislabeled.

fixfiles restore

How did you install it?
Comment 2 Jóhann B. Guðmundsson 2011-02-16 22:11:58 UTC 
TC2 DVD Network install from within Anaconda un-hashed local installation repo ( DVD ) enabled F15 and F15 updates-testing and voila.

Kudos to team Anaconda for this one :)

For those of us that have fat bandwith it delivers a fully updated installed system as opposed having to install first from the dvd then update the system.

How does the system get label at install time?
Comment 3 Jóhann B. Guðmundsson 2011-02-16 22:21:11 UTC 
Note running fixfiles restore produce 2 error msg..

libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
/usr/sbin/semodule:  Failed!
*******************************************************************************
******************************************************************************filespec_add:  conflicting specifications for /var/spool/plymouth/boot.log and /var/log/boot.log, using system_u:object_r:plymouthd_var_log_t:s0.
**
***************************************************************************
Comment 4 Daniel Walsh 2011-02-17 13:40:18 UTC 
Something very strange is going on.
Comment 5 Raphos 2011-02-18 22:05:38 UTC 
Hi,

I got the same problem.

I did what SElinux told me : 

[root@localhost ~]# grep abrt-debuginfo- /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

and then : 

[root@localhost ~]# semodule -i mypol.pp
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
semodule:  Failed!
Comment 6 Daniel Walsh 2011-02-21 23:21:48 UTC 
Can you attempt 

yum reinstall selinux-policy-targeted
Comment 7 Miroslav Grepl 2011-02-22 23:23:53 UTC 
Ok, 
I have tried to install Fedora 15 Alpha RC2 (net install) and I am seeing all these issues. I mean there is a lot of bad labels and also 

libsemanage.semanage_link_sandbox: Could not access sandbox base file

issue.
Comment 8 Miroslav Grepl 2011-02-22 23:42:32 UTC 
Well, 

yum reinstall selinux-policy-targeted

solved 

libsemanage.semanage_link_sandbox: Could not access sandbox base file

issue. So it looks something bad happens during install.
Comment 9 Jóhann B. Guðmundsson 2011-02-22 23:47:40 UTC 
I'm wondering if this is something specific to network installations? 

I'll perform a fresh of the latest dvd install ( or livecd ) tomorrow on my i386 
and see what selinux issues are present after that.
Comment 10 Miroslav Grepl 2011-02-23 08:21:32 UTC 
*** Bug 679585 has been marked as a duplicate of this bug. ***
Comment 11 Miroslav Grepl 2011-02-23 14:19:14 UTC 
Well, I think it could be a problem with rpm (#678644).
Comment 12 Miroslav Grepl 2011-02-23 14:54:11 UTC 
And F15 Alpha live image works fine. So I believe this is really rpm problem.
Comment 13 Jóhann B. Guðmundsson 2011-02-24 16:02:14 UTC 
Yeah I tested both local install and network install off alpha this was not present so I think this can be closed as fixed or notabug
Comment 14 Richard Vijay 2011-03-18 00:29:04 UTC 
Encountered the same issue with my 64bit alpha on i7
Note You need to log in before you can comment on or make changes to this bug.