Bug 679328 - SELinux is preventing /usr/bin/python from 'read' accesses on the file /home/frank/Downloads/chromium-10.0.634.0-1.fc14.src.rpm.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:d025fd260a2...
Depends On:
Blocks:
 
Reported: 2011-02-22 09:36 UTC by Frank Murphy
Modified: 2011-03-10 03:10 UTC

Fixed In Version: selinux-policy-3.9.16-1.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-03-10 03:10:26 UTC


Attachments
Home policy file 1 (159 bytes, text/plain), 2011-02-22 12:01 UTC, Frank Murphy
Home 2 (1.28 KB, text/plain), 2011-02-22 12:01 UTC, Frank Murphy
home3 (1.26 KB, application/octet-stream), 2011-02-22 12:02 UTC, Frank Murphy
home4 (155 bytes, text/plain), 2011-02-22 12:02 UTC, Frank Murphy
home5 (641 bytes, text/plain), 2011-02-22 12:03 UTC, Frank Murphy
home6 (241 bytes, text/plain), 2011-02-22 12:03 UTC, Frank Murphy
home3 (1.26 KB, text/plain), 2011-02-22 12:05 UTC, Frank Murphy

Description Frank Murphy 2011-02-22 09:36:46 UTC
SELinux is preventing /usr/bin/python from 'read' accesses on the file /home/frank/Downloads/chromium-10.0.634.0-1.fc14.src.rpm.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python should be allowed read access on the chromium-10.0.634.0-1.fc14.src.rpm file by default, then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep mock /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mock_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/frank/Downloads/chromium-10.0.634.0-1.fc14.src.rpm [ file ]
Source                        mock
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.7.1-6.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.14-2.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux test06.frankly3d.local 2.6.38-0.rc5.git5.1.fc15.x86_64 #1 SMP Sun Feb 20 04:29:44 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 22 Feb 2011 09:32:33 GMT
Last Seen                     Tue 22 Feb 2011 09:32:33 GMT
Local ID                      1526f61a-3aa0-4344-bf47-35e2de963590

Raw Audit Messages
type=AVC msg=audit(1298367153.343:47): avc:  denied  { read } for  pid=2123 comm="mock" name="chromium-10.0.634.0-1.fc14.src.rpm" dev=dm-5 ino=785155 scontext=unconfined_u:unconfined_r:mock_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


type=AVC msg=audit(1298367153.343:47): avc:  denied  { open } for  pid=2123 comm="mock" name="chromium-10.0.634.0-1.fc14.src.rpm" dev=dm-5 ino=785155 scontext=unconfined_u:unconfined_r:mock_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


type=SYSCALL msg=audit(1298367153.343:47): arch=x86_64 syscall=open per=8 success=yes exit=EIO a0=11c9130 a1=0 a2=1ff a3=7f7a0f40adc0 items=0 ppid=2122 pid=2123 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=mock exe=/usr/bin/python subj=unconfined_u:unconfined_r:mock_t:s0-s0:c0.c1023 key=(null)

Hash: mock,mock_t,user_home_t,file,read

audit2allow

#============= mock_t ==============
#!!!! This avc is allowed in the current policy

allow mock_t user_home_t:file { read open };

audit2allow -R

#============= mock_t ==============
#!!!! This avc is allowed in the current policy

allow mock_t user_home_t:file { read open };

Comment 1 Miroslav Grepl 2011-02-22 11:19:34 UTC
Are you seeing any other AVC msgs related to mock?

I guess we could allow it.

Comment 2 Frank Murphy 2011-02-22 11:28:12 UTC
I got about 10 in total, I used the suggested fix "mypol++" suggestions for all, but deleted the original reports.

Comment 3 Miroslav Grepl 2011-02-22 11:41:27 UTC
Could you add your local policy?

Comment 4 Frank Murphy 2011-02-22 11:45:25 UTC
(In reply to comment #3)
> Could you add your local policy?

The *.te or the *.pp

Comment 5 Miroslav Grepl 2011-02-22 11:51:20 UTC
*.te policy file.

Comment 6 Frank Murphy 2011-02-22 12:01:13 UTC
Created attachment 480115 [details]
Home policy file 1

Comment 7 Frank Murphy 2011-02-22 12:01:45 UTC
Created attachment 480116 [details]
Home 2

Comment 8 Frank Murphy 2011-02-22 12:02:11 UTC
Created attachment 480117 [details]
home3

Comment 9 Frank Murphy 2011-02-22 12:02:41 UTC
Created attachment 480118 [details]
home4

Comment 10 Frank Murphy 2011-02-22 12:03:06 UTC
Created attachment 480119 [details]
home5

Comment 11 Frank Murphy 2011-02-22 12:03:31 UTC
Created attachment 480120 [details]
home6

Comment 12 Frank Murphy 2011-02-22 12:05:03 UTC
Created attachment 480121 [details]
home3

Comment 13 Miroslav Grepl 2011-02-22 12:19:59 UTC
Thank you. I am trying to test it and I am seeing the same issues.

Comment 14 Daniel Walsh 2011-02-22 15:00:57 UTC
What is the command to make this happen?

Comment 15 Miroslav Grepl 2011-02-22 15:06:25 UTC
# mock -r fedora-15-x86_64 --rebuild selinux-policy-3.9.15-2.fc15.src.rpm


selinux-policy-3.9.1502.fc15.src.rpm is located in my ~/

Comment 16 Miroslav Grepl 2011-02-22 15:37:22 UTC
So I was able to build the policy package using mock with these rules

---

manage_blk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
allow mock_t mock_var_lib_t:dir relabel_dir_perms;
allow mock_t mock_var_lib_t:file relabel_file_perms;

dev_read_sysfs(mock_t)

fs_manage_cgroup_dirs(mock_t)

init_stream_connect(mock_t)

userdom_use_user_ptys(mock_t)
userdom_read_user_home_content_files(mock_t)

---

in enforcing mode without a permissive domain for the mock_t domain.

Comment 17 Daniel Walsh 2011-02-23 16:27:18 UTC
Let's add a boolean for this

mock_enable_homed_dirs, turned on by default.


Not sure about the manage_cgroup_dirs, and could we do init_dontaudit_stream_connect?

Comment 18 Miroslav Grepl 2011-02-23 16:35:18 UTC
(In reply to comment #17)
> Lets add a boolean for this
> 
> mock_enable_homed_dirs, turned on by default.

Boolean is fine.

> 
> 
> Not sure about the manage_cgroup_dirs,

Take a look at it more.

> and could we do
> init_dontaudit_stream_connect?

Oops, yes. Copy/paste error. It works without init_stream_connect(mock_t).

Comment 19 Miroslav Grepl 2011-02-25 14:02:51 UTC
Fixed in selinux-policy-3.9.15-3.fc15

Comment 20 Fedora Update System 2011-03-08 15:39:49 UTC
selinux-policy-3.9.16-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-1.fc15

Comment 21 Fedora Update System 2011-03-10 03:09:49 UTC
selinux-policy-3.9.16-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
