Bug 684901 - SELinux is preventing /usr/bin/python from 'setattr' accesses on the directory /proc.
Summary: SELinux is preventing /usr/bin/python from 'setattr' accesses on the director...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:60acc865759...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-03-14 18:29 UTC by Adam Williamson
Modified: 2014-01-21 23:17 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-3.9.16-5.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-03-19 05:54:09 UTC


Attachments (Terms of Use)

Description Adam Williamson 2011-03-14 18:29:13 UTC
SELinux is preventing /usr/bin/python from 'setattr' accesses on the directory /proc.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python should be allowed setattr access on the proc directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep yum /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:mock_t:s0
Target Context                system_u:object_r:proc_t:s0
Target Objects                /proc [ dir ]
Source                        yum
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.7.1-6.fc15
Target RPM Packages           filesystem-2.4.37-1.fc15
Policy RPM                    selinux-policy-3.9.16-1.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38-0.rc8.git0.1.fc15.x86_64 #1 SMP
                              Tue Mar 8 08:22:15 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 14 Mar 2011 11:27:43 AM PDT
Last Seen                     Mon 14 Mar 2011 11:27:43 AM PDT
Local ID                      223ecb9d-b184-499c-94a6-d0dd60a8d0f5

Raw Audit Messages
type=AVC msg=audit(1300127263.205:92): avc:  denied  { setattr } for  pid=2781 comm="yum" name="/" dev=proc ino=1 scontext=unconfined_u:system_r:mock_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir


type=SYSCALL msg=audit(1300127263.205:92): arch=x86_64 syscall=chown success=yes exit=0 a0=582e240 a1=0 a2=0 a3=2 items=0 ppid=2755 pid=2781 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=yum exe=/usr/bin/python subj=unconfined_u:system_r:mock_t:s0 key=(null)

Hash: yum,mock_t,proc_t,dir,setattr

audit2allow

#============= mock_t ==============
allow mock_t proc_t:dir setattr;

audit2allow -R

#============= mock_t ==============
allow mock_t proc_t:dir setattr;

Comment 1 Adam Williamson 2011-03-14 18:30:26 UTC
I'm running mock, and hit this among several other alerts:

python   read   compiz-0.9.4-1.fc16.src.rpm
python   read   compiz

Just using mock shouldn't (and didn't used to) cause a bunch of sealert spam.

Comment 2 Daniel Walsh 2011-03-14 18:44:06 UTC
Added dontaudit for this.

Not sure why yum would be doing this, but I would figure it will not cause it to fail.

Comment 3 Daniel Walsh 2011-03-14 18:45:30 UTC
Fixed in selinux-policy-3.9.16-4.fc15

Comment 4 Adam Williamson 2011-03-15 19:29:42 UTC
Indeed, the alerts don't cause the mock transaction to fail, they're just 'noise'. Will check the fix, thanks.

Comment 5 Fedora Update System 2011-03-17 15:29:01 UTC
selinux-policy-3.9.16-5.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-5.fc15

Comment 6 Adam Williamson 2011-03-17 19:55:47 UTC
Well, this seems to solve the particular alert I listed here, but I'm still hitting some others:

-------------------------

SELinux is preventing /usr/bin/python from read access on the file /home/adamw/build/compiz/compiz-0.9.4-1.fc16.src.rpm.

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If you want to allow mock to read files in home directories.
Then you must tell SELinux about this by enabling the 'mock_enable_homedirs' boolean.
Do
setsebool -P mock_enable_homedirs 1

*****  Plugin catchall (11.6 confidence) suggests  ***************************

If you believe that python should be allowed read access on the compiz-0.9.4-1.fc16.src.rpm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mock /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mock_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/adamw/build/compiz/compiz-0.9.4-1.fc16.src.r
                              pm [ file ]
Source                        mock
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          adam
Source RPM Packages           python-2.7.1-6.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-5.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     adam
Platform                      Linux adam 2.6.38-1.fc15.x86_64 #1 SMP Tue Mar 15
                              05:29:00 UTC 2011 x86_64 x86_64
Alert Count                   11
First Seen                    Mon 14 Mar 2011 05:21:18 PM PDT
Last Seen                     Thu 17 Mar 2011 12:54:28 PM PDT
Local ID                      133763ac-c4c8-44b6-9725-acc5151df089

Raw Audit Messages
type=AVC msg=audit(1300391668.780:312): avc:  denied  { read } for  pid=28209 comm="mock" name="compiz-0.9.4-1.fc16.src.rpm" dev=dm-1 ino=918424 scontext=unconfined_u:unconfined_r:mock_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


type=AVC msg=audit(1300391668.780:312): avc:  denied  { open } for  pid=28209 comm="mock" name="compiz-0.9.4-1.fc16.src.rpm" dev=dm-1 ino=918424 scontext=unconfined_u:unconfined_r:mock_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


type=SYSCALL msg=audit(1300391668.780:312): arch=x86_64 syscall=open success=yes exit=EIO a0=15e1850 a1=0 a2=1b6 a3=302d7a69706d6f63 items=0 ppid=28208 pid=28209 auid=501 uid=501 gid=486 euid=501 suid=0 fsuid=501 egid=486 sgid=486 fsgid=486 tty=pts0 ses=1 comm=mock exe=/usr/bin/python subj=unconfined_u:unconfined_r:mock_t:s0 key=(null)

Hash: mock,mock_t,user_home_t,file,read

audit2allow

#============= mock_t ==============
#!!!! This avc can be allowed using the boolean 'mock_enable_homedirs'

allow mock_t user_home_t:file { read open };

audit2allow -R

#============= mock_t ==============
#!!!! This avc can be allowed using the boolean 'mock_enable_homedirs'

allow mock_t user_home_t:file { read open };

------------------------------

SELinux is preventing /usr/bin/python from read access on the directory /home/adamw/build/compiz.

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If you want to allow mock to read files in home directories.
Then you must tell SELinux about this by enabling the 'mock_enable_homedirs' boolean.
Do
setsebool -P mock_enable_homedirs 1

*****  Plugin catchall (11.6 confidence) suggests  ***************************

If you believe that python should be allowed read access on the compiz directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep yum /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:mock_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/adamw/build/compiz [ dir ]
Source                        yum
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          adam
Source RPM Packages           python-2.7.1-6.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-5.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     adam
Platform                      Linux adam 2.6.38-1.fc15.x86_64 #1 SMP Tue Mar 15
                              05:29:00 UTC 2011 x86_64 x86_64
Alert Count                   8
First Seen                    Mon 14 Mar 2011 05:22:49 PM PDT
Last Seen                     Thu 17 Mar 2011 12:54:30 PM PDT
Local ID                      144f748b-0187-4e13-aa4a-77db307d3188

Raw Audit Messages
type=AVC msg=audit(1300391670.565:313): avc:  denied  { read } for  pid=28313 comm="yum" name="compiz" dev=dm-1 ino=918053 scontext=unconfined_u:system_r:mock_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir


type=SYSCALL msg=audit(1300391670.565:313): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=3abd4509a7 a1=0 a2=2f746f a3=fffffffffffffff0 items=0 ppid=28209 pid=28313 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=yum exe=/usr/bin/python subj=unconfined_u:system_r:mock_t:s0 key=(null)

Hash: yum,mock_t,user_home_t,dir,read

audit2allow

#============= mock_t ==============
#!!!! This avc can be allowed using the boolean 'mock_enable_homedirs'

allow mock_t user_home_t:dir read;

audit2allow -R

#============= mock_t ==============
#!!!! This avc can be allowed using the boolean 'mock_enable_homedirs'

allow mock_t user_home_t:dir read;

-----------------------------

SELinux is preventing /usr/bin/python from read access on the directory /home/adamw/build/compiz.

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If you want to allow mock to read files in home directories.
Then you must tell SELinux about this by enabling the 'mock_enable_homedirs' boolean.
Do
setsebool -P mock_enable_homedirs 1

*****  Plugin catchall (11.6 confidence) suggests  ***************************

If you believe that python should be allowed read access on the compiz directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep yum-builddep /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mock_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/adamw/build/compiz [ dir ]
Source                        yum-builddep
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          adam
Source RPM Packages           python-2.7.1-6.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-5.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     adam
Platform                      Linux adam 2.6.38-1.fc15.x86_64 #1 SMP Tue Mar 15
                              05:29:00 UTC 2011 x86_64 x86_64
Alert Count                   4
First Seen                    Mon 14 Mar 2011 05:23:19 PM PDT
Last Seen                     Thu 17 Mar 2011 12:54:53 PM PDT
Local ID                      63fbeec8-8cd7-42e9-a861-ed701778b8e4

Raw Audit Messages
type=AVC msg=audit(1300391693.372:317): avc:  denied  { read } for  pid=28332 comm="yum-builddep" name="compiz" dev=dm-1 ino=918053 scontext=unconfined_u:unconfined_r:mock_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir


type=SYSCALL msg=audit(1300391693.372:317): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=3abd4509a7 a1=0 a2=2f746f a3=fffffffffffffff0 items=0 ppid=28209 pid=28332 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=yum-builddep exe=/usr/bin/python subj=unconfined_u:unconfined_r:mock_t:s0 key=(null)

Hash: yum-builddep,mock_t,user_home_t,dir,read

audit2allow

#============= mock_t ==============
#!!!! This avc can be allowed using the boolean 'mock_enable_homedirs'

allow mock_t user_home_t:dir read;

audit2allow -R

#============= mock_t ==============
#!!!! This avc can be allowed using the boolean 'mock_enable_homedirs'

allow mock_t user_home_t:dir read;

Comment 7 Daniel Walsh 2011-03-17 21:00:38 UTC
Did you by any chance read the alert before reporting it?

Comment 8 Adam Williamson 2011-03-17 21:29:49 UTC
oh, I missed that, selinux reports tend to make my eyes glaze over for whatever reason. is this a change, though? it never used to happen.

It still doesn't seem right that perfectly normal use of mock - check out a Fedora package, do 'fedpkg srpm', run mock on the srpm - should throw an selinux alert. Or rather, three. That doesn't feel right to me.

Comment 9 Daniel Walsh 2011-03-18 13:50:03 UTC
I think the goal of the mock policy is more to protect the mock servers where jobs are being submitted then the user just running mock.  We have just added mock policy in F14 I believe.

Comment 10 Daniel Walsh 2011-03-18 13:55:03 UTC

Miroslav, lets default the boolean to on, and advise admins to turn this off on servers.

mock_enable_homedirs

Comment 11 Fedora Update System 2011-03-19 05:53:13 UTC
selinux-policy-3.9.16-5.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.