SELinux is preventing /usr/bin/python from 'mac_admin' accesses on the capability2 Unknown.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that python should be allowed mac_admin access on the Unknown capability2 by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep yum /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:rpm_t:s0-s0:c0.c1023
Target Context                unconfined_u:system_r:rpm_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability2 ]
Source                        yum
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.4-27.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-89.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.34.8-68.fc13.x86_64 #1 SMP Thu Feb 17 15:03:58 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 24 Mar 2011 04:37:13 PM CET
Last Seen                     Thu 24 Mar 2011 04:37:13 PM CET
Local ID                      8c5e6545-cf04-42cd-8643-a1af5da784f8

Raw Audit Messages
type=AVC msg=audit(1300981033.222:24): avc: denied { mac_admin } for pid=2786 comm="yum" capability=33 scontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=capability2

type=SYSCALL msg=audit(1300981033.222:24): arch=x86_64 syscall=lsetxattr success=no exit=EINVAL a0=e14db00 a1=3ba2215d6a a2=e15b9f0 a3=2b items=0 ppid=2513 pid=2786 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=yum exe=/usr/bin/python subj=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 key=(null)

Hash: yum,rpm_t,rpm_t,capability2,mac_admin

audit2allow

#============= rpm_t ==============
allow rpm_t self:capability2 mac_admin;

audit2allow -R

#============= rpm_t ==============
allow rpm_t self:capability2 mac_admin;
What were you doing when this happened?
I was using Konsole (the KDE program) and worked in a chrooted environment. I had mounted the partition of my Fedora Rawhide release and chrooted into it to update the system, because it would not start.
Which means you were attempting to put down rawhide labels while running with an F13 Kernel/Policy. This is why you are getting the mac_admin avc. Which is expected. I guess if you want to put down these labels you would either need to add the rule using audit2allow or run the machine in permissive mode. We do not want apps to be allowed to put down random SELinux labels that are not understood by the kernel. (Although livecd is allowed to do this.)
This also happens when installing F16-beta (UEFI).

Steps to reproduce:
1. install F16-beta (via UEFI)
1.a) log in with the newly created account (in admin group)
1.b) open Terminal
1.c) become root (sudo su -)
2. yum remove grub
3. yum upgrade grubby
4. yum -y upgrade

AVC denial pops up.
In response to comment #4, can you attach the raw audit logs in question?
Please attach the output from:

ausearch -m avc -i
*** Bug 743947 has been marked as a duplicate of this bug. ***
[root@localhost ~]# ausearch -m avc -i
----
type=SYSCALL msg=audit(10/05/2011 18:36:55.773:109) : arch=x86_64 syscall=lsetxattr success=no exit=-22(Invalid argument) a0=b75d180 a1=7fe00be4e21b a2=b75d1b0 a3=23 items=0 ppid=2090 pid=3366 auid=baumanmo uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=yum exe=/usr/bin/python subj=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(10/05/2011 18:36:55.773:109) : avc: denied { mac_admin } for pid=3366 comm=yum capability=mac_admin scontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=capability2
----
type=SYSCALL msg=audit(10/05/2011 18:37:01.126:119) : arch=x86_64 syscall=lsetxattr success=no exit=-22(Invalid argument) a0=b75d490 a1=7fe00be4e21b a2=b8ab2c0 a3=24 items=0 ppid=2090 pid=3366 auid=baumanmo uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=yum exe=/usr/bin/python subj=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(10/05/2011 18:37:01.126:119) : avc: denied { mac_admin } for pid=3366 comm=yum capability=mac_admin scontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=capability2
----
type=SYSCALL msg=audit(10/05/2011 18:40:51.809:141) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=d a1=7fffb02284a3 a2=0 a3=7fffb0228160 items=0 ppid=1 pid=6077 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-logind exe=/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(10/05/2011 18:40:51.809:141) : avc: denied { unlink } for pid=6077 comm=systemd-logind name=user dev=tmpfs ino=26501 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:config_home_t:s0 tclass=file
----
type=SYSCALL msg=audit(10/06/2011 08:38:28.003:134) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=c a1=7fff5783d373 a2=0 a3=0 items=0 ppid=1 pid=2084 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-logind exe=/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(10/06/2011 08:38:28.003:134) : avc: denied { unlink } for pid=2084 comm=systemd-logind name=user dev=tmpfs ino=23959 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:config_home_t:s0 tclass=file
----
type=SYSCALL msg=audit(10/06/2011 08:38:28.020:135) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=c a1=7fff5783d373 a2=0 a3=0 items=0 ppid=1 pid=2084 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-logind exe=/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(10/06/2011 08:38:28.020:135) : avc: denied { unlink } for pid=2084 comm=systemd-logind name=user dev=tmpfs ino=32382 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file
----
type=SYSCALL msg=audit(10/06/2011 09:12:20.844:95) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=d a1=7fff2202d053 a2=0 a3=0 items=0 ppid=1 pid=1199 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-logind exe=/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(10/06/2011 09:12:20.844:95) : avc: denied { unlink } for pid=1199 comm=systemd-logind name=user dev=tmpfs ino=27844 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file
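The ausearch dump above mixes the case explained earlier in the thread (rpm_t hitting lsetxattr with a label the running kernel/policy does not know, surfacing as a mac_admin denial on capability2) with unrelated systemd-logind unlink denials. The following triage script is an added example, not part of this bug report or of setroubleshoot: it correlates SYSCALL and AVC records by audit serial and flags the unknown-label pattern. The sample records are constructed, shortened copies modelled on the output above.

```python
import re
from collections import defaultdict

# Constructed sample in `ausearch -m avc -i` layout (shortened field lists).
SAMPLE = """\
type=SYSCALL msg=audit(10/05/2011 18:36:55.773:109) : arch=x86_64 syscall=lsetxattr success=no exit=-22(Invalid argument) pid=3366 comm=yum exe=/usr/bin/python subj=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023
type=AVC msg=audit(10/05/2011 18:36:55.773:109) : avc: denied { mac_admin } for pid=3366 comm=yum capability=mac_admin scontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=capability2
----
type=SYSCALL msg=audit(10/06/2011 08:38:28.003:134) : arch=x86_64 syscall=unlinkat success=yes exit=0 pid=2084 comm=systemd-logind exe=/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0
type=AVC msg=audit(10/06/2011 08:38:28.003:134) : avc: denied { unlink } for pid=2084 comm=systemd-logind name=user dev=tmpfs ino=23959 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:config_home_t:s0 tclass=file
"""

# Record header: works for both the raw "audit(1300981033.222:24):" form and
# the interpreted "audit(10/05/2011 18:36:55.773:109) :" form; the serial
# after the last colon ties the SYSCALL and AVC records of one event together.
REC = re.compile(r"^type=(\w+) msg=audit\(([^)]*):(\d+)\)\s*:\s*(.*)$")
KV = re.compile(r"(\w+)=(\S+)")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]*) \}")


def parse_ausearch(text):
    """Group records by audit serial: one SYSCALL dict plus a list of AVC dicts
    (each AVC dict gets a 'perms' list with the denied permission names)."""
    events = defaultdict(lambda: {"syscall": {}, "avc": []})
    for line in text.splitlines():
        m = REC.match(line)
        if not m:
            continue  # '----' separators and anything that is not a record
        rtype, _ts, serial, rest = m.groups()
        fields = dict(KV.findall(rest))
        if rtype == "AVC":
            fields["perms"] = AVC.search(rest).group(1).split()
            events[serial]["avc"].append(fields)
        elif rtype == "SYSCALL":
            events[serial]["syscall"] = fields
    return dict(events)


def triage(event):
    """Label one event: a mac_admin denial on capability2 paired with a failed
    lsetxattr is the unknown-label case from this bug; everything else is 'other'."""
    sc = event["syscall"]
    for avc in event["avc"]:
        if (avc.get("tclass") == "capability2" and "mac_admin" in avc["perms"]
                and sc.get("syscall") == "lsetxattr" and sc.get("success") == "no"):
            return ("unknown-label", avc["comm"], avc["scontext"])
    avc = event["avc"][0]
    return ("other", avc["comm"], avc["scontext"])


def report(text):
    """Map audit serial -> (verdict, comm, scontext) for every event with an AVC."""
    return {s: triage(ev) for s, ev in parse_ausearch(text).items() if ev["avc"]}
```

Feeding it the real `ausearch -m avc -i` output separates the two lsetxattr events (serials 109 and 119) from the systemd-logind unlink denials, which this bug does not cover.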
Would it be possible to get people to post what rpms they were updating/installing when this happened? It might help us track down the rpm and/or yum plugin that is broken.
Or if the AVC included the actual bad context that the tool tried to set, that would be helpful also...
My particular case seems to be with the grubby package on Fedora 16 Beta. However, rerunning the update seems to be enough to get it to behave.