SELinux is preventing /usr/bin/python from 'read' accesses on the file apanov-heuristica-fonts-0.4-1.f14.src.rpm.

***** Plugin catchall_labels (83.8 confidence) suggests ********************

If you want to allow python to have read access on the apanov-heuristica-fonts-0.4-1.f14.src.rpm file
Then you need to change the label on apanov-heuristica-fonts-0.4-1.f14.src.rpm
Do
# semanage fcontext -a -t FILE_TYPE 'apanov-heuristica-fonts-0.4-1.f14.src.rpm'
where FILE_TYPE is one of the following: proc_net_t, samba_var_t, abrt_var_run_t, mock_var_lib_t, rpm_var_lib_t, net_conf_t, httpd_sys_rw_content_t, init_exec_t, mock_exec_t, sysctl_crypto_t, sysctl_kernel_t, mock_tmp_t, abrt_t, lib_t, afs_cache_t, abrt_helper_exec_t, bin_t, cert_t, ld_so_t, user_cron_spool_t, usr_t, textrel_shlib_t, sssd_public_t, locale_t, etc_t, mock_t, proc_t, sysfs_t, rpm_script_tmp_t, ldconfig_exec_t, krb5_conf_t, rpm_exec_t, security_t, mock_cache_t, mount_exec_t, shell_exec_t, ld_so_cache_t, sysctl_irq_t, fusermount_exec_t, domain, net_conf_t, cert_t, user_home_t.
Then execute:
restorecon -v 'apanov-heuristica-fonts-0.4-1.f14.src.rpm'

***** Plugin catchall (17.1 confidence) suggests ***************************

If you believe that python should be allowed read access on the apanov-heuristica-fonts-0.4-1.f14.src.rpm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mock /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mock_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:var_lib_t:s0
Target Objects                apanov-heuristica-fonts-0.4-1.f14.src.rpm [ file ]
Source                        mock
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.7.1-6.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-10.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.39-0.rc1.git1.0.fc16.x86_64 #1 SMP Thu Mar 31 21:15:45 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 04 April 2011 20:14:32 CEST
Last Seen                     Mon 04 April 2011 20:14:32 CEST
Local ID                      2b345d86-d0fb-407f-9736-ab997f08d77c

Raw Audit Messages
type=AVC msg=audit(1301940872.739:18793): avc: denied { read } for pid=11936 comm="mock" name="apanov-heuristica-fonts-0.4-1.f14.src.rpm" dev=dm-1 ino=262265 scontext=unconfined_u:unconfined_r:mock_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1301940872.739:18793): avc: denied { open } for pid=11936 comm="mock" name="apanov-heuristica-fonts-0.4-1.f14.src.rpm" dev=dm-1 ino=262265 scontext=unconfined_u:unconfined_r:mock_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1301940872.739:18793): arch=x86_64 syscall=open success=yes exit=EIO a0=2228e90 a1=0 a2=1ff a3=2d73746e6f662d61 items=0 ppid=3939 pid=11936 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=415 comm=mock exe=/usr/bin/python subj=unconfined_u:unconfined_r:mock_t:s0-s0:c0.c1023 key=(null)

Hash: mock,mock_t,var_lib_t,file,read

audit2allow

#============= mock_t ==============
allow mock_t var_lib_t:file { read open };

audit2allow -R

#============= mock_t ==============
allow mock_t var_lib_t:file { read open };
What directory is apanov-heuristica-fonts-0.4-1.f14.src.rpm in?

/var/lib/mock

Should be labeled system_u:object_r:mock_var_lib_t:s0
It's under /var/lib/mock-builder (the utility user I use to prepare rpms I feed to mock)
Is that a standard directory? If you label it mock_var_lib_t it should all work.

# semanage fcontext -a -t mock_var_lib_t '/var/lib/mock-builder(/.*)?'
# restorecon -R -v /var/lib/mock-builder
No, there are no specific conventions for the mock builder home (I don't want it under /home because I consider /home to be for human users, and the builder is a utility user). mock setup is described on http://fedoraproject.org/wiki/Projects/Mock#Setup. Please document the new selinux magic here at least (maybe in the man page too).
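The thread offers two fixes for the same denial: the catchall plugin's audit2allow module, which would grant mock_t read/open on every var_lib_t file on the system, and the maintainer's relabel of the non-standard directory to mock_var_lib_t, which only widens the label of the files mock actually needs. The script below, an added example and not code from this report, from setroubleshoot or from the mock project, parses the raw AVC records quoted above (copied here as constructed sample input), reproduces the allow rule audit2allow would emit from them, and, for a domain whose expected working-directory label is known, produces the narrower semanage fcontext/restorecon fix instead. The EXPECTED_TARGET_TYPE table is an assumption drawn from this thread (mock_t works on mock_var_lib_t); the function names are hypothetical.

```python
import re

# Constructed sample: the AVC and SYSCALL records from the report above, one per line,
# as they appear in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1301940872.739:18793): avc: denied { read } for pid=11936 comm="mock" name="apanov-heuristica-fonts-0.4-1.f14.src.rpm" dev=dm-1 ino=262265 scontext=unconfined_u:unconfined_r:mock_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1301940872.739:18793): avc: denied { open } for pid=11936 comm="mock" name="apanov-heuristica-fonts-0.4-1.f14.src.rpm" dev=dm-1 ino=262265 scontext=unconfined_u:unconfined_r:mock_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1301940872.739:18793): arch=x86_64 syscall=open success=yes exit=EIO a0=2228e90 a1=0 a2=1ff a3=2d73746e6f662d61 items=0 ppid=3939 pid=11936 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=415 comm=mock exe=/usr/bin/python subj=unconfined_u:unconfined_r:mock_t:s0-s0:c0.c1023 key=(null)
"""

# Assumption taken from this thread: mock_t is meant to operate on mock_var_lib_t files,
# so a mock_t denial against plain var_lib_t is a labelling problem, not a policy gap.
EXPECTED_TARGET_TYPE = {"mock_t": "mock_var_lib_t"}

AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """Type field of a user:role:type[:range] SELinux context."""
    return context.split(":")[2]


def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, [perms...]) for each AVC denial record."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        yield (selinux_type(m.group("scontext")),
               selinux_type(m.group("tcontext")),
               m.group("tclass"),
               m.group("perms").split())


def audit2allow_rules(log_text):
    """Merge denials per (source, target, class) into allow rules, as audit2allow does.
    Permission order is first-seen, which matches the 'read open' shown in the report."""
    merged = {}
    for stype, ttype, tclass, perms in parse_avc_denials(log_text):
        bucket = merged.setdefault((stype, ttype, tclass), [])
        for p in perms:
            if p not in bucket:
                bucket.append(p)
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in merged.items()]


def relabel_commands(source_type, target_type, directory):
    """Return the semanage/restorecon pair that gives `directory` the label the source
    domain already has access to, or None when the target is already labelled as expected
    (or the domain is not in the table, so no relabel can be recommended)."""
    want = EXPECTED_TARGET_TYPE.get(source_type)
    if want is None or target_type == want:
        return None
    pattern = directory.rstrip("/") + "(/.*)?"
    return [f"semanage fcontext -a -t {want} '{pattern}'",
            f"restorecon -R -v {directory}"]


def suggest_fix(log_text, directory):
    """Prefer the scoped relabel over the broad allow rule whenever the table knows a
    label for the denied domain; fall back to the audit2allow rule otherwise."""
    for stype, ttype, _tclass, _perms in parse_avc_denials(log_text):
        cmds = relabel_commands(stype, ttype, directory)
        if cmds:
            return {"kind": "relabel", "commands": cmds}
    return {"kind": "policy_module", "rules": audit2allow_rules(log_text)}


if __name__ == "__main__":
    print("audit2allow would emit:", *audit2allow_rules(SAMPLE_AUDIT_LOG), sep="\n  ")
    print("preferred fix:", suggest_fix(SAMPLE_AUDIT_LOG, "/var/lib/mock-builder"))
```

Run it against a real log with `grep mock /var/log/audit/audit.log` piped into SAMPLE_AUDIT_LOG's place; after the relabel, a fresh denial on the same path with tcontext mock_var_lib_t would mean the policy itself lacks the rule, and only then is the audit2allow module (or a bug report, as the plugin says) the right answer.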