Hide Forgot
SELinux is preventing /usr/bin/python from 'write' accesses on the directory /home/vondruch/fedora-scm/rubygem-fssm. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that python should be allowed write access on the rubygem-fssm directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep mock /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:mock_t:s0-s0:c0.c1023 Target Context unconfined_u:object_r:user_home_t:s0 Target Objects /home/vondruch/fedora-scm/rubygem-fssm [ dir ] Source mock Source Path /usr/bin/python Port <Neznámé> Host (removed) Source RPM Packages python-2.7.1-6.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-10.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.38.2-9.fc15.x86_64 #1 SMP Wed Mar 30 16:55:57 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen Út 5. duben 2011, 11:03:40 CEST Last Seen Út 5. duben 2011, 11:03:40 CEST Local ID bc34041b-1c5b-4c28-a46f-98c8c839842a Raw Audit Messages type=AVC msg=audit(1301994220.286:406): avc: denied { write } for pid=28084 comm="mock" name="rubygem-fssm" dev=dm-6 ino=198171 scontext=unconfined_u:unconfined_r:mock_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir type=AVC msg=audit(1301994220.286:406): avc: denied { add_name } for pid=28084 comm="mock" name="rubygem-fssm" scontext=unconfined_u:unconfined_r:mock_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir type=AVC msg=audit(1301994220.286:406): avc: denied { create } for pid=28084 comm="mock" name="rubygem-fssm" scontext=unconfined_u:unconfined_r:mock_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir type=SYSCALL msg=audit(1301994220.286:406): arch=x86_64 syscall=mkdir success=yes exit=0 a0=13f6d20 a1=1ff a2=3d8c1b7848 a3=3d8bf3fdc0 items=0 ppid=28083 pid=28084 auid=500 uid=500 gid=500 euid=500 suid=0 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=2 comm=mock exe=/usr/bin/python subj=unconfined_u:unconfined_r:mock_t:s0-s0:c0.c1023 key=(null) Hash: mock,mock_t,user_home_t,dir,write audit2allow #============= mock_t ============== #!!!! The source type 'mock_t' can write to a 'dir' of the following types: # mock_var_lib_t, mock_tmp_t, cgroup_t, mock_cache_t allow mock_t user_home_t:dir { write create add_name }; audit2allow -R #============= mock_t ============== #!!!! The source type 'mock_t' can write to a 'dir' of the following types: # mock_var_lib_t, mock_tmp_t, cgroup_t, mock_cache_t allow mock_t user_home_t:dir { write create add_name };
This AVC can be reproduced by following steps: 1. fedpkg clone rubygem-fssm 2. fedpkg mockbuild
I thought it should use /var/lib/mock.
(In reply to comment #2) > I thought it should use /var/lib/mock. If you are using "mock your.src.rpm" then yes, but "fedpkg mockbuild" builds in current directory. Now I see I missed one step: "1.5 cd rubygem-fssm"
Miroslav lets take a way mock_role(unconfined_r, unconfined_t) For F15 and move it into F16, then in F16 we can work with fedpkg to setup proper labeling. I guess we would want it to label the newly created directory the same way as /var/lib/mock. Or we create a new type mock_home_t.
*** Bug 693765 has been marked as a duplicate of this bug. ***