723788 – SELinux is preventing /usr/bin/perl from using the 'signal' accesses on a process.

Bug 723788 - SELinux is preventing /usr/bin/perl from using the 'signal' accesses on a process.

Summary: SELinux is preventing /usr/bin/perl from using the 'signal' accesses on a pro...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	14
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	setroubleshoot_trace_hash:ec34f845198...
Depends On:	703010
Blocks:
TreeView+	depends on / blocked

Reported:	2011-07-21 07:02 UTC by Miroslav Grepl
Modified:	2011-08-12 18:26 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-3.9.7-44.fc14
Doc Type:	Bug Fix
Doc Text:
Clone Of:	703010
Environment:
Last Closed:	2011-08-12 11:02:01 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Miroslav Grepl 2011-07-21 07:02:09 UTC

+++ This bug was initially created as a clone of Bug #703010 +++

SELinux is preventing /usr/bin/perl from using the 'signal' accesses on a process.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that perl should be allowed signal access on processes labeled psad_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep psad /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:psad_t:s0-s0:c0.c1023
Target Context                system_u:system_r:psad_t:s0
Target Objects                Unknown [ process ]
Source                        psad
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.12.3-157.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-21.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.5-22.fc15.x86_64 #1 SMP Mon
                              May 2 19:28:55 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 08 May 2011 08:12:09 PM EDT
Last Seen                     Sun 08 May 2011 08:12:09 PM EDT
Local ID                      e3e00949-c348-4693-b2e9-f20a6d4ea40a

Raw Audit Messages
type=AVC msg=audit(1304899929.242:307): avc:  denied  { signal } for  pid=9651 comm="psad" scontext=system_u:system_r:psad_t:s0-s0:c0.c1023 tcontext=system_u:system_r:psad_t:s0 tclass=process


type=SYSCALL msg=audit(1304899929.242:307): arch=x86_64 syscall=kill success=no exit=EACCES a0=c07 a1=1 a2=1202220 a3=3a86d2b490 items=0 ppid=9491 pid=9651 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=8 comm=psad exe=/usr/bin/perl subj=system_u:system_r:psad_t:s0-s0:c0.c1023 key=(null)

Hash: psad,psad_t,psad_t,process,signal

audit2allow

#============= psad_t ==============
allow psad_t self:process signal;

audit2allow -R

#============= psad_t ==============
allow psad_t self:process signal;

--- Additional comment from mgrepl on 2011-05-09 10:29:42 EDT ---

Fixed in selinux-policy-3.9.16-24.fc15

--- Additional comment from mrmoosetrain on 2011-07-19 19:33:01 EDT ---

(In reply to comment #1)
> Fixed in selinux-policy-3.9.16-24.fc15

I am using Fc14 and will not upgrade to FC15 just now are there a fix for fc14.

Comment 1 Daniel Walsh 2011-07-21 13:16:59 UTC

Just add

allow psad_t self:process signal_perms;

Comment 2 Miroslav Grepl 2011-07-25 11:29:11 UTC

Fixed in selinux-policy-3.9.7-44.fc14

Comment 3 Fedora Update System 2011-08-04 13:58:51 UTC

selinux-policy-3.9.7-44.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-44.fc14

Comment 4 Fedora Update System 2011-08-05 03:53:59 UTC

Package selinux-policy-3.9.7-44.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-44.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-44.fc14
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2011-08-12 11:01:00 UTC

selinux-policy-3.9.7-44.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2011-08-12 18:25:25 UTC

selinux-policy-3.9.7-44.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.