Bug 729211 - SELinux is preventing /usr/bin/python from 'search' accesses on the directory /root/.local.
Summary: SELinux is preventing /usr/bin/python from 'search' accesses on the directory...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:4559236686f...
Depends On:
Blocks:
Reported: 2011-08-09 04:21 UTC by Nikita Bige
Modified: 2012-03-31 03:07 UTC (History)

Fixed In Version: selinux-policy-3.9.16-52.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-31 03:07:12 UTC


Description Nikita Bige 2011-08-09 04:21:11 UTC
SELinux is preventing /usr/bin/python from 'search' accesses on the directory /root/.local.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python should be allowed search access on the .local directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fail2ban-client /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:fail2ban_client_t:s0
Target Context                system_u:object_r:gconf_home_t:s0
Target Objects                /root/.local [ dir ]
Source                        fail2ban-client
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.7.1-7.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40-4.fc15.x86_64 #1
                              SMP Fri Jul 29 18:46:53 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 08 Aug 2011 08:01:54 AM MSK
Last Seen                     Mon 08 Aug 2011 08:01:54 AM MSK
Local ID                      00826432-d37e-42c8-b57a-7af13f72cdd7

Raw Audit Messages
type=AVC msg=audit(1312779714.667:26): avc:  denied  { search } for  pid=1740 comm="fail2ban-client" name=".local" dev=dm-1 ino=670711 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir


type=SYSCALL msg=audit(1312779714.667:26): arch=x86_64 syscall=stat success=no exit=ENOENT a0=a349b0 a1=7ffffb0323d0 a2=7ffffb0323d0 a3=326e6f687479702f items=0 ppid=1733 pid=1740 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fail2ban-client exe=/usr/bin/python subj=system_u:system_r:fail2ban_client_t:s0 key=(null)

Hash: fail2ban-client,fail2ban_client_t,gconf_home_t,dir,search

audit2allow

#============= fail2ban_client_t ==============
allow fail2ban_client_t gconf_home_t:dir search;

audit2allow -R

#============= fail2ban_client_t ==============
allow fail2ban_client_t gconf_home_t:dir search;

Comment 1 Daniel Walsh 2011-11-21 16:47:11 UTC
Are you still seeing this?

Comment 2 JM 2012-01-31 02:08:57 UTC
I still see it on Fedora 16.

SELinux is preventing /usr/bin/python from search access on the None /root/.local.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python should be allowed search access on the .local <Unknown> by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fail2ban-client /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:fail2ban_client_t:s0
Target Context                system_u:object_r:gconf_home_t:s0
Target Objects                /root/.local [ None ]
Source                        fail2ban-client
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          foobar
Source RPM Packages           python-2.7.2-5.2.fc16.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-72.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     foobar
Platform                      Linux foobar
                             3.2.2-1.fc16.x86_64 #1 SMP Thu Jan 26 03:21:58 UTC
                             2012 x86_64 x86_64
Alert Count                   1
First Seen                    Tue Jan 31 01:59:48 2012
Last Seen                     Tue Jan 31 01:59:48 2012
Local ID                      b60f6d0e-b7df-4940-b891-43c7a10eecc4

Raw Audit Messages
type=AVC msg=audit(1327971588.905:63): avc:  denied  { search } for  pid=1026 comm="fail2ban-client" name=".local" dev=vda2 ino=530160 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir

node=foobar type=SYSCALL msg=audit(1327971588.905:63): arch=c000003e syscall=4 success=no exit=-2 a0=24f0cc0 a1=7ffff825ad40 a2=7ffff825ad40 a3=6b6361702d657469 items=0 ppid=1021 pid=1026 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fail2ban-client" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_client_t:s0 key=(null)


Hash: fail2ban-client,fail2ban_client_t,gconf_home_t,None,search

audit2allow


audit2allow -R

Comment 3 Daniel Walsh 2012-01-31 19:58:57 UTC
I would prefer to see if you saw this bug in enforcing mode.

Comment 4 Daniel Walsh 2012-01-31 19:59:48 UTC
Added a dontaudit in Rawhide.
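
Added example for the AVC records in the description and for the dontaudit fix in Comment 4; this is illustration code written here, not setroubleshoot, audit2allow or selinux-policy code. It parses an AVC denial line into source type, target type, object class and permissions, merges denials into one rule per (source, target, class) the way the `audit2allow` output above is shaped, and renders either the `allow` rule shown in the description or the `dontaudit` form the maintainer chose. The first AVC line is copied from the description; the second is constructed for the example; the `.te` layout (`module` line, `require` block, rules) follows what `audit2allow -M` writes, but the generator is hand-written and the `mypol` name is the one the report uses. The point of preferring `dontaudit` here is that the SYSCALL record already shows the `stat` failing with ENOENT, so the denial is log noise from a probe rather than a needed access; a `dontaudit` rule silences it without widening the fail2ban_client_t domain.

```python
import re
from collections import defaultdict

# Copied from this bug report's description (the Fedora 15 denial).
AVC_F15 = ('type=AVC msg=audit(1312779714.667:26): avc:  denied  { search } for  '
           'pid=1740 comm="fail2ban-client" name=".local" dev=dm-1 ino=670711 '
           'scontext=system_u:system_r:fail2ban_client_t:s0 '
           'tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir')

# Constructed for this example (not from the report): a second denial from the
# same domain on the same object, to show how permissions merge into one rule.
AVC_CONSTRUCTED = ('type=AVC msg=audit(1312779714.668:27): avc:  denied  { getattr } for  '
                   'pid=1740 comm="fail2ban-client" name=".local" dev=dm-1 ino=670711 '
                   'scontext=system_u:system_r:fail2ban_client_t:s0 '
                   'tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the parts of one AVC record a type-enforcement rule is built
    from, or None when the line is not an AVC record (e.g. a SYSCALL line)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    verdict, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    # A context is user:role:type[:level]; rules are written on the type.
    return {
        'verdict': verdict,
        'perms': perms.split(),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'name': fields.get('name'),
    }


def _perm_text(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def rules(lines, kind='allow'):
    """Collapse denials into one rule per (source, target, class), merging
    permissions as audit2allow does. kind is 'allow' or 'dontaudit'."""
    merged = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc and avc['verdict'] == 'denied':
            merged[(avc['stype'], avc['ttype'], avc['tclass'])].update(avc['perms'])
    return [f'{kind} {s} {t}:{c} {_perm_text(p)};'
            for (s, t, c), p in sorted(merged.items())]


def module_te(name, lines, kind='allow'):
    """Render a policy module source (.te) in the module/require/rules layout
    that `audit2allow -M` produces, ready for checkmodule/semodule_package."""
    types, classes = set(), defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc and avc['verdict'] == 'denied':
            types.update((avc['stype'], avc['ttype']))
            classes[avc['tclass']].update(avc['perms'])
    body = [f'module {name} 1.0;', '', 'require {']
    body += [f'\ttype {t};' for t in sorted(types)]
    body += [f'\tclass {c} {_perm_text(p)};' for c, p in sorted(classes.items())]
    body += ['}', ''] + rules(lines, kind)
    return '\n'.join(body) + '\n'


if __name__ == '__main__':
    # Same denials, once as the allow module the description suggests and once
    # as the dontaudit module that silences the probe without granting access.
    print(module_te('mypol', [AVC_F15, AVC_CONSTRUCTED]))
    print(module_te('mypol', [AVC_F15, AVC_CONSTRUCTED], kind='dontaudit'))
```

Feed it the `type=AVC` lines from `ausearch -m avc` (SYSCALL lines are ignored) and compare the generated `allow` rule with what the denied program actually needs before loading anything; where, as here, the access is a failed probe, the `dontaudit` output is the one to keep.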

Comment 5 Fedora Update System 2012-03-13 09:17:39 UTC
selinux-policy-3.9.16-52.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-52.fc15

Comment 6 Fedora Update System 2012-03-21 02:30:39 UTC
Package selinux-policy-3.9.16-52.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-52.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-4286/selinux-policy-3.9.16-52.fc15
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2012-03-31 03:07:12 UTC
selinux-policy-3.9.16-52.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
