Bug 801608 - SELinux is preventing /usr/bin/python from 'getattr' accesses on the file /usr/bin/rpm.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:1c3aabec7011ccd336dc37de862...
Reported: 2012-03-08 18:55 EST by Barry Godusky
Modified: 2016-05-11 14:45 EDT (History)

Doc Type: Bug Fix
Last Closed: 2012-12-20 10:42:49 EST


Attachments
SELinux Report (2.63 KB, application/octet-stream), 2012-06-05 23:14 EDT, Agustin Ferrario
SELinux - original action (2.57 KB, application/octet-stream), 2012-12-26 09:46 EST, Heldwin
SELinux - result action (2.52 KB, application/octet-stream), 2012-12-26 09:49 EST, Heldwin

Description Barry Godusky 2012-03-08 18:55:15 EST
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.0-0.rc6.git0.2.fc17.x86_64
reason:         SELinux is preventing /usr/bin/python from 'getattr' accesses on the file /usr/bin/rpm.
time:           Thu 08 Mar 2012 06:55:05 PM EST

description:
:SELinux is preventing /usr/bin/python from 'getattr' accesses on the file /usr/bin/rpm.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that python should be allowed getattr access on the rpm file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep sealert /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:setroubleshoot_fixit_t:s0-s0:c0.
:                              c1023
:Target Context                system_u:object_r:rpm_exec_t:s0
:Target Objects                /usr/bin/rpm [ file ]
:Source                        sealert
:Source Path                   /usr/bin/python
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           python-2.7.2-18.fc17.x86_64
:Target RPM Packages           rpm-4.9.1.2-14.fc17.x86_64
:Policy RPM                    selinux-policy-3.10.0-95.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed)
:                              3.3.0-0.rc6.git0.2.fc17.x86_64 #1 SMP Mon Mar 5
:                              16:54:07 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    Thu 08 Mar 2012 06:54:07 PM EST
:Last Seen                     Thu 08 Mar 2012 06:54:07 PM EST
:Local ID                      c223b19b-7f6a-4490-9e3e-f411e01a38b4
:
:Raw Audit Messages
:type=AVC msg=audit(1331250847.653:75): avc:  denied  { getattr } for  pid=1577 comm="sealert" path="/usr/bin/rpm" dev="dm-1" ino=656843 scontext=system_u:system_r:setroubleshoot_fixit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1331250847.653:75): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fff5594ce30 a1=7fff5594ac30 a2=7fff5594ac30 a3=fffff000 items=0 ppid=1576 pid=1577 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sealert exe=/usr/bin/python subj=system_u:system_r:setroubleshoot_fixit_t:s0-s0:c0.c1023 key=(null)
:
:Hash: sealert,setroubleshoot_fixit_t,rpm_exec_t,file,getattr
:
:audit2allow
:unable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -R
:unable to open /sys/fs/selinux/policy:  Permission denied
:
:
Comment 1 Daniel Walsh 2012-03-09 09:50:24 EST
Barry what were you trying to fix?
Comment 2 Miroslav Grepl 2012-03-09 09:59:51 EST
Now I see this also... you can just try to fix a label and it happens. Nothing is blocked.
Comment 3 Daniel Walsh 2012-03-09 10:07:40 EST
Let's add a dontaudit.
Comment 4 Barry Godusky 2012-03-09 11:28:00 EST
(In reply to comment #1)
> Barry what were you trying to fix?

I was trying to do the grep thing and the subsequent command to enforce it, but nothing was taking effect. Even rebooting the machine didn't force it to be allowed.

This happened on many of the sealerts I received where I ran the commands to allow it to do what it wanted to do. Reboot the machine and all the alerts came right back, like the suggestions in the alert didn't take effect even though I ran both commands.
Comment 5 Barry Godusky 2012-03-09 11:30:02 EST
Right now I have the same alerts once again, two alerts that I have already submitted and used the suggested commands for, and again they do not take effect.
Comment 6 Daniel Walsh 2012-03-09 11:33:22 EST
Could you show us the original alert that you attempted to fix?  

I.e., show us both alerts.
Comment 7 Agustin Ferrario 2012-06-05 23:14:50 EDT
Created attachment 589700 [details]
SELinux Report

Here is my report; I have no custom policies.
Comment 8 Daniel Walsh 2012-06-07 14:01:25 EDT
Did you click fix it button on a previous alert?
Comment 9 Georg Greve 2012-09-30 08:23:48 EDT
Happens during bootup, typically.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 10 Daniel Walsh 2012-10-01 06:18:14 EDT
Not sure what you mean?  Could you attach your AVC messages?
Comment 11 Mengxuan Xia 2012-10-03 09:42:30 EDT
I'm seeing this every time after logging in to my session. Is there any fix?
Comment 12 vafr 2012-10-03 14:31:38 EDT
Running VMWare kernel update script

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 13 Miroslav Grepl 2012-10-05 08:13:25 EDT
Are you getting the same AVC msg?
Comment 14 vafr 2012-10-07 03:49:38 EDT
I am afraid I cannot reproduce the exact same problem. Stopped using VMPlayer, moved on to Virtualbox, and checking out Qemu now. Running the VMPlayer update script now results in....

SELinux is preventing /usr/bin/vmnet-natd from module_request access on the system .

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that vmnet-natd should be allowed module_request access on the  system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep vmnet-natd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:vmware_host_t:s0-s0:c0.c1023
Target Context                system_u:system_r:kernel_t:s0
Target Objects                 [ system ]
Source                        vmnet-natd
Source Path                   /usr/bin/vmnet-natd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.5.4-2.fc17.x86_64 #1
                              SMP Wed Sep 26 21:58:50 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-10-07 09:43:04 CEST
Last Seen                     2012-10-07 09:43:04 CEST
Local ID                      fae98600-2800-4d5d-8603-2d2309b34d74

Raw Audit Messages
type=AVC msg=audit(1349595784.226:90): avc:  denied  { module_request } for  pid=1311 comm="vmnet-natd" kmod="netdev-vmnet1" scontext=system_u:system_r:vmware_host_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system


type=SYSCALL msg=audit(1349595784.226:90): arch=x86_64 syscall=ioctl success=no exit=ENODEV a0=6 a1=8927 a2=7fff94f76040 a3=0 items=0 ppid=1 pid=1311 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=vmnet-natd exe=/usr/bin/vmnet-natd subj=system_u:system_r:vmware_host_t:s0-s0:c0.c1023 key=(null)

Hash: vmnet-natd,vmware_host_t,kernel_t,system,module_request

audit2allow

#============= vmware_host_t ==============
#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'

allow vmware_host_t kernel_t:system module_request;

audit2allow -R

#============= vmware_host_t ==============
#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'

allow vmware_host_t kernel_t:system module_request;
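Added example, not code from this bug report or from the selinux-policy project: a small Python parser that turns the raw AVC lines quoted in this bug (the original report and comment 14) into the audit2allow-style `allow` rules both reports print, and into the `dontaudit` form proposed in comment 3. It works from the audit text alone and does not consult the loaded policy, so unlike the real audit2allow it cannot suggest booleans such as `domain_kernel_load_modules`. All function and class names are my own; the two sample lines are copied from this page.

```python
"""Parse raw SELinux AVC denials and emit audit2allow-style TE rules."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample input: the two raw AVC lines quoted in this bug
# (original report and comment 14), copied from the page.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1331250847.653:75): avc:  denied  { getattr } for  '
    'pid=1577 comm="sealert" path="/usr/bin/rpm" dev="dm-1" ino=656843 '
    'scontext=system_u:system_r:setroubleshoot_fixit_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1349595784.226:90): avc:  denied  { module_request } for  '
    'pid=1311 comm="vmnet-natd" kmod="netdev-vmnet1" '
    'scontext=system_u:system_r:vmware_host_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=system',
]

# One AVC record: avc: denied { perms } for <key=value ...> scontext= tcontext= tclass=
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*?)\s*scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Avc:
    perms: Tuple[str, ...]
    comm: str
    stype: str   # type component of scontext (the source domain)
    ttype: str   # type component of tcontext
    tclass: str


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type, the field TE rules are written against."""
    return ctx.split(':')[2]


def parse_avc(line: str) -> Optional[Avc]:
    """Return the structured denial for one raw audit line, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None or m.group('result') != 'denied':
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return Avc(
        perms=tuple(sorted(m.group('perms').split())),
        comm=fields.get('comm', '?'),
        stype=context_type(m.group('scontext')),
        ttype=context_type(m.group('tcontext')),
        tclass=m.group('tclass'),
    )


def hash_key(avc: Avc) -> str:
    """comm,stype,ttype,tclass,perm: the 'Hash:' line setroubleshoot prints
    for single-permission denials (multi-permission ordering is an assumption)."""
    return ','.join([avc.comm, avc.stype, avc.ttype, avc.tclass, *avc.perms])


def fmt_perms(perms: Set[str]) -> str:
    p = ' '.join(sorted(perms))
    return p if len(perms) == 1 else '{ %s }' % p


def te_rules(avcs: Iterable[Avc], verb: str = 'allow') -> List[str]:
    """Merge denials sharing (source, target, class) into one TE rule each.
    verb='allow' reproduces audit2allow's suggestion; verb='dontaudit' yields the
    rule that silences the denial without granting the access."""
    grouped: Dict[Tuple[str, str, str], Set[str]] = {}
    for a in avcs:
        grouped.setdefault((a.stype, a.ttype, a.tclass), set()).update(a.perms)
    return [f'{verb} {s} {t}:{c} {fmt_perms(p)};'
            for (s, t, c), p in sorted(grouped.items())]


def te_module(name: str, avcs: List[Avc], verb: str = 'allow') -> str:
    """Render loadable .te source in the layout 'audit2allow -M <name>' writes."""
    types = sorted({t for a in avcs for t in (a.stype, a.ttype)})
    classes: Dict[str, Set[str]] = {}
    for a in avcs:
        classes.setdefault(a.tclass, set()).update(a.perms)
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {fmt_perms(p)};' for c, p in sorted(classes.items())]
    out += ['}', '', *te_rules(avcs, verb)]
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    parsed = [a for a in map(parse_avc, SAMPLE_AVCS) if a is not None]
    for a in parsed:
        print('Hash:', hash_key(a))
    print(te_module('mypol', parsed[:1], verb='dontaudit'))
```

The rendered .te can be built and loaded the way the setroubleshoot suggestion does it behind the scenes: `checkmodule -M -m -o mypol.mod mypol.te`, `semodule_package -o mypol.pp -m mypol.mod`, `semodule -i mypol.pp`. A `dontaudit` rule only hides the denial; the access is still refused, and `semodule -DB` temporarily disables all dontaudit rules so the hidden AVCs show up again while debugging.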
Comment 15 Miroslav Grepl 2012-10-08 04:57:49 EDT
Added.

commit 101178abf1efdde84b8556381c858dccae44b14e
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Oct 8 10:57:29 2012 +0200

    Allow vmnet-natd to request the kernel to load a module
Comment 16 Fedora Update System 2012-10-08 10:05:07 EDT
selinux-policy-3.10.0-153.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-153.fc17
Comment 17 Fedora Update System 2012-10-08 17:56:13 EDT
Package selinux-policy-3.10.0-153.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-153.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15652/selinux-policy-3.10.0-153.fc17
then log in and leave karma (feedback).
Comment 18 Mengxuan Xia 2012-10-09 10:50:47 EDT
I've noticed that by relabelling the entire system the problem disappears without updating to selinux-policy-3.10.0-153. I have selinux-policy-3.10.0-149 installed.

1. The problem was present before I migrated /home to a LUKS-mapped encrypted partition.
2. I migrated /home to LUKS and I started getting some unusual SELinux warnings. So I did touch /.autorelabel && reboot
3. After reboot, this problem disappeared (I also rebooted 2 more times and it seems to be fixed without updating to the newer update).
Comment 19 Mike 2012-10-14 17:58:13 EDT
I was trying to open the flight simulator "Thunder and Lightening". It simply did not open, and an SELinux bug was reported.

Package: (null)
Architecture: i686
OS Release: Fedora release 17 (Beefy Miracle)
Comment 20 Renich Bon Ciric 2012-10-19 10:52:24 EDT
Was starting a VPN connection. The connection took place but I still got 2 SELinux warnings. The other one is for xauth and it tells me to relabel /root

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 21 tavash 2012-11-08 07:00:41 EST
This was while I tried to connect to a vsFTP server locally, like this:
ftp ftp@192.168.0.1:54321


Package: (null)
Architecture: i686
OS Release: Fedora release 17 (Beefy Miracle)
Comment 22 Daniel Walsh 2012-11-08 10:03:41 EST
Tavash, what were the AVCs that you saw?

And why are you adding on to this AVC?
Comment 23 Fedora Update System 2012-12-20 10:42:54 EST
selinux-policy-3.10.0-153.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 24 Heldwin 2012-12-25 21:46:29 EST
While asking SELinux Explorer to fix a problem for me (about /usr/bin/df doing a getattr on /sys/kernel/config), I also got this SELinux message.

Source Context                system_u:system_r:setroubleshoot_fixit_t:s0-s0:c0.c1023
Target Context                system_u:object_r:rpm_exec_t:s0
Target Objects                /usr/bin/rpm [ file ]
Source                        sealert
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.7.3-7.2.fc17.x86_64
Target RPM Packages           rpm-4.9.1.3-7.fc17.x86_64
Policy RPM                    selinux-policy-3.10.0-161.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Comment 25 Daniel Walsh 2012-12-26 07:28:34 EST
Could you attach the AVC information.
Comment 26 Heldwin 2012-12-26 09:46:56 EST
Created attachment 669244 [details]
SELinux - original action

Added the original SELinux report about df.
Comment 27 Heldwin 2012-12-26 09:49:55 EST
Created attachment 669245 [details]
SELinux - result action

Added the SELinux report I got after I clicked on the restore context button in setroubleshoot.
Comment 29 Miroslav Grepl 2012-12-27 13:43:08 EST
Backported from F18.
