libreport version: 2.0.8
executable: /usr/bin/python
hashmarkername: setroubleshoot
kernel: 3.3.0-0.rc6.git0.2.fc17.x86_64
reason: SELinux is preventing /usr/bin/python from 'getattr' accesses on the file /usr/bin/rpm.
time: Thu 08 Mar 2012 06:55:05 PM EST

description:
SELinux is preventing /usr/bin/python from 'getattr' accesses on the file /usr/bin/rpm.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that python should be allowed getattr access on the rpm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sealert /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:setroubleshoot_fixit_t:s0-s0:c0.c1023
Target Context                system_u:object_r:rpm_exec_t:s0
Target Objects                /usr/bin/rpm [ file ]
Source                        sealert
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.7.2-18.fc17.x86_64
Target RPM Packages           rpm-4.9.1.2-14.fc17.x86_64
Policy RPM                    selinux-policy-3.10.0-95.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.3.0-0.rc6.git0.2.fc17.x86_64 #1 SMP Mon Mar 5 16:54:07 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 08 Mar 2012 06:54:07 PM EST
Last Seen                     Thu 08 Mar 2012 06:54:07 PM EST
Local ID                      c223b19b-7f6a-4490-9e3e-f411e01a38b4

Raw Audit Messages
type=AVC msg=audit(1331250847.653:75): avc: denied { getattr } for pid=1577 comm="sealert" path="/usr/bin/rpm" dev="dm-1" ino=656843 scontext=system_u:system_r:setroubleshoot_fixit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1331250847.653:75): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fff5594ce30 a1=7fff5594ac30 a2=7fff5594ac30 a3=fffff000 items=0 ppid=1576 pid=1577 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sealert exe=/usr/bin/python subj=system_u:system_r:setroubleshoot_fixit_t:s0-s0:c0.c1023 key=(null)

Hash: sealert,setroubleshoot_fixit_t,rpm_exec_t,file,getattr

audit2allow
unable to open /sys/fs/selinux/policy: Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy: Permission denied
Barry, what were you trying to fix?
Now I see this also... you can just try to fix a label and it happens. Nothing is blocked.
Let's add a dontaudit.
(In reply to comment #1)
> Barry what were you trying to fix?

I was trying to do the grep thing and the subsequent command to enforce it, but nothing was taking effect. Even rebooting the machine didn't force it to be allowed. This happened on many of the sealerts I received that I ran the commands to allow it to do what it wanted to do. Reboot the machine and all the alerts came right back, like the suggestions in the alert didn't take effect even though I ran both commands.
Right now I have the same alerts once again: two alerts that I have already submitted and used the suggested commands for, and again they do not take effect.
Could you show us the original alert that you attempted to fix? I.e., show us both alerts.
Created attachment 589700 [details]
SELinux Report

Here is my report. I have no custom policies.
Did you click fix it button on a previous alert?
Happens during bootup, typically. Package: (null) OS Release: Fedora release 17 (Beefy Miracle)
Not sure what you mean? Could you attach your AVC messages?
I'm seeing this every time after logging in to my session. Is there any fix?
Running VMWare kernel update script Package: (null) OS Release: Fedora release 17 (Beefy Miracle)
Are you getting the same AVC msg?
I am afraid I cannot reproduce the exact same problem. Stopped using VMPlayer, moved on to Virtualbox, and checking out Qemu now. Running the VMPlayer update script now results in....

SELinux is preventing /usr/bin/vmnet-natd from module_request access on the system .

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that vmnet-natd should be allowed module_request access on the system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep vmnet-natd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:vmware_host_t:s0-s0:c0.c1023
Target Context                system_u:system_r:kernel_t:s0
Target Objects                [ system ]
Source                        vmnet-natd
Source Path                   /usr/bin/vmnet-natd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.5.4-2.fc17.x86_64 #1 SMP Wed Sep 26 21:58:50 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-10-07 09:43:04 CEST
Last Seen                     2012-10-07 09:43:04 CEST
Local ID                      fae98600-2800-4d5d-8603-2d2309b34d74

Raw Audit Messages
type=AVC msg=audit(1349595784.226:90): avc: denied { module_request } for pid=1311 comm="vmnet-natd" kmod="netdev-vmnet1" scontext=system_u:system_r:vmware_host_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system

type=SYSCALL msg=audit(1349595784.226:90): arch=x86_64 syscall=ioctl success=no exit=ENODEV a0=6 a1=8927 a2=7fff94f76040 a3=0 items=0 ppid=1 pid=1311 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=vmnet-natd exe=/usr/bin/vmnet-natd subj=system_u:system_r:vmware_host_t:s0-s0:c0.c1023 key=(null)

Hash: vmnet-natd,vmware_host_t,kernel_t,system,module_request

audit2allow

#============= vmware_host_t ==============
#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow vmware_host_t kernel_t:system module_request;

audit2allow -R

#============= vmware_host_t ==============
#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow vmware_host_t kernel_t:system module_request;
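To show how the "Hash:" line in the alerts and the rules audit2allow prints are derived from the raw AVC records, here is a small parser added to this page as an example; it is not code from setroubleshoot, audit2allow or selinux-policy. It takes the two AVC lines quoted in this bug plus one constructed denial (serial :76, marked in the code) that exists only to show how permissions for the same source type, target type and class are merged into one rule. The BOOLEAN_HINTS table is an assumption standing in for the policy lookup the real audit2allow does through /sys/fs/selinux/policy; it holds only the domain_kernel_load_modules case named in this thread.

```python
import re
from collections import OrderedDict

# Constructed sample input: the two AVC records quoted in this bug, the
# SYSCALL record that follows the first one (kept to show non-AVC records are
# skipped), and one made-up denial (serial :76, not from the bug) that shares
# source, target and class with the first so that permission merging is visible.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1331250847.653:75): avc:  denied  { getattr } for  pid=1577 comm="sealert" path="/usr/bin/rpm" dev="dm-1" ino=656843 scontext=system_u:system_r:setroubleshoot_fixit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1331250847.653:75): arch=x86_64 syscall=stat success=no exit=EACCES items=0 ppid=1576 pid=1577 auid=4294967295 uid=0 comm="sealert" exe="/usr/bin/python" subj=system_u:system_r:setroubleshoot_fixit_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1331250847.653:76): avc:  denied  { read open } for  pid=1577 comm="sealert" path="/usr/bin/rpm" dev="dm-1" ino=656843 scontext=system_u:system_r:setroubleshoot_fixit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=AVC msg=audit(1349595784.226:90): avc:  denied  { module_request } for  pid=1311 comm="vmnet-natd" kmod="netdev-vmnet1" scontext=system_u:system_r:vmware_host_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: a stand-in for the policy lookup behind audit2allow's
# "#!!!! This avc can be allowed using the boolean ..." comment. The real tool
# reads the loaded policy via /sys/fs/selinux/policy (the "Permission denied"
# in the first report is that open failing). Only the case from this bug is listed.
BOOLEAN_HINTS = {
    ("kernel_t", "system", "module_request"): "domain_kernel_load_modules",
}


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for one 'type=AVC' record, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def parse_log(text):
    """All AVC records in an audit log, in file order."""
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]


def avc_hash(rec):
    """The 'Hash:' line setroubleshoot prints: comm,stype,ttype,tclass,perms."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"]] + rec["perms"])


def policy_rules(records, kind="allow"):
    """Merge denials per (source, target, class) into TE rules, as audit2allow
    does; kind='dontaudit' silences the denial instead of allowing it."""
    merged = OrderedDict()
    for r in records:
        if r["verdict"] != "denied":
            continue
        key = (r["stype"], r["ttype"], r["tclass"])
        merged.setdefault(key, set()).update(r["perms"])
    rules = []
    for (stype, ttype, tclass), perms in merged.items():
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rules.append("%s %s %s:%s %s;" % (kind, stype, ttype, tclass, body))
    return rules


def boolean_hints(records):
    """setsebool commands for denials that a known boolean covers, so no
    custom module is needed for them."""
    hints = OrderedDict()
    for r in records:
        for p in r["perms"]:
            b = BOOLEAN_HINTS.get((r["ttype"], r["tclass"], p))
            if b:
                hints[b] = "setsebool -P %s 1" % b
    return list(hints.values())


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    for r in recs:
        print("Hash:", avc_hash(r))
    print("\n".join(policy_rules(recs)))
    print("\n".join(policy_rules(recs, kind="dontaudit")))
    print("\n".join(boolean_hints(recs)))
```

Run as a script it prints the hash of each record, the merged allow rules, the same rules as dontaudit, and the boolean that would replace the vmware_host_t rule. The choice between the three outputs is the point of this thread: a boolean is preferable to a local module when one exists, and a dontaudit rule, as proposed above for the sealert-on-rpm denial, is the right answer when the access is harmless and only the noise matters.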
Added.

commit 101178abf1efdde84b8556381c858dccae44b14e
Author: Miroslav Grepl <mgrepl>
Date:   Mon Oct 8 10:57:29 2012 +0200

    Allow vmnet-natd to request the kernel to load a module
selinux-policy-3.10.0-153.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-153.fc17
Package selinux-policy-3.10.0-153.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-153.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15652/selinux-policy-3.10.0-153.fc17
then log in and leave karma (feedback).
I've noticed that by relabelling the entire system the problem disappears without updating to selinux-policy-3.10.0-153. I have selinux-policy-3.10.0-149 installed.
1. The problem was present before I migrated /home to a LUKS-mapped encrypted partition.
2. I migrated /home to LUKS and I started getting some unusual SELinux warnings. So I did touch /.autorelabel && reboot
3. After reboot, this problem disappeared (I also tried to reboot 2 more times and it seems to be fixed without updating to the newer update).
I was trying to open the flight simulator "Thunder and Lightening". It simply did not open, and an SELinux bug was reported. Package: (null) Architecture: i686 OS Release: Fedora release 17 (Beefy Miracle)
Was starting a VPN connection. The connection took place but I still got 2 SELinux warnings. The other one is for xauth and it tells me to relabel /root Package: (null) OS Release: Fedora release 17 (Beefy Miracle)
This was while I tried to connect to a vsFTP server locally. Like this: ftp ftp.0.1:54321
Package: (null)
Architecture: i686
OS Release: Fedora release 17 (Beefy Miracle)
Tavash, what were the AVCs that you saw? And why are you adding on to this AVC?
selinux-policy-3.10.0-153.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
While asking SELinux Explorer to fix a problem for me (about /usr/bin/df doing a getattr on /sys/kernel/config), I also got this SELinux message.

Source Context                system_u:system_r:setroubleshoot_fixit_t:s0-s0:c0.c1023
Target Context                system_u:object_r:rpm_exec_t:s0
Target Objects                /usr/bin/rpm [ file ]
Source                        sealert
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.7.3-7.2.fc17.x86_64
Target RPM Packages           rpm-4.9.1.3-7.fc17.x86_64
Policy RPM                    selinux-policy-3.10.0-161.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Could you attach the AVC information.
Created attachment 669244 [details]
SELinux - original action

Added the original SELinux report about df
Created attachment 669245 [details]
SELinux - result action

Added the SELinux report I got after I clicked on the restore context button in troubleshoot
Backported from F18.