Bug 808815 - SELinux is preventing /usr/bin/python from getattr access on the filesystem /
Summary: SELinux is preventing /usr/bin/python from getattr access on the filesystem /
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Spacewalk
Classification: Community
Component: Server
Version: 1.7
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Jan Pazdziora
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: space18
Reported: 2012-04-01 07:56 UTC by Alexander Murashkin
Modified: 2012-11-01 16:23 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-04-05 14:40:52 UTC
Embargoed:



Description Alexander Murashkin 2012-04-01 07:56:45 UTC
Description of problem:

SELinux is preventing /usr/bin/python from getattr access on the filesystem /.

Note that I installed Spacewalk recently. I have not done any customization.

Version-Release number of selected component (if applicable):

osa-dispatcher-5.10.34-1.fc16.noarch
osa-dispatcher-selinux-5.10.34-1.fc16.noarch

Additional info:

# sealert -l bef4a1f0-337f-44ce-b38f-d704085d04a3
SELinux is preventing /usr/bin/python from getattr access on the filesystem /.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python should be allowed getattr access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep osa-dispatcher /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:osa_dispatcher_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                / [ filesystem ]
Source                        osa-dispatcher
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          server
Source RPM Packages           python-2.7.2-5.2.fc16.x86_64
Target RPM Packages           filesystem-2.4.44-1.fc16.x86_64
Policy RPM                    selinux-policy-3.10.0-80.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     server
Platform                      Linux server 3.3.0-4.fc16.x86_64
                              #1 SMP Tue Mar 20 18:05:40 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 01 Apr 2012 02:25:31 AM CDT
Last Seen                     Sun 01 Apr 2012 02:25:31 AM CDT
Local ID                      bef4a1f0-337f-44ce-b38f-d704085d04a3

Raw Audit Messages
type=AVC msg=audit(1333265131.163:124): avc:  denied  { getattr } for  pid=3407 comm="osa-dispatcher" name="/" dev="dm-3" ino=2 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem


type=SYSCALL msg=audit(1333265131.163:124): arch=x86_64 syscall=statfs success=no exit=EACCES a0=27de300 a1=7fff0d5e0e58 a2=3c00db1700 a3=2 items=0 ppid=3406 pid=3407 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=osa-dispatcher exe=/usr/bin/python subj=system_u:system_r:osa_dispatcher_t:s0 key=(null)

Hash: osa-dispatcher,osa_dispatcher_t,fs_t,filesystem,getattr

audit2allow

#============= osa_dispatcher_t ==============
allow osa_dispatcher_t fs_t:filesystem getattr;

audit2allow -R

#============= osa_dispatcher_t ==============
allow osa_dispatcher_t fs_t:filesystem getattr;

Comment 1 Jan Pazdziora 2012-04-05 14:40:52 UTC
On normal Fedora 16, the root directory has type root_t, not fs_t:

  # ls -ldZ /
  dr-xr-xr-x. root root system_u:object_r:root_t:s0      /

I suggest you

  # touch /.autorelabel 
  # reboot

to get your filesystem properly relabelled.

Or in general, please investigate why your root has this unexpected label.
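
The two raw audit records in the description share one event ID, so they can be joined to show which syscall and executable triggered the denial and which rule audit2allow derives from it. The Python below is an added example, not part of the bug report or of Spacewalk; its function names are hypothetical and its sample input is the pair of records quoted in the description.

```python
import re
from collections import defaultdict

# Sample input: the two raw audit records quoted in the report above.
SAMPLE_LOG = """\
type=AVC msg=audit(1333265131.163:124): avc:  denied  { getattr } for  pid=3407 comm="osa-dispatcher" name="/" dev="dm-3" ino=2 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1333265131.163:124): arch=x86_64 syscall=statfs success=no exit=EACCES a0=27de300 a1=7fff0d5e0e58 a2=3c00db1700 a3=2 items=0 ppid=3406 pid=3407 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=osa-dispatcher exe=/usr/bin/python subj=system_u:system_r:osa_dispatcher_t:s0 key=(null)
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
KEYVAL = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def parse_events(log):
    """Group audit records by event ID (timestamp:serial)."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KEYVAL.findall(body)}
        if rtype == "AVC":
            avc = AVC.search(body)
            if not avc:
                continue  # malformed AVC record
            fields["result"] = avc.group(1)
            fields["perms"] = avc.group(2).split()
        events[f"{ts}:{serial}"][rtype] = fields
    return events

def summarize_denials(events):
    """One dict per denied AVC, joined with the SYSCALL record of the same event."""
    out = []
    for event_id, recs in events.items():
        avc = recs.get("AVC")
        if not avc or avc["result"] != "denied":
            continue
        sc = recs.get("SYSCALL", {})  # the SYSCALL record may be absent
        src = avc["scontext"].split(":")[2]  # context is user:role:type:level
        tgt = avc["tcontext"].split(":")[2]
        perms = avc["perms"]
        perm_s = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append({"event": event_id, "syscall": sc.get("syscall"), "exe": sc.get("exe"),
                    "source_type": src, "target_type": tgt, "tclass": avc["tclass"],
                    "rule": f"allow {src} {tgt}:{avc['tclass']} {perm_s};"})
    return out

if __name__ == "__main__":
    for denial in summarize_denials(parse_events(SAMPLE_LOG)):
        print(denial)
```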

