Bug 814388 - SELinux is preventing /usr/bin/python2.7 from using the 'dac_override' capabilities.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:9150409d2bed387e6de07c695bc...
Depends On:
Blocks:
 
Reported: 2012-04-19 18:33 UTC by cblaauw
Modified: 2012-04-20 13:56 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-04-20 13:56:05 UTC
Type: ---
Embargoed:



Description cblaauw 2012-04-19 18:33:32 UTC
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.3.2-1.fc17.x86_64
time:           Do 19 Apr 2012 20:33:10 CEST

description:
:SELinux is preventing /usr/bin/python2.7 from using the 'dac_override' capabilities.
:
:*****  Plugin dac_override (91.4 confidence) suggests  ***********************
:
:If you want to check whether the domain needs this access, or whether you have a file with the wrong permissions on your system
:Then enable full auditing to obtain the path information for the offending file, then reproduce the error again.
:Do
:
:Enable full auditing
:# auditctl -w /etc/shadow -p w
:Try to reproduce the AVC, then run
:# ausearch -m avc -ts recent
:If a PATH record is shown, check the ownership and permissions of the file and correct them;
:otherwise report this to Bugzilla.
:
:*****  Plugin catchall (9.59 confidence) suggests  ***************************
:
:If you believe that python2.7 should be allowed dac_override access by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep firewalld /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:firewalld_t:s0
:Target Context                system_u:system_r:firewalld_t:s0
:Target Objects                 [ capability ]
:Source                        firewalld
:Source Path                   /usr/bin/python2.7
:Port                          <Unbekannt>
:Host                          (removed)
:Source RPM Packages           python-2.7.3-1.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-116.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.2-1.fc17.x86_64 #1 SMP Fri Apr 13
:                              20:23:49 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    Do 19 Apr 2012 20:32:18 CEST
:Last Seen                     Do 19 Apr 2012 20:32:18 CEST
:Local ID                      2b7e74e0-04d1-4d5c-86b6-d2946e298b55
:
:Raw Audit Messages
:type=AVC msg=audit(1334860338.796:159): avc:  denied  { dac_override } for  pid=6555 comm="firewalld" capability=1  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability
:
:
:type=SYSCALL msg=audit(1334860338.796:159): arch=x86_64 syscall=stat success=no exit=ENOENT a0=b18ae0 a1=7ffff70c9e60 a2=7ffff70c9e60 a3=326e6f687479702f items=0 ppid=1 pid=6555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=firewalld exe=/usr/bin/python2.7 subj=system_u:system_r:firewalld_t:s0 key=(null)
:
:Hash: firewalld,firewalld_t,firewalld_t,capability,dac_override
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:

Comment 1 Daniel Walsh 2012-04-19 19:10:44 UTC
dac_override means you have a file that is not able to be used by the root user based on DAC controls.

In order to find the path that firewalld is not able to access we need to turn on full auditing

# auditctl -w /etc/shadow

Should turn it on.

Now can you get the error to happen again and run

ausearch -m avc -ts recent

Comment 2 cblaauw 2012-04-19 20:34:21 UTC
[root@m7 ~]# auditctl -w /etc/shadow
[root@m7 ~]# systemctl restart firewalld.service
[root@m7 ~]# ausearch -m avc -ts recent
----
time->Thu Apr 19 22:32:58 2012
type=PATH msg=audit(1334867578.074:712): item=0 name="/root/.local/lib/python2.7/site-packages"
type=CWD msg=audit(1334867578.074:712):  cwd="/"
type=SYSCALL msg=audit(1334867578.074:712): arch=c000003e syscall=4 success=no exit=-13 a0=1811ae0 a1=7fff8b0e6ad0 a2=7fff8b0e6ad0 a3=326e6f687479702f items=1 ppid=1 pid=6907 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="firewalld" exe="/usr/bin/python2.7" subj=system_u:system_r:firewalld_t:s0 key=(null)
type=AVC msg=audit(1334867578.074:712): avc:  denied  { dac_read_search } for  pid=6907 comm="firewalld" capability=2  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability
type=AVC msg=audit(1334867578.074:712): avc:  denied  { dac_override } for  pid=6907 comm="firewalld" capability=1  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability
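One way to automate the correlation Dan asks for, matching the capability AVC records with the PATH record that shares their audit event id (the `msg=audit(timestamp:serial)` field), as an added example that is not from the bug report or from Fedora's tooling. It assumes raw `ausearch` output in the form shown above; the `SAMPLE` lines are constructed from comment 2 with the fields the script does not read trimmed.

```python
import errno
import re
from collections import defaultdict
# Constructed sample: the records from comment 2, shortened to the fields read here.
SAMPLE = """\
type=PATH msg=audit(1334867578.074:712): item=0 name="/root/.local/lib/python2.7/site-packages"
type=CWD msg=audit(1334867578.074:712):  cwd="/"
type=SYSCALL msg=audit(1334867578.074:712): arch=c000003e syscall=4 success=no exit=-13 pid=6907 uid=0 comm="firewalld" exe="/usr/bin/python2.7" subj=system_u:system_r:firewalld_t:s0
type=AVC msg=audit(1334867578.074:712): avc:  denied  { dac_read_search } for  pid=6907 comm="firewalld" capability=2  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability
type=AVC msg=audit(1334867578.074:712): avc:  denied  { dac_override } for  pid=6907 comm="firewalld" capability=1  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability
"""

REC = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r'denied\s+\{ ([^}]*)\}')
def parse_events(text):
    """Group records by audit event id (timestamp:serial), which ties an AVC to its PATH record."""
    events = defaultdict(lambda: {"paths": [], "denied": set(), "syscall": {}})
    for line in text.splitlines():
        m = REC.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events[f"{ts}:{serial}"]
        fields = {k: v.strip('"') for k, v in KV.findall(body)}
        if rtype == "PATH":
            ev["paths"].append(fields.get("name"))
        elif rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "AVC" and fields.get("tclass") == "capability":
            d = DENIED.search(body)
            if d:
                ev["denied"].update(d.group(1).split())
    return events

def errno_name(exit_field):
    """Map a raw exit=-13 to EACCES; 'ausearch -i' output already carries the name."""
    if exit_field.startswith("-") and exit_field[1:].isdigit():
        return errno.errorcode.get(int(exit_field[1:]), exit_field)
    return exit_field
def dac_denials(text):
    """(comm, denied dac_* perms, paths, errno) for each event that needed a DAC capability."""
    out = []
    for ev in parse_events(text).values():
        dac = sorted(p for p in ev["denied"] if p.startswith("dac_"))
        if dac:
            sc = ev["syscall"]
            out.append((sc.get("comm"), dac, ev["paths"], errno_name(sc.get("exit", "?"))))
    return out
```

Without a watch rule loaded (the `auditctl -w` step), no PATH record is emitted and `paths` stays empty, which is exactly the situation in the original description.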

Comment 3 Daniel Walsh 2012-04-20 13:56:05 UTC
cblaauw 

This indicates you have a directory in /root that python commands are trying to use that is not owned by root.  Most likely you want to remove this directory,

rm -rf /root/.local/lib/python2.7

Or if there is actually something you want to keep in there.

chown -R root:root /root/.local

