Bug 814388 - SELinux is preventing /usr/bin/python2.7 from using the 'dac_override' capabilities.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:9150409d2bed387e6de07c695bc...
Reported: 2012-04-19 14:33 EDT by cblaauw
Modified: 2012-04-20 09:56 EDT
Last Closed: 2012-04-20 09:56:05 EDT
Doc Type: Bug Fix
Attachments: None

Description cblaauw 2012-04-19 14:33:32 EDT
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.3.2-1.fc17.x86_64
time:           Do 19 Apr 2012 20:33:10 CEST

description:
:SELinux is preventing /usr/bin/python2.7 from using the 'dac_override' capabilities.
:
:*****  Plugin dac_override (91.4 confidence) suggests  ***********************
:
:If you want to check whether the domain needs this access, or whether you have a file with the wrong permissions on your system
:Then turn on full auditing to get path information about the offending file, then reproduce the error again.
:Do
:
:Turn on full auditing
:# auditctl -w /etc/shadow -p w
:Try to reproduce the AVC. Then execute
:# ausearch -m avc -ts recent
:If a PATH record is visible, check the ownership/permissions of the file and fix them,
:otherwise report this to Bugzilla.
:
:*****  Plugin catchall (9.59 confidence) suggests  ***************************
:
:If you believe that python2.7 should have the dac_override capability by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing the following commands:
:# grep firewalld /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:firewalld_t:s0
:Target Context                system_u:system_r:firewalld_t:s0
:Target Objects                 [ capability ]
:Source                        firewalld
:Source Path                   /usr/bin/python2.7
:Port                          <Unbekannt>
:Host                          (removed)
:Source RPM Packages           python-2.7.3-1.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-116.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.2-1.fc17.x86_64 #1 SMP Fri Apr 13
:                              20:23:49 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    Do 19 Apr 2012 20:32:18 CEST
:Last Seen                     Do 19 Apr 2012 20:32:18 CEST
:Local ID                      2b7e74e0-04d1-4d5c-86b6-d2946e298b55
:
:Raw Audit Messages
:type=AVC msg=audit(1334860338.796:159): avc:  denied  { dac_override } for  pid=6555 comm="firewalld" capability=1  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability
:
:
:type=SYSCALL msg=audit(1334860338.796:159): arch=x86_64 syscall=stat success=no exit=ENOENT a0=b18ae0 a1=7ffff70c9e60 a2=7ffff70c9e60 a3=326e6f687479702f items=0 ppid=1 pid=6555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=firewalld exe=/usr/bin/python2.7 subj=system_u:system_r:firewalld_t:s0 key=(null)
:
:Hash: firewalld,firewalld_t,firewalld_t,capability,dac_override
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:
Comment 1 Daniel Walsh 2012-04-19 15:10:44 EDT
dac_override means you have a file that is not able to be used by the root user based on DAC controls.

In order to find the path that firewalld is not able to access, we need to turn on full auditing.

# auditctl -w /etc/shadow

Should turn it on.

Now can you get the error to happen again and run:

ausearch -m avc -ts recent
Comment 2 cblaauw 2012-04-19 16:34:21 EDT
[root@m7 ~]# auditctl -w /etc/shadow
[root@m7 ~]# systemctl restart firewalld.service
[root@m7 ~]# ausearch -m avc -ts recent
----
time->Thu Apr 19 22:32:58 2012
type=PATH msg=audit(1334867578.074:712): item=0 name="/root/.local/lib/python2.7/site-packages"
type=CWD msg=audit(1334867578.074:712):  cwd="/"
type=SYSCALL msg=audit(1334867578.074:712): arch=c000003e syscall=4 success=no exit=-13 a0=1811ae0 a1=7fff8b0e6ad0 a2=7fff8b0e6ad0 a3=326e6f687479702f items=1 ppid=1 pid=6907 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="firewalld" exe="/usr/bin/python2.7" subj=system_u:system_r:firewalld_t:s0 key=(null)
type=AVC msg=audit(1334867578.074:712): avc:  denied  { dac_read_search } for  pid=6907 comm="firewalld" capability=2  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability
type=AVC msg=audit(1334867578.074:712): avc:  denied  { dac_override } for  pid=6907 comm="firewalld" capability=1  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability
Comment 3 Daniel Walsh 2012-04-20 09:56:05 EDT
cblaauw

This indicates you have a directory in /root that python commands are trying to use that is not owned by root.  Most likely you want to remove this directory:

rm -rf /root/.local/lib/python2.7

Or, if there is actually something you want to keep in there:

chown -R root:root /root/.local
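The triage the thread walks through (a dac_override / dac_read_search denial in a root-owned domain, no usable PATH record until full auditing is on, then the PATH record pointing at a directory under /root that is not root-owned) can be automated over ausearch output. The script below is an added example and is not part of the bug report, of setroubleshoot or of firewalld; the sample records are constructed from (and abbreviated relative to) the audit lines pasted in the description and in comment 2, and the advice strings paraphrase the plugin text and comment 3. It groups records by audit serial number, picks out capability AVCs for the two DAC capabilities, and reports whether a PATH record is available and what to check.

```python
"""Correlate SELinux DAC capability denials with the PATH records that full
auditing adds, so the offending file can be found instead of the domain being
granted dac_override.  Added example; not code from the bug report."""
import re
from collections import defaultdict

# Constructed sample: event 159 from the original report (no PATH record, items=0)
# and event 712 from comment 2 (full auditing on, PATH record present).  Some
# syscall arguments are omitted for brevity.
SAMPLE_AUSEARCH = """\
----
time->Thu Apr 19 20:32:18 2012
type=SYSCALL msg=audit(1334860338.796:159): arch=x86_64 syscall=stat success=no exit=ENOENT a0=b18ae0 items=0 ppid=1 pid=6555 auid=4294967295 uid=0 gid=0 euid=0 comm=firewalld exe=/usr/bin/python2.7 subj=system_u:system_r:firewalld_t:s0 key=(null)
type=AVC msg=audit(1334860338.796:159): avc:  denied  { dac_override } for  pid=6555 comm="firewalld" capability=1  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability
----
time->Thu Apr 19 22:32:58 2012
type=PATH msg=audit(1334867578.074:712): item=0 name="/root/.local/lib/python2.7/site-packages"
type=CWD msg=audit(1334867578.074:712):  cwd="/"
type=SYSCALL msg=audit(1334867578.074:712): arch=c000003e syscall=4 success=no exit=-13 a0=1811ae0 items=1 ppid=1 pid=6907 auid=4294967295 uid=0 gid=0 euid=0 comm="firewalld" exe="/usr/bin/python2.7" subj=system_u:system_r:firewalld_t:s0 key=(null)
type=AVC msg=audit(1334867578.074:712): avc:  denied  { dac_read_search } for  pid=6907 comm="firewalld" capability=2  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability
type=AVC msg=audit(1334867578.074:712): avc:  denied  { dac_override } for  pid=6907 comm="firewalld" capability=1  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability
"""

DAC_CAPS = {"dac_override", "dac_read_search"}

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')     # key=value or key="quoted value"
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')   # the { perm perm } set in an AVC line


def parse_records(text):
    """Group audit records by serial number: {serial: [(record_type, fields)]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # '----' separators and 'time->' lines carry no fields
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
        perms = PERMS_RE.search(m.group("body"))
        if perms:
            fields["perms"] = set(perms.group(1).split())
        events[int(m.group("serial"))].append((m.group("type"), fields))
    return events


def advise(caps, paths, syscall):
    """Turn one denial into the next diagnostic step, following the thread's logic."""
    if not paths:
        # No PATH record: any audit watch rule (the plugin uses /etc/shadow) turns
        # on full auditing so the next occurrence records the path.
        return ("no PATH record: enable full auditing (auditctl -w /etc/shadow -p w), "
                "reproduce, then run ausearch -m avc -ts recent again")
    if syscall.get("uid") == "0":
        return ("root process denied %s on %s: check ownership/permissions of that path; "
                "if it is not owned by root, chown or remove it rather than granting "
                "the capability to the domain" % (", ".join(sorted(caps)), ", ".join(paths)))
    return "non-root process (uid %s): check the DAC permissions on %s" % (
        syscall.get("uid"), ", ".join(paths))


def triage_dac_denials(events):
    """For each event with a dac_override / dac_read_search capability denial,
    report who was denied, which syscall, and the path if full auditing recorded it."""
    findings = []
    for serial, records in sorted(events.items()):
        avcs = [f for t, f in records
                if t == "AVC" and f.get("tclass") == "capability"
                and f.get("perms", set()) & DAC_CAPS]
        if not avcs:
            continue
        syscall = next((f for t, f in records if t == "SYSCALL"), {})
        paths = [f["name"] for t, f in records if t == "PATH" and "name" in f]
        cwd = next((f["cwd"] for t, f in records if t == "CWD"), None)
        caps = set().union(*(f["perms"] for f in avcs)) & DAC_CAPS
        findings.append({
            "serial": serial,
            "comm": avcs[0].get("comm"),
            "exe": syscall.get("exe"),
            "domain": avcs[0].get("scontext"),
            "syscall": syscall.get("syscall"),
            "caps": caps,
            "paths": paths,
            "cwd": cwd,
            "advice": advise(caps, paths, syscall),
        })
    return findings


if __name__ == "__main__":
    for finding in triage_dac_denials(parse_records(SAMPLE_AUSEARCH)):
        print("event %(serial)s: %(comm)s (%(exe)s) in %(domain)s denied %(caps)s "
              "during syscall %(syscall)s, paths=%(paths)s cwd=%(cwd)s\n  -> %(advice)s"
              % finding)
```

Feeding it real output (`ausearch -m avc -ts recent | python3 triage.py` with `SAMPLE_AUSEARCH` swapped for `sys.stdin.read()`) gives the same two-stage result as the thread: event 159 only says "enable full auditing", event 712 names /root/.local/lib/python2.7/site-packages, which is the directory comment 3 tells the reporter to remove or chown back to root. Note that the capability check on `perms` also accepts dac_read_search, which comment 2 shows is denied together with dac_override on the same event.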
