Bug 825775 - SELinux is preventing /usr/bin/python2.7 from write access on the directory /
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: xen
Version: 16
Hardware: x86_64 Linux
Priority: unspecified
Severity: unspecified
Assigned To: Michael Young
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-05-28 08:33 EDT by Peter H. Jones
Modified: 2013-02-11 16:42 EST
Doc Type: Bug Fix
Last Closed: 2013-02-11 16:42:52 EST
Type: Bug
Description Peter H. Jones 2012-05-28 08:33:51 EDT
Description of problem:


Version-Release number of selected component (if applicable):
filesystem-2.4.44-1.fc16.x86_64

How reproducible:
Selinux alert appears without other symptoms.

Steps to Reproduce:
Unknown

  
Actual results:
Selinux alerts

Expected results:
No alerts

Additional info
Attempting to automatically report to Bugzilla gave:

"--- Running report_Bugzilla ---
Logging into Bugzilla at https://bugzilla.redhat.com
Checking for duplicates
fatal: XML-RPC(0): (null)
(exited with 1)
" .

SETroubleshoot Details Window contains:
"SELinux is preventing /usr/bin/python2.7 from write access on the directory /.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python2.7 should be allowed write access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:virsh_t:s0
Target Context                system_u:object_r:root_t:s0
Target Objects                / [ dir ]
Source                        xm
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          toshlocalhost.localdomain
Source RPM Packages           python-2.7.3-1.fc16.x86_64
Target RPM Packages           filesystem-2.4.44-1.fc16.x86_64
Policy RPM                    selinux-policy-3.10.0-86.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     toshlocalhost.localdomain
Platform                      Linux toshlocalhost.localdomain
                              3.3.7-1.fc16.x86_64 #1 SMP Tue May 22 13:59:39 UTC
                              2012 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 28 May 2012 08:14:49 AM EDT
Last Seen                     Mon 28 May 2012 08:14:49 AM EDT
Local ID                      6a49a0fd-c78e-47b8-8abd-e6c3dde3cd73

Raw Audit Messages
type=AVC msg=audit(1338207289.817:54): avc:  denied  { write } for  pid=969 comm="xm" name="/" dev="sda9" ino=2 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir


type=SYSCALL msg=audit(1338207289.817:54): arch=x86_64 syscall=open success=no exit=EACCES a0=14ecef0 a1=200c2 a2=180 a3=20 items=0 ppid=964 pid=969 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=xm exe=/usr/bin/python2.7 subj=system_u:system_r:virsh_t:s0 key=(null)

Hash: xm,virsh_t,root_t,dir,write

audit2allow

#============= virsh_t ==============
#!!!! The source type 'virsh_t' can write to a 'dir' of the following types:
# xend_var_lib_t, virt_etc_t, xenfs_t, virt_etc_rw_t, virt_image_type, ssh_home_t

allow virsh_t root_t:dir write;

audit2allow -R

#============= virsh_t ==============
#!!!! The source type 'virsh_t' can write to a 'dir' of the following types:
# xend_var_lib_t, virt_etc_t, xenfs_t, virt_etc_rw_t, virt_image_type, ssh_home_t

allow virsh_t root_t:dir write;

"
Comment 1 Peter H. Jones 2012-05-28 08:35:56 EDT
Tried to assign "xm" as a component, as per bug 81528, but xm is not available as a component name.
Comment 2 Michael Young 2012-05-29 10:22:41 EDT
What were you doing to trigger this?
Comment 3 Peter H. Jones 2012-06-29 12:15:31 EDT
Starting ABRT, after seeing its icon at the bottom of my LXDE screen
Comment 4 Michael Young 2012-06-29 12:24:16 EDT
(In reply to comment #3)
> Starting ABRT, after seeing its icon at the bottom of my LXDE screen

abrt is just reporting the error. I was wondering what you were doing to cause the error in the first place. It will be something to do with attempting to run a virtual server.
Comment 5 Peter H. Jones 2012-10-26 23:16:27 EDT
The message appears in my /var/log/messages file, which is posted at
https://bugzilla.redhat.com/attachment.cgi?id=634114 as an attachment to bug 857458. So I'm not doing anything special AFAIK.
Comment 6 Fedora Update System 2012-11-23 07:57:45 EST
xen-4.1.3-5.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/xen-4.1.3-5.fc16
Comment 7 Michael Young 2012-11-23 09:01:19 EST
xen-4.1.3-5.fc16 has some selinux related fixes that were in packages for later fedora versions that I think might help your problem.
Comment 8 Fedora Update System 2012-11-23 22:34:29 EST
Package xen-4.1.3-5.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing xen-4.1.3-5.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-18967/xen-4.1.3-5.fc16
then log in and leave karma (feedback).
Comment 9 Peter H. Jones 2012-11-26 16:24:03 EST
Still getting messages. I have installed:
xen-doc-4.1.3-4.fc16.x86_64
xen-licenses-4.1.3-4.fc16.x86_64
netxen-firmware-4.0.534-4.fc15.noarch
xen-hypervisor-4.1.3-4.fc16.x86_64
xen-runtime-4.1.3-5.fc16.x86_64
xen-libs-4.1.3-5.fc16.x86_64
xen-4.1.3-5.fc16.x86_64

I get three selinux messages at bootup. Here they are:


================================= message 1 =============================
SELinux is preventing /usr/bin/python2.7 from write access on the directory /.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python2.7 should be allowed write access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:virsh_t:s0
Target Context                system_u:object_r:root_t:s0
Target Objects                / [ dir ]
Source                        xm
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          toshlocalhost.localdomain
Source RPM Packages           python-2.7.3-4.fc16.x86_64
Target RPM Packages           filesystem-2.4.44-1.fc16.x86_64
Policy RPM                    selinux-policy-3.10.0-96.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     toshlocalhost.localdomain
Platform                      Linux toshlocalhost.localdomain
                              3.6.6-1.fc16.x86_64 #1 SMP Mon Nov 5 16:56:43 UTC
                              2012 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 26 Nov 2012 05:13:17 PM EST
Last Seen                     Mon 26 Nov 2012 05:13:17 PM EST
Local ID                      125fa22c-82e7-4465-9af0-fc3bae1bad5c

Raw Audit Messages
type=AVC msg=audit(1353967997.738:52): avc:  denied  { write } for  pid=1012 comm="xm" name="/" dev="sda9" ino=2 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir


type=SYSCALL msg=audit(1353967997.738:52): arch=x86_64 syscall=open success=no exit=EACCES a0=1ee6c50 a1=200c2 a2=180 a3=20 items=0 ppid=1011 pid=1012 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=xm exe=/usr/bin/python2.7 subj=system_u:system_r:virsh_t:s0 key=(null)

Hash: xm,virsh_t,root_t,dir,write

audit2allow

#============= virsh_t ==============
#!!!! The source type 'virsh_t' can write to a 'dir' of the following types:
# ssh_home_t, xend_var_lib_t, xenfs_t, virt_etc_t, virt_etc_rw_t, virt_image_type

allow virsh_t root_t:dir write;

audit2allow -R

#============= virsh_t ==============
#!!!! The source type 'virsh_t' can write to a 'dir' of the following types:
# ssh_home_t, xend_var_lib_t, xenfs_t, virt_etc_t, virt_etc_rw_t, virt_image_type

allow virsh_t root_t:dir write;


========================================= message 2 =====================
SELinux is preventing /usr/bin/python2.7 from write access on the directory /var/tmp.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python2.7 should be allowed write access on the tmp directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:virsh_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                /var/tmp [ dir ]
Source                        xm
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          toshlocalhost.localdomain
Source RPM Packages           python-2.7.3-4.fc16.x86_64
Target RPM Packages           filesystem-2.4.44-1.fc16.x86_64
Policy RPM                    selinux-policy-3.10.0-96.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     toshlocalhost.localdomain
Platform                      Linux toshlocalhost.localdomain
                              3.6.6-1.fc16.x86_64 #1 SMP Mon Nov 5 16:56:43 UTC
                              2012 x86_64 x86_64
Alert Count                   3
First Seen                    Mon 26 Nov 2012 05:13:17 PM EST
Last Seen                     Mon 26 Nov 2012 05:13:17 PM EST
Local ID                      b73a6b84-7837-4cbe-b95b-e0ec61ef3814

Raw Audit Messages
type=AVC msg=audit(1353967997.737:51): avc:  denied  { write } for  pid=1012 comm="xm" name="tmp" dev="sda9" ino=1044516 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir


type=SYSCALL msg=audit(1353967997.737:51): arch=x86_64 syscall=open success=no exit=EACCES a0=1ee6c50 a1=200c2 a2=180 a3=20 items=0 ppid=1011 pid=1012 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=xm exe=/usr/bin/python2.7 subj=system_u:system_r:virsh_t:s0 key=(null)

Hash: xm,virsh_t,tmp_t,dir,write

audit2allow

#============= virsh_t ==============
#!!!! The source type 'virsh_t' can write to a 'dir' of the following types:
# ssh_home_t, xend_var_lib_t, xenfs_t, virt_etc_t, virt_etc_rw_t, virt_image_type

allow virsh_t tmp_t:dir write;

audit2allow -R

#============= virsh_t ==============
#!!!! The source type 'virsh_t' can write to a 'dir' of the following types:
# ssh_home_t, xend_var_lib_t, xenfs_t, virt_etc_t, virt_etc_rw_t, virt_image_type

allow virsh_t tmp_t:dir write;

============================== message 3 ===============================
SELinux is preventing /usr/bin/python2.7 from write access on the directory /var/log/xen.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python2.7 should be allowed write access on the xen directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:virsh_t:s0
Target Context                system_u:object_r:xend_var_log_t:s0
Target Objects                /var/log/xen [ dir ]
Source                        xm
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          toshlocalhost.localdomain
Source RPM Packages           python-2.7.3-4.fc16.x86_64
Target RPM Packages           xen-runtime-4.1.3-5.fc16.x86_64
Policy RPM                    selinux-policy-3.10.0-96.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     toshlocalhost.localdomain
Platform                      Linux toshlocalhost.localdomain
                              3.6.6-1.fc16.x86_64 #1 SMP Mon Nov 5 16:56:43 UTC
                              2012 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 26 Nov 2012 05:13:17 PM EST
Last Seen                     Mon 26 Nov 2012 05:13:17 PM EST
Local ID                      6c1f18b7-e3b4-46e2-ac46-f40bdd7ea3c9

Raw Audit Messages
type=AVC msg=audit(1353967997.682:48): avc:  denied  { write } for  pid=1012 comm="xm" name="xen" dev="sda9" ino=391854 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir


type=SYSCALL msg=audit(1353967997.682:48): arch=x86_64 syscall=open success=no exit=EACCES a0=1ec0f80 a1=441 a2=1b6 a3=238 items=0 ppid=1011 pid=1012 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=xm exe=/usr/bin/python2.7 subj=system_u:system_r:virsh_t:s0 key=(null)

Hash: xm,virsh_t,xend_var_log_t,dir,write

audit2allow

#============= virsh_t ==============
#!!!! The source type 'virsh_t' can write to a 'dir' of the following types:
# ssh_home_t, xend_var_lib_t, xenfs_t, virt_etc_t, virt_etc_rw_t, virt_image_type

allow virsh_t xend_var_log_t:dir write;

audit2allow -R

#============= virsh_t ==============
#!!!! The source type 'virsh_t' can write to a 'dir' of the following types:
# ssh_home_t, xend_var_lib_t, xenfs_t, virt_etc_t, virt_etc_rw_t, virt_image_type

allow virsh_t xend_var_log_t:dir write;

===================== end of messages ======================================
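Added example, not part of the bug report or of setroubleshoot: a Python script that pairs each AVC record above with the SYSCALL record carrying the same audit event id and decodes the hex a1/a2 arguments of open(), which shows what kind of write xm attempted on each directory. The input is the three record pairs from comment 9 with the SYSCALL lines trimmed; the function names are illustrative and the flag values are the Linux x86_64 open(2) constants.

```python
import re

# Constructed input: the three AVC/SYSCALL pairs from comment 9, SYSCALL lines trimmed.
SAMPLE = """\
type=AVC msg=audit(1353967997.738:52): avc:  denied  { write } for  pid=1012 comm="xm" name="/" dev="sda9" ino=2 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1353967997.738:52): arch=x86_64 syscall=open success=no exit=EACCES a0=1ee6c50 a1=200c2 a2=180 a3=20 pid=1012 comm=xm exe=/usr/bin/python2.7
type=AVC msg=audit(1353967997.737:51): avc:  denied  { write } for  pid=1012 comm="xm" name="tmp" dev="sda9" ino=1044516 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1353967997.737:51): arch=x86_64 syscall=open success=no exit=EACCES a0=1ee6c50 a1=200c2 a2=180 a3=20 pid=1012 comm=xm exe=/usr/bin/python2.7
type=AVC msg=audit(1353967997.682:48): avc:  denied  { write } for  pid=1012 comm="xm" name="xen" dev="sda9" ino=391854 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1353967997.682:48): arch=x86_64 syscall=open success=no exit=EACCES a0=1ec0f80 a1=441 a2=1b6 a3=238 pid=1012 comm=xm exe=/usr/bin/python2.7
"""

ACCESS = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
# Linux x86_64 open(2) flag bits; the audit record prints a1 and a2 in hex.
FLAGS = {0x40: "O_CREAT", 0x80: "O_EXCL", 0x200: "O_TRUNC", 0x400: "O_APPEND",
         0x10000: "O_DIRECTORY", 0x20000: "O_NOFOLLOW", 0x80000: "O_CLOEXEC"}

def decode_open(a1, a2):
    """Return (symbolic flags, octal mode) for the hex a1/a2 of an open() record."""
    flags = int(a1, 16)
    names = [ACCESS.get(flags & 3, "O_ACCMODE?")]
    names += [name for bit, name in sorted(FLAGS.items()) if flags & bit]
    return "|".join(names), "%04o" % int(a2, 16)

def correlate(log):
    """Join AVC and SYSCALL records that share an audit event id (timestamp:serial)."""
    events = {}
    for line in log.splitlines():
        m = re.match(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)", line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', body))
        event = events.setdefault(event_id, {})
        if rtype == "AVC":
            event["perms"] = re.search(r"\{([^}]*)\}", body).group(1).split()
            event["source"] = fields["scontext"].split(":")[2]
            event["target"] = fields["tcontext"].split(":")[2]
            event["tclass"] = fields["tclass"]
        elif rtype == "SYSCALL" and fields.get("syscall") == "open":
            event["open"] = decode_open(fields["a1"], fields["a2"])
    return events

if __name__ == "__main__":
    for event_id, e in sorted(correlate(SAMPLE).items()):
        print(event_id, e["source"], "->", e["target"], e["tclass"], e["perms"], *e["open"])
```

Events :51 and :52 decode to O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW with mode 0600 (an exclusive file create in /var/tmp and /), and event :48 to O_WRONLY|O_CREAT|O_APPEND with mode 0666 (an append-mode create in /var/log/xen), so the dir write denials come from file creation in those directories.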
Comment 10 Peter H. Jones 2012-11-28 10:06:42 EST
Just rebooted with kernel-3.6.7-4.fc16.x86_64 . Still seeing messages. No ABRT is occurring.
Comment 11 Fedora Update System 2012-12-02 21:32:45 EST
xen-4.1.3-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Cole Robinson 2012-12-03 17:20:29 EST
Sounds like there's still issues, setting back to NEW.
Comment 13 Fedora End Of Life 2013-01-16 10:09:18 EST
This message is a reminder that Fedora 16 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 16. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 16 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 14 Cole Robinson 2013-02-11 16:42:52 EST
Peter, as mentioned above, F16 is about to become unsupported. If you can still reproduce selinux issues with F18, please open a new bug to track them.
