Bug 866286 - SELinux is preventing /usr/bin/python2.7 from using the 'sys_nice' capabilities.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64 Unspecified
Priority: unspecified, Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
abrt_hash:d31b727560eb3d44642f0b62e43...
Reported: 2012-10-14 23:09 EDT by Claudiomar Rodrigues
Modified: 2013-02-02 09:41 EST
Doc Type: Bug Fix
Last Closed: 2012-12-20 11:29:03 EST
Attachments:
File: type (9 bytes, text/plain), 2012-10-14 23:09 EDT, Claudiomar Rodrigues
File: hashmarkername (14 bytes, text/plain), 2012-10-14 23:09 EDT, Claudiomar Rodrigues

Description Claudiomar Rodrigues 2012-10-14 23:09:25 EDT
Additional info:
libreport version: 2.0.16
kernel:         3.6.1-1.fc17.x86_64

description:
:SELinux is preventing /usr/bin/python2.7 from using the 'sys_nice' capabilities.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If você acredita que o python2.7 deva ser permitido a capacidade de sys_nice  por default.
:Then você precisa reportar este como um erro.
:Você pode gerar um módulo de política local para permitir este acesso.
:Do
:permitir este acesso agora executando:
:# grep hpfax /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:hplip_t:s0-s0:c0.c1023
:Target Context                system_u:system_r:hplip_t:s0-s0:c0.c1023
:Target Objects                 [ capability ]
:Source                        hpfax
:Source Path                   /usr/bin/python2.7
:Port                          <Desconhecido>
:Host                          (removed)
:Source RPM Packages           python-2.7.3-7.2.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-153.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.1-1.fc17.x86_64 #1 SMP Wed Oct
:                              10 12:13:05 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    2012-10-14 14:58:24 BRT
:Last Seen                     2012-10-14 14:58:24 BRT
:Local ID                      56f6829a-7764-4045-970d-54fb1e364e36
:
:Raw Audit Messages
:type=AVC msg=audit(1350237504.314:113): avc:  denied  { sys_nice } for  pid=10280 comm="hpfax" capability=23  scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tclass=capability
:
:
:type=AVC msg=audit(1350237504.314:113): avc:  denied  { setsched } for  pid=10280 comm="hpfax" scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tclass=process
:
:
:type=SYSCALL msg=audit(1350237504.314:113): arch=x86_64 syscall=sched_setscheduler success=yes exit=0 a0=2828 a1=0 a2=7fffe1afcf60 a3=1 items=0 ppid=10276 pid=10280 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=hpfax exe=/usr/bin/python2.7 subj=system_u:system_r:hplip_t:s0-s0:c0.c1023 key=(null)
:
:Hash: hpfax,hplip_t,hplip_t,capability,sys_nice
:
:audit2allow
:
:#============= hplip_t ==============
:allow hplip_t self:capability sys_nice;
:allow hplip_t self:process setsched;
:
:audit2allow -R
:
:#============= hplip_t ==============
:allow hplip_t self:capability sys_nice;
:allow hplip_t self:process setsched;
:
Comment 1 Claudiomar Rodrigues 2012-10-14 23:09:29 EDT
Created attachment 627168 [details]
File: type
Comment 2 Claudiomar Rodrigues 2012-10-14 23:09:32 EDT
Created attachment 627169 [details]
File: hashmarkername
Comment 3 Miroslav Grepl 2012-10-15 04:41:33 EDT
allow $1 self:capability sys_nice;
allow $1 self:process setsched;

It looks like more and more domains want to add this access.
Comment 4 Daniel Walsh 2012-10-16 00:01:00 EDT
/* Allow raising priority and setting priority on other (different
   UID) processes */
/* Allow use of FIFO and round-robin (realtime) scheduling on own
   processes and setting the scheduling algorithm used by another
   process. */
/* Allow setting cpu affinity on other processes */

I wonder which one of these would cause it?
Comment 5 Miroslav Grepl 2012-10-16 08:06:01 EDT
Tim, 
any idea?
Comment 6 Tim Waugh 2012-10-17 06:59:43 EDT
No, I can't see what could cause that.

Claudiomar: what does 'rpm -q hplip' say?
Comment 7 Colin J Thomson 2012-10-22 17:53:26 EDT
The alert happens as soon as the printer has been powered up.
I had not seen this before, and as I don't use the printer much I cannot say which updates caused this.
HP Deskjet F4500 series printer


Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 8 Colin J Thomson 2012-10-22 17:57:22 EDT
(In reply to comment #6)
> No, I can't see what could cause that.
> 
> Claudiomar: what does 'rpm -q hplip' say?

On this box I have hplip-3.12.9-6.fc17.x86_64
Comment 9 Vít Ondruch 2012-10-23 02:51:26 EDT
I was trying to add a printer.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 10 Vít Ondruch 2012-10-23 02:52:45 EDT
]$ rpm -q hplip
hplip-3.12.10-4.a.fc18.x86_64
Comment 11 Miroslav Grepl 2012-10-23 08:09:47 EDT
Actually this is clear.

syscall=sched_setscheduler

Added to F17.
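
The correlation made in comment 11, as an added example (not part of the bug report and not code from setroubleshoot or audit2allow): both AVC denials share one audit event id with a single SYSCALL record, so one `sched_setscheduler` call produced them. The sample is the report's three records shortened to the fields the code reads; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the three records from the report above, shortened to the
# fields this example reads (same event id, contexts, class and permissions).
SAMPLE = """\
type=AVC msg=audit(1350237504.314:113): avc:  denied  { sys_nice } for  pid=10280 comm="hpfax" capability=23  scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1350237504.314:113): avc:  denied  { setsched } for  pid=10280 comm="hpfax" scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1350237504.314:113): arch=x86_64 syscall=sched_setscheduler success=yes exit=0 pid=10280 comm=hpfax exe=/usr/bin/python2.7
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
AVC = re.compile(r"denied\s+\{ ([^}]+)\}.*scontext=(\S+) tcontext=(\S+) tclass=(\S+)")

def type_of(context):
    # An SELinux context is user:role:type:level; policy rules use the type.
    return context.split(":")[2]

def group_events(log):
    """Group records by audit event id and attach the triggering syscall."""
    events = defaultdict(lambda: {"syscall": None, "success": None, "denials": []})
    for line in log.splitlines():
        head = HEADER.match(line)
        if not head:
            continue
        rtype, event_id = head.groups()
        ev = events[event_id]
        if rtype == "SYSCALL":
            fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
            ev["syscall"], ev["success"] = fields.get("syscall"), fields.get("success")
        elif rtype == "AVC":
            m = AVC.search(line)
            if m:
                perms, scon, tcon, tclass = m.groups()
                ev["denials"].append((type_of(scon), type_of(tcon), tclass, perms.split()))
    return dict(events)

def rules(event, keyword="allow"):
    """Render each denial as a policy rule; keyword may be 'allow' or 'dontaudit'."""
    out = []
    for src, tgt, tclass, perms in event["denials"]:
        target = "self" if src == tgt else tgt
        perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"{keyword} {src} {target}:{tclass} {perm};")
    return out
```

Passing `"dontaudit"` as the keyword renders the same denials in the form that silences the log entry without granting the access. The `success=yes` on the syscall record matches the report's Permissive enforcing mode, where denials are logged but not enforced.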
Comment 12 RichPitts 2012-10-24 04:25:00 EDT
Machine was brought back from sleep, no idea how this happened

 https://bugzilla.redhat.com/show_bug.cgi?id=865603 is applied


Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 13 Mihai Harpau 2012-10-26 08:21:51 EDT
I am installing a SMB printer with system-config-printer

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 14 Daniel Walsh 2012-10-26 13:55:32 EDT
Mihai was your machine in enforcing mode?  Was it successful?
Comment 15 Mihai Harpau 2012-10-26 14:07:50 EDT
Yes, I was in enforcing mode and the printer was installed successfully.
Comment 16 Daniel Walsh 2012-10-26 14:25:04 EDT
I think we should dontaudit this.
Comment 17 Mario Kothe 2012-10-26 14:42:23 EDT
Tried to setup a printer in the KDE System Settings

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 18 RichPitts 2012-10-29 17:50:28 EDT
Returning from sleep... came up after accessing kwallet

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 19 Miroslav Grepl 2012-10-29 18:12:04 EDT
Added.
Comment 20 Jan Vlug 2012-11-01 16:15:20 EDT
I installed a fresh Fedora 17.
I copied the /home folder of the old system (Fedora 16) to the new disk.
I ran rdiff-backup.


Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 21 Douglas Furlong 2012-11-02 05:24:47 EDT
This error occurred when plugging a Brother HL-5150D printer in to a USB port.

Package: (null)
Architecture: i686
OS Release: Fedora release 17 (Beefy Miracle)
Comment 22 John Griffiths 2012-11-02 12:12:50 EDT
This happens every time I access cups; localhost:631

Package: (null)
Architecture: i686
OS Release: Fedora release 17 (Beefy Miracle)
Comment 23 Hans-Dieter Schlabritz 2012-11-04 03:37:06 EST
The error occurs right now after the login.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 24 Patrice FERLET 2012-11-04 09:52:25 EST
Third error, hplip error... tried to setup a wireless printer and... crash

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 25 Tim Waugh 2012-11-05 06:20:09 EST
Correcting component and clearing needinfo flag.
Comment 26 Fedora Update System 2012-11-06 03:22:31 EST
selinux-policy-3.10.0-159.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-159.fc17
Comment 27 Fedora Update System 2012-11-07 21:04:56 EST
Package selinux-policy-3.10.0-159.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-159.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17782/selinux-policy-3.10.0-159.fc17
then log in and leave karma (feedback).
Comment 28 Tim Waugh 2012-11-13 07:16:46 EST
Works here.
Comment 29 Mario Kothe 2012-11-13 13:33:11 EST
Cannot say if the patch works. Too many other things in KDE 4.9 in Fedora are broken to test it. 
I am not able to start the printer install. 

Printer install stops with the error "The service 'Printer Configuration' does not provide an interface 'KCModule'......

Reinstalling the mentioned packages does nothing. 

Not related to this bug but amarok is broken too. But that's another story. 

So far the experience with Fedora 17 is horrible to say the least.
Comment 30 Fedora Update System 2012-12-20 11:29:07 EST
selinux-policy-3.10.0-159.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
