Bug 866286 - SELinux is preventing /usr/bin/python2.7 from using the 'sys_nice' capabilities.
Summary: SELinux is preventing /usr/bin/python2.7 from using the 'sys_nice' capabilities.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:d31b727560eb3d44642f0b62e43...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-10-15 03:09 UTC by Claudiomar Rodrigues
Modified: 2013-02-02 14:41 UTC (History)
29 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-12-20 16:29:03 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
File: type (9 bytes, text/plain)
2012-10-15 03:09 UTC, Claudiomar Rodrigues 		no flags Details
File: hashmarkername (14 bytes, text/plain)
2012-10-15 03:09 UTC, Claudiomar Rodrigues 		no flags Details
View All

Description Claudiomar Rodrigues 2012-10-15 03:09:25 UTC 
Additional info:
libreport version: 2.0.16
kernel:         3.6.1-1.fc17.x86_64

description:
:SELinux is preventing /usr/bin/python2.7 from using the 'sys_nice' capabilities.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If você acredita que o python2.7 deva ser permitido a capacidade de sys_nice  por default.
:Then você precisa reportar este como um erro.
:Você pode gerar um módulo de política local para permitir este acesso.
:Do
:permitir este acesso agora executando:
:# grep hpfax /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:hplip_t:s0-s0:c0.c1023
:Target Context                system_u:system_r:hplip_t:s0-s0:c0.c1023
:Target Objects                 [ capability ]
:Source                        hpfax
:Source Path                   /usr/bin/python2.7
:Port                          <Desconhecido>
:Host                          (removed)
:Source RPM Packages           python-2.7.3-7.2.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-153.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.1-1.fc17.x86_64 #1 SMP Wed Oct
:                              10 12:13:05 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    2012-10-14 14:58:24 BRT
:Last Seen                     2012-10-14 14:58:24 BRT
:Local ID                      56f6829a-7764-4045-970d-54fb1e364e36
:
:Raw Audit Messages
:type=AVC msg=audit(1350237504.314:113): avc:  denied  { sys_nice } for  pid=10280 comm="hpfax" capability=23  scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tclass=capability
:
:
:type=AVC msg=audit(1350237504.314:113): avc:  denied  { setsched } for  pid=10280 comm="hpfax" scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tclass=process
:
:
:type=SYSCALL msg=audit(1350237504.314:113): arch=x86_64 syscall=sched_setscheduler success=yes exit=0 a0=2828 a1=0 a2=7fffe1afcf60 a3=1 items=0 ppid=10276 pid=10280 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=hpfax exe=/usr/bin/python2.7 subj=system_u:system_r:hplip_t:s0-s0:c0.c1023 key=(null)
:
:Hash: hpfax,hplip_t,hplip_t,capability,sys_nice
:
:audit2allow
:
:#============= hplip_t ==============
:allow hplip_t self:capability sys_nice;
:allow hplip_t self:process setsched;
:
:audit2allow -R
:
:#============= hplip_t ==============
:allow hplip_t self:capability sys_nice;
:allow hplip_t self:process setsched;
:
Comment 1 Claudiomar Rodrigues 2012-10-15 03:09:29 UTC 
Created attachment 627168 [details]
File: type
Comment 2 Claudiomar Rodrigues 2012-10-15 03:09:32 UTC 
Created attachment 627169 [details]
File: hashmarkername
Comment 3 Miroslav Grepl 2012-10-15 08:41:33 UTC 
allow $1 self:capability sys_nice;
allow $1 self:process setsched;

It looks more and more domains want to add this access.
Comment 4 Daniel Walsh 2012-10-16 04:01:00 UTC 
/* Allow raising priority and setting priority on other (different
   UID) processes */
/* Allow use of FIFO and round-robin (realtime) scheduling on own
   processes and setting the scheduling algorithm used by another
   process. */
/* Allow setting cpu affinity on other processes */

I wonder which one of these would cause it?
Comment 5 Miroslav Grepl 2012-10-16 12:06:01 UTC 
Tim, 
any idea?
Comment 6 Tim Waugh 2012-10-17 10:59:43 UTC 
No, I can't see what could cause that.

Claudiomar: what does 'rpm -q hplip' say?
Comment 7 Colin J Thomson 2012-10-22 21:53:26 UTC 
The alert happens a soon as the printer has been powered up.
I had not seen this before and as I dont use the printer much so I cannot say which updates caused this.
HP Deskjet F4500 series printer


Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 8 Colin J Thomson 2012-10-22 21:57:22 UTC 
(In reply to comment #6)
> No, I can't see what could cause that.
> 
> Claudiomar: what does 'rpm -q hplip' say?

On this box I have hplip-3.12.9-6.fc17.x86_64
Comment 9 Vít Ondruch 2012-10-23 06:51:26 UTC 
I was trying to add a printer.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 10 Vít Ondruch 2012-10-23 06:52:45 UTC 
]$ rpm -q hplip
hplip-3.12.10-4.a.fc18.x86_64
Comment 11 Miroslav Grepl 2012-10-23 12:09:47 UTC 
Actually this is clear.

syscall=sched_setscheduler

Added to F17.
Comment 12 RichPitts 2012-10-24 08:25:00 UTC 
Machine was brought bacj from sleep no idea how this happened

 https://bugzilla.redhat.com/show_bug.cgi?id=865603 is applied


Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 13 Mihai Harpau 2012-10-26 12:21:51 UTC 
I am installing a SMB printer with system-config-printer

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 14 Daniel Walsh 2012-10-26 17:55:32 UTC 
Mihai was your machine in enforcing mode?  Was it successful?
Comment 15 Mihai Harpau 2012-10-26 18:07:50 UTC 
Yes, I was in enforcing mode and the printer was installed successfully.
Comment 16 Daniel Walsh 2012-10-26 18:25:04 UTC 
I think we should dontaudit this.
Comment 17 Mario Kothe 2012-10-26 18:42:23 UTC 
Tried to setup a printer in the KDE System Settings

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 18 RichPitts 2012-10-29 21:50:28 UTC 
Returning from sleep... came up after accessing kwallet

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 19 Miroslav Grepl 2012-10-29 22:12:04 UTC 
Added.
Comment 20 Jan Vlug 2012-11-01 20:15:20 UTC 
I installed a fresh Fedora 17.
I copied the /home folder of the old system (Fedora 16) to the new disk.
I ran rdiff-backup.


Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 21 Douglas Furlong 2012-11-02 09:24:47 UTC 
This error occured when plugging a Brother HL-5150D rinter in to a USB port.

Package: (null)
Architecture: i686
OS Release: Fedora release 17 (Beefy Miracle)
Comment 22 John Griffiths 2012-11-02 16:12:50 UTC 
This happens every time I access cups; localhost:631

Package: (null)
Architecture: i686
OS Release: Fedora release 17 (Beefy Miracle)
Comment 23 Hans-Dieter Schlabritz 2012-11-04 08:37:06 UTC 
The error occurs right now after the login.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 24 Patrice FERLET 2012-11-04 14:52:25 UTC 
Third error, hplip error... tried to setup a wireless printer and... crash

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 25 Tim Waugh 2012-11-05 11:20:09 UTC 
Correcting component and clearing needinfo flag.
Comment 26 Fedora Update System 2012-11-06 08:22:31 UTC 
selinux-policy-3.10.0-159.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-159.fc17
Comment 27 Fedora Update System 2012-11-08 02:04:56 UTC 
Package selinux-policy-3.10.0-159.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-159.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17782/selinux-policy-3.10.0-159.fc17
then log in and leave karma (feedback).
Comment 28 Tim Waugh 2012-11-13 12:16:46 UTC 
Works here.
Comment 29 Mario Kothe 2012-11-13 18:33:11 UTC 
Can not say if the patch works. To many other things in KDE 4.9 in Fedora are broken to test it. 
I am not able to start the printer install. 

Printer install stops with the error "The service 'Printer Configuration' does not provide an interface 'KCModule'......

Reinstalling the mentioned packages does nothing. 

Not related to this bug but amarok is broken too. But thats another story. 

So far the experience with Fedora 17 is horrible to say the least.
Comment 30 Fedora Update System 2012-12-20 16:29:07 UTC 
selinux-policy-3.10.0-159.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.