Bug 872913 - SELinux is preventing /usr/bin/python2.7 from using the 'execmem' accesses on a process.
SELinux is preventing /usr/bin/python2.7 from using the 'execmem' accesses on...
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: blueman (Show other bugs)
18
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Juan Manuel Rodriguez
Fedora Extras Quality Assurance
abrt_hash:ac3a48398108d9f559ded914a65...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-11-04 02:20 EST by bug-zilla
Modified: 2013-12-09 18:04 EST (History)
13 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-12-09 18:04:54 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
File: type (9 bytes, text/plain)
2012-11-04 02:20 EST, bug-zilla
no flags Details
File: hashmarkername (14 bytes, text/plain)
2012-11-04 02:20 EST, bug-zilla
no flags Details

  None (edit)
Description bug-zilla 2012-11-04 02:20:50 EST
Additional info:
libreport version: 2.0.18
kernel:         3.6.5-2.fc18.x86_64

description:
:SELinux is preventing /usr/bin/python2.7 from using the 'execmem' accesses on a process.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If jeśli python2.7 powinno mieć domyślnie execmem dostęp do procesów z etykietami blueman_t.
:Then proszę to zgłosić jako błąd.
:Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
:Do
:można tymczasowo zezwolić na ten dostęp wykonując polecenia:
:# grep blueman-mechani /var/log/audit/audit.log | audit2allow -M mojapolityka
:# semodule -i mojapolityka.pp
:
:Additional Information:
:Source Context                system_u:system_r:blueman_t:s0-s0:c0.c1023
:Target Context                system_u:system_r:blueman_t:s0-s0:c0.c1023
:Target Objects                 [ process ]
:Source                        blueman-mechani
:Source Path                   /usr/bin/python2.7
:Port                          <Nieznane>
:Host                          (removed)
:Source RPM Packages           python-2.7.3-13.fc18.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.11.1-46.fc18.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.5-2.fc18.x86_64 #1 SMP Thu Nov
:                              1 00:39:17 UTC 2012 x86_64 x86_64
:Alert Count                   8
:First Seen                    2012-11-03 15:38:25 CET
:Last Seen                     2012-11-04 08:14:44 CET
:Local ID                      38d70e7f-fafe-4013-90d3-4395960bdd53
:
:Raw Audit Messages
:type=AVC msg=audit(1352013284.522:72): avc:  denied  { execmem } for  pid=1304 comm="blueman-mechani" scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tclass=process
:
:
:type=SYSCALL msg=audit(1352013284.522:72): arch=x86_64 syscall=mmap success=no exit=EACCES a0=7fa62731d000 a1=3d000 a2=7 a3=812 items=0 ppid=1303 pid=1304 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=blueman-mechani exe=/usr/bin/python2.7 subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)
:
:Hash: blueman-mechani,blueman_t,blueman_t,process,execmem
:
:audit2allow
:
:#============= blueman_t ==============
:allow blueman_t self:process execmem;
:
:audit2allow -R
:
:#============= blueman_t ==============
:allow blueman_t self:process execmem;
:
Comment 1 bug-zilla 2012-11-04 02:20:54 EST
Created attachment 637905 [details]
File: type
Comment 2 bug-zilla 2012-11-04 02:20:56 EST
Created attachment 637906 [details]
File: hashmarkername
Comment 3 Miroslav Grepl 2012-11-05 05:56:25 EST
blueman should not required this access.

http://www.akkadia.org/drepper/selinux-mem.html

Or does it relate with Java?
Comment 4 Daniel Walsh 2013-01-08 09:07:58 EST
Is blueman-mechanism using ctypes?  to call into cfunctions.
Comment 5 Dave Malcolm 2013-01-08 11:02:13 EST
A grep for "ctypes" in blueman's source tree shows that:
  blueman-1.23/blueman/main/PulseAudioUtils.py
uses ctypes throughout to "manually" wrap pulseaudio:

   libpulse = CDLL("libpulse.so.0")
   libpulse_glib = CDLL("libpulse-mainloop-glib.so.0")

etc.

In particular, there are a few places that use callbacks: it's the mechanism that for passing a Python function to a C function expecting a C callback that triggers the need for execmem iirc.
Comment 6 Daniel Walsh 2013-01-08 17:14:30 EST
Ok just checked in a fix into the master.  Miroslav will back port into Fedora 18.
Comment 7 Miroslav Grepl 2013-01-10 08:51:29 EST
Added.
Comment 8 joshua 2013-01-17 08:39:07 EST
Did nothing manually... this appears to be a problem with the defaults of the package

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 9 Guillaume Poirier-Morency 2013-01-18 00:49:21 EST
I have actived enforces SELinux policies. Maybe blueman has a bug? Or it really should access audit logs.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 10 Daniel Walsh 2013-01-18 10:55:29 EST
Well this is a bug in selinux-policy, since blueman uses ctypes python module, and this python module requires execmem to work.  I guess you could argue that blueman should work to build native bindings to the C Functions they are trying to use.
Comment 11 Juan Manuel Rodriguez 2013-12-09 18:04:54 EST
Hi. I'm closing this bug as Blueman has been retired from Fedora.

Note You need to log in before you can comment on or make changes to this bug.