Additional info:
libreport version: 2.0.18
kernel: 3.6.5-2.fc18.x86_64

description:
:SELinux is preventing /usr/bin/python2.7 from using the 'execmem' accesses on a process.
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If jeśli python2.7 powinno mieć domyślnie execmem dostęp do procesów z etykietami blueman_t.
:Then proszę to zgłosić jako błąd.
:Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
:Do
:można tymczasowo zezwolić na ten dostęp wykonując polecenia:
:# grep blueman-mechani /var/log/audit/audit.log | audit2allow -M mojapolityka
:# semodule -i mojapolityka.pp
:
:Additional Information:
:Source Context system_u:system_r:blueman_t:s0-s0:c0.c1023
:Target Context system_u:system_r:blueman_t:s0-s0:c0.c1023
:Target Objects [ process ]
:Source blueman-mechani
:Source Path /usr/bin/python2.7
:Port <Nieznane>
:Host (removed)
:Source RPM Packages python-2.7.3-13.fc18.x86_64
:Target RPM Packages
:Policy RPM selinux-policy-3.11.1-46.fc18.noarch
:Selinux Enabled True
:Policy Type targeted
:Enforcing Mode Enforcing
:Host Name (removed)
:Platform Linux (removed) 3.6.5-2.fc18.x86_64 #1 SMP Thu Nov
: 1 00:39:17 UTC 2012 x86_64 x86_64
:Alert Count 8
:First Seen 2012-11-03 15:38:25 CET
:Last Seen 2012-11-04 08:14:44 CET
:Local ID 38d70e7f-fafe-4013-90d3-4395960bdd53
:
:Raw Audit Messages
:type=AVC msg=audit(1352013284.522:72): avc: denied { execmem } for pid=1304 comm="blueman-mechani" scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tclass=process
:
:
:type=SYSCALL msg=audit(1352013284.522:72): arch=x86_64 syscall=mmap success=no exit=EACCES a0=7fa62731d000 a1=3d000 a2=7 a3=812 items=0 ppid=1303 pid=1304 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=blueman-mechani exe=/usr/bin/python2.7 subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)
:
:Hash: blueman-mechani,blueman_t,blueman_t,process,execmem
:
:audit2allow
:
:#============= blueman_t ==============
:allow blueman_t self:process execmem;
:
:audit2allow -R
:
:#============= blueman_t ==============
:allow blueman_t self:process execmem;
:
Created attachment 637905 File: type
Created attachment 637906 File: hashmarkername
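Added example, not part of the original report and not code from blueman or setroubleshoot: a small Python triage helper that pairs the AVC and SYSCALL records quoted in the report by audit event id and decodes the mmap arguments (a1 length, a2 protection, a3 flags). It assumes a0-a3 are hexadecimal, as raw audit records log them, and uses the Linux x86_64 constant values; the function and variable names are hypothetical.

```python
import re

# Linux x86_64 values. MAP_SHARED/MAP_PRIVATE are treated as plain bits here.
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
       0x20: "MAP_ANONYMOUS", 0x800: "MAP_DENYWRITE"}

# The two records from the report above (SYSCALL record trimmed to the fields used).
RECORDS = [
    'type=AVC msg=audit(1352013284.522:72): avc: denied { execmem } for pid=1304 comm="blueman-mechani" scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tclass=process',
    'type=SYSCALL msg=audit(1352013284.522:72): arch=x86_64 syscall=mmap success=no exit=EACCES a0=7fa62731d000 a1=3d000 a2=7 a3=812 items=0 ppid=1303 pid=1304 comm=blueman-mechani exe=/usr/bin/python2.7',
]

def fields(record):
    """Split one audit record into (event_id, {key: value})."""
    event_id = re.search(r"msg=audit\(([\d.]+:\d+)\)", record).group(1)
    return event_id, dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))

def names(value, table):
    """Names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]

def triage(records):
    """Pair each execmem AVC with the mmap SYSCALL record of the same event."""
    events = {}
    for rec in records:
        event_id, kv = fields(rec)
        events.setdefault(event_id, {})[kv["type"]] = (rec, kv)
    findings = []
    for event_id, ev in events.items():
        if "AVC" not in ev or "SYSCALL" not in ev:
            continue  # need both halves of the event to say anything
        perms = re.search(r"\{([^}]*)\}", ev["AVC"][0]).group(1).split()
        sc = ev["SYSCALL"][1]
        if "execmem" not in perms or sc.get("syscall") != "mmap":
            continue
        prot, flags = int(sc["a2"], 16), int(sc["a3"], 16)
        findings.append({
            "event": event_id, "exe": sc["exe"], "length": int(sc["a1"], 16),
            "prot": names(prot, PROT), "flags": names(flags, MAP),
            "writable_and_executable": prot & 0x6 == 0x6,
            "anonymous": bool(flags & 0x20),
        })
    return findings

if __name__ == "__main__":
    for finding in triage(RECORDS):
        print(finding)
```

Feeding it the output of a grep for the process name in /var/log/audit/audit.log shows, per denial, whether the request was for a writable and executable mapping and whether it was anonymous or file-backed, before anyone reaches for audit2allow.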
blueman should not require this access. http://www.akkadia.org/drepper/selinux-mem.html Or does it relate to Java?
Is blueman-mechanism using ctypes to call into C functions?
A grep for "ctypes" in blueman's source tree shows that: blueman-1.23/blueman/main/PulseAudioUtils.py uses ctypes throughout to "manually" wrap pulseaudio:
  libpulse = CDLL("libpulse.so.0")
  libpulse_glib = CDLL("libpulse-mainloop-glib.so.0")
etc. In particular, there are a few places that use callbacks: it's the mechanism for passing a Python function to a C function expecting a C callback that triggers the need for execmem iirc.
Ok just checked in a fix into the master. Miroslav will back port into Fedora 18.
Added.
Did nothing manually... this appears to be a problem with the defaults of the package Package: (null) OS Release: Fedora release 18 (Spherical Cow)
I have activated enforcing SELinux policies. Maybe blueman has a bug? Or it really should access audit logs. Package: (null) OS Release: Fedora release 18 (Spherical Cow)
Well this is a bug in selinux-policy, since blueman uses ctypes python module, and this python module requires execmem to work. I guess you could argue that blueman should work to build native bindings to the C Functions they are trying to use.
Hi. I'm closing this bug as Blueman has been retired from Fedora.