New submission from Nick Levinson:
Suddenly, SELinux in my Fedora 20 Linux laptop is reporting many problems with
/usr/bin/python2.7 and I don't know if there's a bug in python2.7 or if
something else is going on. File/s or directory/ies on which writes were
attempted were on unspecified file/s or directory/ies. Thirteen alerts occurred
within the same minute soon after a cold boot, although I at first thought it
was only one alert until I clicked buttons. Each alert apparently represents
multiple alert-worthy events. Following are the data reported by SELinux,
separated by rows of equals signs.
=====
Occurred "12" & later occurred "7" (I assume 12 and 7 times, respectively,
unless the numbers mean something else):
=====
SELinux is preventing /usr/bin/python2.7 from using the dac_override capability.
***** Plugin dac_override (91.4 confidence) suggests **********************
If you want to help identify if domain needs this access or you have a file
with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and
generate the error again.
Do
Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.
***** Plugin catchall (9.59 confidence) suggests **************************
If you believe that python2.7 should have the dac_override capability by
default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Context system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Objects [ capability ]
Source python
Source Path /usr/bin/python2.7
Port <Unknown>
Host localhost.localdomain
Source RPM Packages python-2.7.5-16.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-197.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.19.8-100.fc20.x86_64
#1 SMP Tue May 12 17:08:50 UTC 2015 x86_64 x86_64
Alert Count 12
First Seen 2015-06-28 11:16:53 EDT
Last Seen 2015-06-28 17:04:49 EDT
Local ID 146e4bfb-abdf-44a1-86da-3b538f53fac8
Raw Audit Messages
type=AVC msg=audit(1435525489.77:442): avc: denied { dac_override } for
pid=2232 comm="python" capability=1
scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023
tcontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tclass=capability
permissive=0
type=SYSCALL msg=audit(1435525489.77:442): arch=x86_64 syscall=access
success=no exit=EACCES a0=7ffcd4229aba a1=2 a2=0 a3=79 items=0 ppid=2231
pid=2232 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm=python exe=/usr/bin/python2.7
subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)
Hash: python,blueman_t,blueman_t,capability,dac_override
=====
Occurred "7":
=====
SELinux is preventing /usr/bin/python2.7 from execute access on the file .
***** Plugin catchall (100. confidence) suggests **************************
If you believe that python2.7 should be allowed execute access on the file by
default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Context system_u:object_r:blueman_var_run_t:s0
Target Objects [ file ]
Source python
Source Path /usr/bin/python2.7
Port <Unknown>
Host localhost.localdomain
Source RPM Packages python-2.7.5-16.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-197.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.19.8-100.fc20.x86_64
#1 SMP Tue May 12 17:08:50 UTC 2015 x86_64 x86_64
Alert Count 7
First Seen 2015-06-28 11:16:53 EDT
Last Seen 2015-06-28 17:04:49 EDT
Local ID 76953ff5-42e6-4c2b-a057-cd59b586dd12
Raw Audit Messages
type=AVC msg=audit(1435525489.78:445): avc: denied { execute } for pid=2232
comm="python" path=2F72756E2F66666971584B4A3755202864656C6574656429 dev="tmpfs"
ino=32567 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023
tcontext=system_u:object_r:blueman_var_run_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1435525489.78:445): arch=x86_64 syscall=mmap success=no
exit=EACCES a0=0 a1=1000 a2=5 a3=1 items=0 ppid=2231 pid=2232 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm=python exe=/usr/bin/python2.7
subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)
Hash: python,blueman_t,blueman_var_run_t,file,execute
=====
Occurred "7":
=====
SELinux is preventing /usr/bin/python2.7 from write access on the directory .
***** Plugin setenforce (91.4 confidence) suggests ************************
If you believe /usr/bin/python2.7 tried to disable SELinux.
Then you may be under attack by a hacker, since confined applications should
never need this access.
Do
contact your security administrator and report this issue.
***** Plugin catchall (9.59 confidence) suggests **************************
If you believe that python2.7 should be allowed write access on the directory
by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Context system_u:object_r:security_t:s0
Target Objects [ dir ]
Source python
Source Path /usr/bin/python2.7
Port <Unknown>
Host localhost.localdomain
Source RPM Packages python-2.7.5-16.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-197.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.19.8-100.fc20.x86_64
#1 SMP Tue May 12 17:08:50 UTC 2015 x86_64 x86_64
Alert Count 7
First Seen 2015-06-28 11:16:53 EDT
Last Seen 2015-06-28 17:04:49 EDT
Local ID 09c40fd9-63ae-4dcb-8ff7-e7e496102bde
Raw Audit Messages
type=AVC msg=audit(1435525489.79:448): avc: denied { write } for pid=2232
comm="python" name="/" dev="selinuxfs" ino=1
scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023
tcontext=system_u:object_r:security_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1435525489.79:448): arch=x86_64 syscall=access
success=no exit=EACCES a0=7ffcd4229aba a1=2 a2=0 a3=0 items=0 ppid=2231
pid=2232 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm=python exe=/usr/bin/python2.7
subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)
Hash: python,blueman_t,security_t,dir,write
=====
Occurred "8" and, if that's a count of occurrences, 69 more times (77 total):
=====
SELinux is preventing /usr/bin/python2.7 from write access on the directory .
***** Plugin catchall (100. confidence) suggests **************************
If you believe that python2.7 should be allowed write access on the directory
by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Context system_u:object_r:debugfs_t:s0
Target Objects [ dir ]
Source python
Source Path /usr/bin/python2.7
Port <Unknown>
Host localhost.localdomain
Source RPM Packages python-2.7.5-16.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-197.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.19.8-100.fc20.x86_64
#1 SMP Tue May 12 17:08:50 UTC 2015 x86_64 x86_64
Alert Count 8
First Seen 2015-06-28 11:16:53 EDT
Last Seen 2015-06-28 17:04:49 EDT
Local ID afd472d0-9c1a-4b15-bd94-3eaefd0382d4
Raw Audit Messages
type=AVC msg=audit(1435525489.80:451): avc: denied { write } for pid=2232
comm="python" name="/" dev="debugfs" ino=1
scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023
tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1435525489.80:451): arch=x86_64 syscall=access
success=no exit=EACCES a0=7ffcd4229ab8 a1=2 a2=0 a3=0 items=0 ppid=2231
pid=2232 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm=python exe=/usr/bin/python2.7
subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)
Hash: python,blueman_t,debugfs_t,dir,write
=====
----------
messages: 245975
nosy: Nick
priority: normal
severity: normal
status: open
title: SELinux reporting writes, executes, and dac_overwrites
type: security
versions: Python 2.7
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue24535>
_______________________________________
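An added triage helper for the raw audit records quoted in the report (my own example code, not part of the bug report, of Python, or of Fedora's setroubleshoot). It pairs each AVC record with its SYSCALL record by audit serial number, decodes the hex-encoded path field (auditd hex-encodes any untrusted string that contains a space, a quote or a non-printable character, which is why the alert text reads "on the file ."), recomputes sealert's "Hash:" line from the contexts, and turns the raw syscall arguments into readable flags. The sample log is constructed from the report's own records re-joined one per line, with the SYSCALL records abridged to the fields used here; the decoding rules (auid 4294967295 is the unset audit uid, access() mode W_OK is 2, mmap prot 5 is PROT_READ|PROT_EXEC) are standard Linux audit and libc facts, not anything the report states.

```python
"""Triage helper for raw SELinux AVC/SYSCALL audit records.

Added example, not code from the bug report or from Python/Fedora.
"""
import re
from collections import defaultdict

# Constructed sample: the records quoted in the report, one per line; the
# SYSCALL records are abridged to the fields this script looks at.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1435525489.77:442): avc: denied { dac_override } for pid=2232 comm="python" capability=1 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=SYSCALL msg=audit(1435525489.77:442): arch=x86_64 syscall=access success=no exit=EACCES a0=7ffcd4229aba a1=2 a2=0 a3=79 items=0 ppid=2231 pid=2232 auid=4294967295 uid=0 comm=python exe=/usr/bin/python2.7
type=AVC msg=audit(1435525489.78:445): avc: denied { execute } for pid=2232 comm="python" path=2F72756E2F66666971584B4A3755202864656C6574656429 dev="tmpfs" ino=32567 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:object_r:blueman_var_run_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1435525489.78:445): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=1000 a2=5 a3=1 items=0 ppid=2231 pid=2232 auid=4294967295 uid=0 comm=python exe=/usr/bin/python2.7
type=AVC msg=audit(1435525489.79:448): avc: denied { write } for pid=2232 comm="python" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1435525489.79:448): arch=x86_64 syscall=access success=no exit=EACCES a0=7ffcd4229aba a1=2 a2=0 a3=0 items=0 ppid=2231 pid=2232 auid=4294967295 uid=0 comm=python exe=/usr/bin/python2.7
"""

MSG_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'[0-9A-Fa-f]+')
AUID_UNSET = 0xFFFFFFFF   # auditd writes (uid_t)-1 when no login session set an audit uid
ACCESS_MODES = {4: 'R_OK', 2: 'W_OK', 1: 'X_OK'}        # access(2) mode bits
MMAP_PROT = {1: 'PROT_READ', 2: 'PROT_WRITE', 4: 'PROT_EXEC'}  # mmap(2) prot bits


def decode_value(key, raw):
    """Audit quotes plain strings; strings containing spaces, quotes or
    non-printables are written as a bare hex string instead."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in ('path', 'name', 'comm', 'exe') and len(raw) % 2 == 0 and HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def parse_line(line):
    """Parse one audit record into a dict; returns None for lines that are not records."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    rec = {'type': m.group('type'), 'serial': int(m.group('serial')), 'ts': float(m.group('ts'))}
    body = m.group('body')
    if rec['type'] == 'AVC':
        a = AVC_RE.search(body)
        if not a:
            return None
        rec['result'] = a.group('result')
        rec['perms'] = a.group('perms').split()
        body = a.group('rest')
    rec.update({k: decode_value(k, v) for k, v in KV_RE.findall(body)})
    return rec


def context_type(ctx):
    """The type is the third field of an SELinux context (user:role:type[:range])."""
    return ctx.split(':')[2]


def describe_syscall(sc):
    """Render the raw hex syscall arguments of the two syscalls seen here as flag names."""
    if sc is None:
        return 'no SYSCALL record'
    name = sc.get('syscall')
    if name == 'access':
        mode = int(sc['a1'], 16)
        flags = [n for bit, n in ACCESS_MODES.items() if mode & bit] or ['F_OK']
        return 'access(..., %s)' % '|'.join(flags)
    if name == 'mmap':
        prot = int(sc['a2'], 16)
        return 'mmap(..., prot=%s)' % '|'.join(n for bit, n in MMAP_PROT.items() if prot & bit)
    return name or '?'


def triage(log_text):
    """Group records by audit serial and return one summary dict per denied AVC."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events[rec['serial']][rec['type']] = rec
    out = []
    for serial in sorted(events):
        avc, sc = events[serial].get('AVC'), events[serial].get('SYSCALL')
        if not avc or avc['result'] != 'denied':
            continue
        # Same five fields sealert joins into its "Hash:" line.
        hash_line = ','.join([avc['comm'], context_type(avc['scontext']),
                              context_type(avc['tcontext']), avc['tclass'], avc['perms'][0]])
        out.append({
            'serial': serial,
            'hash': hash_line,
            'object': avc.get('path') or avc.get('name') or '<%s>' % avc['tclass'],
            'dev': avc.get('dev'),
            'enforced': avc.get('permissive') == '0',
            'syscall': describe_syscall(sc),
            'login_session': sc is not None and int(sc['auid']) != AUID_UNSET,
        })
    return out


if __name__ == '__main__':
    for event in triage(SAMPLE_AUDIT_LOG):
        print(event)
```

Run against the sample, the three denials come out with the same hash lines the alerts show, the empty file name in the second alert decodes to /run/ffiqXKJ7U (deleted) on tmpfs, the mmap was requested with PROT_READ|PROT_EXEC, and both access() denials are W_OK probes (a1=2), i.e. the process asked whether it could write, it did not write. That distinction, plus permissive=0 and the unset auid (a system service, not a login session), is what the alert's "fix the file's permissions or report as a bug" branch turns on; with a real /var/log/audit/audit.log, feed the file's text to triage() instead of the sample.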
_______________________________________________
Python-bugs-list mailing list