New submission from Nick Levinson: Suddenly, SELinux in my Fedora 20 Linux laptop is reporting many problems with /usr/bin/python2.7 and I don't know if there's a bug in python2.7 or if something else is going on. File/s or directory/ies on which writes were attempted were on unspecified file/s or directory/ies. Thirteen alerts occurred within the same minute soon after a cold boot, although I at first thought it was only one alert until I clicked buttons. Each alert apparently represents multiple alert-worthy events. Following are the data reported by SELinux, separated by rows of equals signs.
===== Occurred "12" & later occurred "7" (I assume 12 and 7 times, respectively, unless the numbers mean something else): =====

SELinux is preventing /usr/bin/python2.7 from using the dac_override capability.

***** Plugin dac_override (91.4 confidence) suggests **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do
Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it, otherwise report as a bugzilla.

***** Plugin catchall (9.59 confidence) suggests **************************

If you believe that python2.7 should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Context                system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Objects                [ capability ]
Source                        python
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7.5-16.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-197.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.19.8-100.fc20.x86_64 #1 SMP Tue May 12 17:08:50 UTC 2015 x86_64 x86_64
Alert Count                   12
First Seen                    2015-06-28 11:16:53 EDT
Last Seen                     2015-06-28 17:04:49 EDT
Local ID                      146e4bfb-abdf-44a1-86da-3b538f53fac8

Raw Audit Messages
type=AVC msg=audit(1435525489.77:442): avc: denied { dac_override } for pid=2232 comm="python" capability=1 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tclass=capability permissive=0

type=SYSCALL msg=audit(1435525489.77:442): arch=x86_64 syscall=access success=no exit=EACCES a0=7ffcd4229aba a1=2 a2=0 a3=79 items=0 ppid=2231 pid=2232 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=python exe=/usr/bin/python2.7 subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)

Hash: python,blueman_t,blueman_t,capability,dac_override

===== Occurred "7": =====

SELinux is preventing /usr/bin/python2.7 from execute access on the file .

***** Plugin catchall (100. confidence) suggests **************************

If you believe that python2.7 should be allowed execute access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Context                system_u:object_r:blueman_var_run_t:s0
Target Objects                [ file ]
Source                        python
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7.5-16.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-197.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.19.8-100.fc20.x86_64 #1 SMP Tue May 12 17:08:50 UTC 2015 x86_64 x86_64
Alert Count                   7
First Seen                    2015-06-28 11:16:53 EDT
Last Seen                     2015-06-28 17:04:49 EDT
Local ID                      76953ff5-42e6-4c2b-a057-cd59b586dd12

Raw Audit Messages
type=AVC msg=audit(1435525489.78:445): avc: denied { execute } for pid=2232 comm="python" path=2F72756E2F66666971584B4A3755202864656C6574656429 dev="tmpfs" ino=32567 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:object_r:blueman_var_run_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1435525489.78:445): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=1000 a2=5 a3=1 items=0 ppid=2231 pid=2232 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=python exe=/usr/bin/python2.7 subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)

Hash: python,blueman_t,blueman_var_run_t,file,execute

===== Occurred "7": =====

SELinux is preventing /usr/bin/python2.7 from write access on the directory .

***** Plugin setenforce (91.4 confidence) suggests ************************

If you believe /usr/bin/python2.7 tried to disable SELinux.
Then you may be under attack by a hacker, since confined applications should never need this access.
Do
contact your security administrator and report this issue.

***** Plugin catchall (9.59 confidence) suggests **************************

If you believe that python2.7 should be allowed write access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Context                system_u:object_r:security_t:s0
Target Objects                [ dir ]
Source                        python
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7.5-16.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-197.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.19.8-100.fc20.x86_64 #1 SMP Tue May 12 17:08:50 UTC 2015 x86_64 x86_64
Alert Count                   7
First Seen                    2015-06-28 11:16:53 EDT
Last Seen                     2015-06-28 17:04:49 EDT
Local ID                      09c40fd9-63ae-4dcb-8ff7-e7e496102bde

Raw Audit Messages
type=AVC msg=audit(1435525489.79:448): avc: denied { write } for pid=2232 comm="python" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir permissive=0

type=SYSCALL msg=audit(1435525489.79:448): arch=x86_64 syscall=access success=no exit=EACCES a0=7ffcd4229aba a1=2 a2=0 a3=0 items=0 ppid=2231 pid=2232 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=python exe=/usr/bin/python2.7 subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)

Hash: python,blueman_t,security_t,dir,write

===== Occurred "8" and, if that's a count of occurrences, 69 more times (77 total): =====

SELinux is preventing /usr/bin/python2.7 from write access on the directory .

***** Plugin catchall (100. confidence) suggests **************************

If you believe that python2.7 should be allowed write access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Context                system_u:object_r:debugfs_t:s0
Target Objects                [ dir ]
Source                        python
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7.5-16.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-197.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.19.8-100.fc20.x86_64 #1 SMP Tue May 12 17:08:50 UTC 2015 x86_64 x86_64
Alert Count                   8
First Seen                    2015-06-28 11:16:53 EDT
Last Seen                     2015-06-28 17:04:49 EDT
Local ID                      afd472d0-9c1a-4b15-bd94-3eaefd0382d4

Raw Audit Messages
type=AVC msg=audit(1435525489.80:451): avc: denied { write } for pid=2232 comm="python" name="/" dev="debugfs" ino=1 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0

type=SYSCALL msg=audit(1435525489.80:451): arch=x86_64 syscall=access success=no exit=EACCES a0=7ffcd4229ab8 a1=2 a2=0 a3=0 items=0 ppid=2231 pid=2232 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=python exe=/usr/bin/python2.7 subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)

Hash: python,blueman_t,debugfs_t,dir,write

=====

----------
messages: 245975
nosy: Nick
priority: normal
severity: normal
status: open
title: SELinux reporting writes, executes, and dac_overwrites
type: security
versions: Python 2.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue24535>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
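The setroubleshoot "catchall" advice quoted in every alert above (grep the audit log, pipe it through audit2allow, install the module) turns each denial into a permanent allow rule without looking at what was denied. The block below is an added example, not code from the bug report, from setroubleshoot or from the Python project: it parses the raw AVC/SYSCALL records exactly as they appear in the report, decodes the hex-encoded path that setroubleshoot rendered as an empty file name, reconstructs the allow rule audit2allow would emit for each denial, and ranks them. The risk classification (which permission/target pairs should never be granted by a blanket local module) is this example's own assumption, not anything the report or setroubleshoot states.

```python
"""Parse and triage SELinux AVC denials before running audit2allow.

Added example, not part of the original bug report or of setroubleshoot.
AUDIT_LINES are copied from the report; the risk rules are an assumption
made for illustration.
"""
import re
from collections import defaultdict

# Raw audit records copied from the report above.  AVC and SYSCALL records
# of one event share the serial in msg=audit(<timestamp>:<serial>).
AUDIT_LINES = [
    'type=AVC msg=audit(1435525489.77:442): avc: denied { dac_override } for pid=2232 comm="python" capability=1 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tclass=capability permissive=0',
    'type=SYSCALL msg=audit(1435525489.77:442): arch=x86_64 syscall=access success=no exit=EACCES a0=7ffcd4229aba a1=2 a2=0 a3=79 items=0 ppid=2231 pid=2232 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=python exe=/usr/bin/python2.7 subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)',
    'type=AVC msg=audit(1435525489.78:445): avc: denied { execute } for pid=2232 comm="python" path=2F72756E2F66666971584B4A3755202864656C6574656429 dev="tmpfs" ino=32567 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:object_r:blueman_var_run_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1435525489.78:445): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=1000 a2=5 a3=1 items=0 ppid=2231 pid=2232 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=python exe=/usr/bin/python2.7 subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)',
    'type=AVC msg=audit(1435525489.79:448): avc: denied { write } for pid=2232 comm="python" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1435525489.80:451): avc: denied { write } for pid=2232 comm="python" name="/" dev="debugfs" ino=1 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0',
]

MSG_RE = re.compile(r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)')
PERM_RE = re.compile(r'\{ (?P<perms>[^}]+) \}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# String fields that the kernel audit code hex-encodes (and prints unquoted)
# when the value contains a space, a quote or a control character.
STRING_FIELDS = {'name', 'path', 'comm', 'exe', 'cwd', 'proctitle'}


def decode_field(raw):
    """Quoted values are literal; an unquoted even-length hex token is the
    audit hex encoding.  Bare non-hex tokens (setroubleshoot strips quotes
    in its rendering, as in the SYSCALL lines above) are returned as-is."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) >= 2 and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def type_of(context):
    """'system_u:object_r:security_t:s0' -> 'security_t'."""
    return context.split(':')[2]


def parse_audit(lines):
    """Group AVC and SYSCALL records by event serial."""
    events = defaultdict(lambda: {'avc': [], 'syscall': {}})
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = events[int(m.group('serial'))]
        f = {k: (decode_field(v) if k in STRING_FIELDS else v)
             for k, v in KV_RE.findall(line)}
        if f.get('type') == 'AVC':
            perms = PERM_RE.search(line)
            ev['avc'].append({
                'perms': perms.group('perms').split() if perms else [],
                'source': type_of(f['scontext']),
                'target_type': type_of(f['tcontext']),
                'tclass': f['tclass'],
                'target': f.get('path') or f.get('name', ''),
                'enforced': f.get('permissive') == '0',
            })
        elif f.get('type') == 'SYSCALL':
            ev['syscall'] = {'syscall': f.get('syscall'), 'exe': f.get('exe'),
                             'uid': f.get('uid')}
    return dict(events)


# Assumed classification: denials that a blanket audit2allow module would turn
# into real privilege.  dac_override lets a domain ignore file mode bits on
# every file; security_t is selinuxfs, where setenforce and boolean changes
# are written.
HIGH_RISK_PERMS = {('capability', 'dac_override'), ('capability', 'dac_read_search'),
                   ('capability', 'sys_admin'), ('capability', 'sys_module')}
HIGH_RISK_TYPES = {'security_t', 'shadow_t', 'selinux_config_t'}
WRITE_LIKE = {'write', 'append', 'create', 'unlink', 'setattr', 'add_name',
              'remove_name', 'rename'}
EXEC_LIKE = {'execute', 'execute_no_trans', 'execmod', 'execmem'}


def audit2allow_rule(avc, perm):
    """The allow rule audit2allow would generate for this denial."""
    target = 'self' if avc['target_type'] == avc['source'] else avc['target_type']
    return f"allow {avc['source']} {target}:{avc['tclass']} {perm};"


def triage(events):
    findings = []
    for serial in sorted(events):
        ev = events[serial]
        for avc in ev['avc']:
            for perm in avc['perms']:
                if (avc['tclass'], perm) in HIGH_RISK_PERMS:
                    risk, why = 'high', 'capability that bypasses the checks confining the domain'
                elif avc['target_type'] in HIGH_RISK_TYPES and perm in WRITE_LIKE:
                    risk, why = 'high', 'write to a security-critical type (selinuxfs/policy/shadow)'
                elif perm in EXEC_LIKE:
                    risk, why = 'medium', 'executable mapping; identify the file before allowing'
                else:
                    risk, why = 'review', 'check labels (restorecon -nv) before writing policy'
                findings.append({'serial': serial, 'risk': risk, 'why': why,
                                 'perm': perm, 'target': avc['target'],
                                 'syscall': ev['syscall'].get('syscall'),
                                 'rule': audit2allow_rule(avc, perm)})
    return findings


if __name__ == '__main__':
    for x in triage(parse_audit(AUDIT_LINES)):
        print(f"[{x['risk']:6}] serial={x['serial']} {x['rule']:50} "
              f"target={x['target']!r} syscall={x['syscall']} :: {x['why']}")
```

Running this shows why the report's alert text reads "execute access on the file ." with no file name: the kernel hex-encoded the path because it contains a space, and decoding it gives "/run/ffiqXKJ7U (deleted)", an unlinked tmpfs file being mmap'ed with PROT_EXEC (a2=5). The two findings the triage marks high are exactly the ones the installed rule would be hardest to justify: `allow blueman_t self:capability dac_override;` and `allow blueman_t security_t:dir write;`, the second of which is what the setenforce plugin is warning about. Those are the denials to take to the policy maintainers with the ausearch output, not to paper over with `semodule -i mypol.pp`.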