[issue24535] SELinux reporting writes, executes, and dac_overwrites

2015-06-30 Thread Nick Levinson

Nick Levinson added the comment:

Thank you. I didn't know enough to understand the relevance of blueman.

--

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue24535
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue24535] SELinux reporting writes, executes, and dac_overwrites

2015-06-29 Thread Ned Deily

Ned Deily added the comment:

This is not a Python problem; note in particular the blueman references in the 
messages. A quick web search suggests there is a conflict between blueman 
and SELinux security policies that needs to be resolved; see, for example, 
https://bugzilla.redhat.com/show_bug.cgi?id=1198272, which suggests the problem 
has been fixed in Fedora 21.

--
nosy: +ned.deily
resolution:  -> third party
stage:  -> resolved
status: open -> closed

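Added example, not part of the original thread or of any project's code: a small parser that pulls the SELinux source and target types out of AVC records like those in the report, showing that the denied domain is blueman_t and that python is only the interpreter running inside it. The second sample record is constructed from the execute alert's context fields, and the function names are illustrative.

```python
import re
from collections import Counter

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:\d+\): avc: denied "
                    r"\{ (?P<perms>[^}]+) \} for (?P<rest>.*)")

def selinux_type(context):
    # user:role:type:level -- the MLS level may itself contain ':' (s0-s0:c0.c1023)
    return context.split(":", 3)[2]

def parse_avc(line):
    """Return the triage-relevant fields of one AVC denial, or None."""
    m = AVC_RE.search(" ".join(line.split()))  # collapse runs of spaces
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    return {
        "comm": fields.get("comm", "").strip('"'),
        "source_type": selinux_type(fields["scontext"]),
        "target_type": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "perms": m["perms"].split(),
    }

def alert_key(rec):
    # Same field order as the "Hash:" line in the report
    return ",".join([rec["comm"], rec["source_type"], rec["target_type"],
                     rec["tclass"], *rec["perms"]])

def summarize(lines):
    """Count denials per (command, source type, target type, class, permission)."""
    return Counter(alert_key(r) for r in map(parse_avc, lines) if r)

SAMPLE = [
    # Raw record from the report, mail line wraps joined
    "type=AVC msg=audit(1435525489.77:442): avc:  denied  { dac_override } for  pid=2232 "
    "comm=python capability=1  scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tclass=capability permissive=0",
    # Constructed: only contexts, class and permission come from the execute alert
    "type=AVC msg=audit(1435525489.80:443): avc:  denied  { execute } for  "
    "pid=2232 comm=python scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:blueman_var_run_t:s0 tclass=file permissive=0",
    # SYSCALL companion record (shortened): not an AVC, so it is skipped
    "type=SYSCALL msg=audit(1435525489.77:442): arch=x86_64 syscall=access",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Grouping on the source type rather than on `comm` or `exe` is what separates a policy problem in one confined service from a problem in the interpreter itself.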



[issue24535] SELinux reporting writes, executes, and dac_overwrites

2015-06-29 Thread Nick Levinson

New submission from Nick Levinson:

Suddenly, SELinux in my Fedora 20 Linux laptop is reporting many problems with 
/usr/bin/python2.7 and I don't know if there's a bug in python2.7 or if 
something else is going on. File/s or directory/ies on which writes were 
attempted were on unspecified file/s or directory/ies. Thirteen alerts occurred 
within the same minute soon after a cold boot, although I at first thought it 
was only one alert until I clicked buttons. Each alert apparently represents 
multiple alert-worthy events. Following are the data reported by SELinux, 
separated by rows of equals signs.

=

Occurred 12 and later occurred 7 (I assume 12 and 7 times, respectively, 
unless the numbers mean something else):

=

SELinux is preventing /usr/bin/python2.7 from using the dac_override capability.

*  Plugin dac_override (91.4 confidence) suggests   **

If you want to help identify if domain needs this access or you have a file 
with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and 
generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it, 
otherwise report as a bugzilla.

*  Plugin catchall (9.59 confidence) suggests   **

If you believe that python2.7 should have the dac_override capability by 
default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Context                system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Objects                [ capability ]
Source                        python
Source Path                   /usr/bin/python2.7
Port                          Unknown
Host                          localhost.localdomain
Source RPM Packages           python-2.7.5-16.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-197.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.19.8-100.fc20.x86_64
                              #1 SMP Tue May 12 17:08:50 UTC 2015 x86_64 x86_64
Alert Count                   12
First Seen                    2015-06-28 11:16:53 EDT
Last Seen                     2015-06-28 17:04:49 EDT
Local ID                      146e4bfb-abdf-44a1-86da-3b538f53fac8

Raw Audit Messages
type=AVC msg=audit(1435525489.77:442): avc:  denied  { dac_override } for  
pid=2232 comm=python capability=1  
scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tclass=capability 
permissive=0


type=SYSCALL msg=audit(1435525489.77:442): arch=x86_64 syscall=access 
success=no exit=EACCES a0=7ffcd4229aba a1=2 a2=0 a3=79 items=0 ppid=2231 
pid=2232 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=(none) ses=4294967295 comm=python exe=/usr/bin/python2.7 
subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)

Hash: python,blueman_t,blueman_t,capability,dac_override

=

Occurred 7:

=

SELinux is preventing /usr/bin/python2.7 from execute access on the file .

*  Plugin catchall (100. confidence) suggests   **

If you believe that python2.7 should be allowed execute access on the  file by 
default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Context                system_u:object_r:blueman_var_run_t:s0
Target Objects                [ file ]
Source                        python
Source Path                   /usr/bin/python2.7
Port                          Unknown
Host                          localhost.localdomain
Source RPM Packages           python-2.7.5-16.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-197.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.19.8-100.fc20.x86_64
                              #1 SMP Tue May 12 17:08:50 UTC 2015 x86_64 x86_64
Alert Count                   7
First Seen                    2015-06-28 11:16:53 EDT
Last Seen                     2015-06-28