[New-bugs-announce] [issue24535] SELinux reporting writes, executes, and dac_overwrites

Nick Levinson report at bugs.python.org
Tue Jun 30 05:56:36 CEST 2015


New submission from Nick Levinson:

Suddenly, SELinux in my Fedora 20 Linux laptop is reporting many problems with /usr/bin/python2.7 and I don't know if there's a bug in python2.7 or if something else is going on. File/s or directory/ies on which writes were attempted were on unspecified file/s or directory/ies. Thirteen alerts occurred within the same minute soon after a cold boot, although I at first thought it was only one alert until I clicked buttons. Each alert apparently represents multiple alert-worthy events. Following are the data reported by SELinux, separated by rows of equals signs.

=====

Occurred "12" & later occurred "7" (I assume 12 and 7 times, respectively, unless the numbers mean something else):

=====

SELinux is preventing /usr/bin/python2.7 from using the dac_override capability.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it, 
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that python2.7 should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Context                system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Objects                 [ capability ]
Source                        python
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7.5-16.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-197.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.19.8-100.fc20.x86_64
                              #1 SMP Tue May 12 17:08:50 UTC 2015 x86_64 x86_64
Alert Count                   12
First Seen                    2015-06-28 11:16:53 EDT
Last Seen                     2015-06-28 17:04:49 EDT
Local ID                      146e4bfb-abdf-44a1-86da-3b538f53fac8

Raw Audit Messages
type=AVC msg=audit(1435525489.77:442): avc:  denied  { dac_override } for  pid=2232 comm="python" capability=1  scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tclass=capability permissive=0


type=SYSCALL msg=audit(1435525489.77:442): arch=x86_64 syscall=access success=no exit=EACCES a0=7ffcd4229aba a1=2 a2=0 a3=79 items=0 ppid=2231 pid=2232 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=python exe=/usr/bin/python2.7 subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)

Hash: python,blueman_t,blueman_t,capability,dac_override

=====

Occurred "7":

=====

SELinux is preventing /usr/bin/python2.7 from execute access on the file .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python2.7 should be allowed execute access on the  file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Context                system_u:object_r:blueman_var_run_t:s0
Target Objects                 [ file ]
Source                        python
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7.5-16.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-197.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.19.8-100.fc20.x86_64
                              #1 SMP Tue May 12 17:08:50 UTC 2015 x86_64 x86_64
Alert Count                   7
First Seen                    2015-06-28 11:16:53 EDT
Last Seen                     2015-06-28 17:04:49 EDT
Local ID                      76953ff5-42e6-4c2b-a057-cd59b586dd12

Raw Audit Messages
type=AVC msg=audit(1435525489.78:445): avc:  denied  { execute } for  pid=2232 comm="python" path=2F72756E2F66666971584B4A3755202864656C6574656429 dev="tmpfs" ino=32567 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:object_r:blueman_var_run_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1435525489.78:445): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=1000 a2=5 a3=1 items=0 ppid=2231 pid=2232 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=python exe=/usr/bin/python2.7 subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)

Hash: python,blueman_t,blueman_var_run_t,file,execute

=====

Occurred "7":

=====

SELinux is preventing /usr/bin/python2.7 from write access on the directory .

*****  Plugin setenforce (91.4 confidence) suggests   ************************

If you believe /usr/bin/python2.7 tried to disable SELinux.
Then you may be under attack by a hacker, since confined applications should never need this access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that python2.7 should be allowed write access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Context                system_u:object_r:security_t:s0
Target Objects                 [ dir ]
Source                        python
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7.5-16.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-197.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.19.8-100.fc20.x86_64
                              #1 SMP Tue May 12 17:08:50 UTC 2015 x86_64 x86_64
Alert Count                   7
First Seen                    2015-06-28 11:16:53 EDT
Last Seen                     2015-06-28 17:04:49 EDT
Local ID                      09c40fd9-63ae-4dcb-8ff7-e7e496102bde

Raw Audit Messages
type=AVC msg=audit(1435525489.79:448): avc:  denied  { write } for  pid=2232 comm="python" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1435525489.79:448): arch=x86_64 syscall=access success=no exit=EACCES a0=7ffcd4229aba a1=2 a2=0 a3=0 items=0 ppid=2231 pid=2232 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=python exe=/usr/bin/python2.7 subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)

Hash: python,blueman_t,security_t,dir,write

=====

Occurred "8" and, if that's a count of occurrences, 69 more times (77 total):

=====

SELinux is preventing /usr/bin/python2.7 from write access on the directory .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python2.7 should be allowed write access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:blueman_t:s0-s0:c0.c1023
Target Context                system_u:object_r:debugfs_t:s0
Target Objects                 [ dir ]
Source                        python
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7.5-16.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-197.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.19.8-100.fc20.x86_64
                              #1 SMP Tue May 12 17:08:50 UTC 2015 x86_64 x86_64
Alert Count                   8
First Seen                    2015-06-28 11:16:53 EDT
Last Seen                     2015-06-28 17:04:49 EDT
Local ID                      afd472d0-9c1a-4b15-bd94-3eaefd0382d4

Raw Audit Messages
type=AVC msg=audit(1435525489.80:451): avc:  denied  { write } for  pid=2232 comm="python" name="/" dev="debugfs" ino=1 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1435525489.80:451): arch=x86_64 syscall=access success=no exit=EACCES a0=7ffcd4229ab8 a1=2 a2=0 a3=0 items=0 ppid=2231 pid=2232 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=python exe=/usr/bin/python2.7 subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)

Hash: python,blueman_t,debugfs_t,dir,write

=====

----------
messages: 245975
nosy: Nick
priority: normal
severity: normal
status: open
title: SELinux reporting writes, executes, and dac_overwrites
type: security
versions: Python 2.7

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue24535>
_______________________________________
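The raw audit records quoted in the report carry more than sealert shows in its summary: the "execute" AVC has a hex-encoded path= field (the kernel hex-escapes a path that contains a space or unprintable byte), and each SYSCALL record carries the raw a0..a3 arguments, which say what the denied access() and mmap() calls actually asked for. The script below is an added example written for this page; it is not code from the original report, from CPython or from blueman. It feeds the four AVC/SYSCALL pairs from the report (copied verbatim as constructed sample input) through a small parser that pairs records by audit serial, hex-decodes escaped string fields, and renders the syscall arguments as symbolic flags using the x86_64 uapi constants (R_OK/W_OK/X_OK, PROT_*, MAP_*, and the capability numbers). The per-denial "hash" it produces is built the same way as sealert's Hash: line, so the output can be matched against the alerts above.

```python
import re

# Constructed sample input: the four AVC/SYSCALL record pairs quoted in the
# report above, copied verbatim (one record per line).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1435525489.77:442): avc:  denied  { dac_override } for  pid=2232 comm="python" capability=1  scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=SYSCALL msg=audit(1435525489.77:442): arch=x86_64 syscall=access success=no exit=EACCES a0=7ffcd4229aba a1=2 a2=0 a3=79 items=0 ppid=2231 pid=2232 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=python exe=/usr/bin/python2.7 subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1435525489.78:445): avc:  denied  { execute } for  pid=2232 comm="python" path=2F72756E2F66666971584B4A3755202864656C6574656429 dev="tmpfs" ino=32567 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:object_r:blueman_var_run_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1435525489.78:445): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=1000 a2=5 a3=1 items=0 ppid=2231 pid=2232 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=python exe=/usr/bin/python2.7 subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1435525489.79:448): avc:  denied  { write } for  pid=2232 comm="python" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1435525489.79:448): arch=x86_64 syscall=access success=no exit=EACCES a0=7ffcd4229aba a1=2 a2=0 a3=0 items=0 ppid=2231 pid=2232 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=python exe=/usr/bin/python2.7 subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1435525489.80:451): avc:  denied  { write } for  pid=2232 comm="python" name="/" dev="debugfs" ino=1 scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1435525489.80:451): arch=x86_64 syscall=access success=no exit=EACCES a0=7ffcd4229ab8 a1=2 a2=0 a3=0 items=0 ppid=2231 pid=2232 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=python exe=/usr/bin/python2.7 subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)
"""

SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
PERMS_RE = re.compile(r"\{ ([^}]*) \}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Fields whose value is a string the kernel may hex-escape. Plain strings are
# always double-quoted, so a bare run of hex digits in one of these fields is
# the escaped form and can be decoded safely.
STRING_FIELDS = {"path", "name", "comm", "exe", "cwd", "key"}

# Linux uapi constants (x86_64) used to decode the raw syscall arguments.
ACCESS_MODES = [(4, "R_OK"), (2, "W_OK"), (1, "X_OK")]
PROT_BITS = [(1, "PROT_READ"), (2, "PROT_WRITE"), (4, "PROT_EXEC")]
MAP_BITS = [(0x1, "MAP_SHARED"), (0x2, "MAP_PRIVATE"), (0x10, "MAP_FIXED"), (0x20, "MAP_ANONYMOUS")]
CAPABILITIES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER"}


def decode_value(field, raw):
    """Unquote a field value, or hex-decode it if the kernel escaped it."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if field in STRING_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line):
    """Split one audit record into a dict of decoded key=value fields."""
    rec = {k: decode_value(k, v) for k, v in FIELD_RE.findall(line)}
    ts, serial = SERIAL_RE.search(line).groups()
    rec["serial"] = int(serial)
    rec["time"] = float(ts)
    perms = PERMS_RE.search(line)
    if perms:
        rec["perms"] = perms.group(1).split()
    return rec


def flags(value, table):
    names = [name for bit, name in table if value & bit]
    return "|".join(names) or "0"


def describe_syscall(rec):
    """Render the raw a0..a3 of the syscalls seen in this report as flags."""
    name = rec["syscall"]
    a1, a2, a3 = (int(rec[k], 16) for k in ("a1", "a2", "a3"))
    if name == "access":
        return "access(mode=%s)" % flags(a1, ACCESS_MODES)  # a0 is the path pointer
    if name == "mmap":
        return "mmap(len=%#x, prot=%s, flags=%s)" % (a1, flags(a2, PROT_BITS), flags(a3, MAP_BITS))
    return name


def triage(audit_text):
    """Pair each AVC with its SYSCALL by audit serial and summarise the denial."""
    by_serial = {}
    for line in audit_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            by_serial.setdefault(rec["serial"], {})[rec["type"]] = rec
    out = []
    for serial in sorted(by_serial):
        avc = by_serial[serial].get("AVC")
        sc = by_serial[serial].get("SYSCALL")
        if avc is None:
            continue
        tclass = avc["tclass"]
        if tclass == "capability":
            target = CAPABILITIES.get(int(avc["capability"]), "cap %s" % avc["capability"])
        elif "path" in avc:
            target = avc["path"]
        else:
            target = "%s on %s ino=%s" % (avc.get("name"), avc.get("dev"), avc.get("ino"))
        # Same shape as sealert's "Hash:" line: comm, source type, target type, class, perm.
        stype = avc["scontext"].split(":")[2]
        ttype = avc["tcontext"].split(":")[2]
        out.append({
            "serial": serial,
            "hash": ",".join([avc["comm"], stype, ttype, tclass, avc["perms"][0]]),
            "target": target,
            "syscall": describe_syscall(sc) if sc else None,
        })
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_AUDIT):
        print("%d  %-50s %-28s %s" % (row["serial"], row["hash"], row["target"], row["syscall"]))
```

Run against the report's own records, the decoded path for serial 445 is "/run/ffiqXKJ7U (deleted)", an already-unlinked file on tmpfs that the process tried to mmap with PROT_READ|PROT_EXEC, MAP_SHARED, and the three other denials are access() calls asking for W_OK on the capability check and on the root directories of selinuxfs and debugfs. Two things follow for triage that the sealert summaries do not make obvious: every record has source context blueman_t, so the subject is a Python interpreter confined under blueman's domain, not an unconfined /usr/bin/python2.7; and the "ffi" prefix plus an executable mapping of an unlinked temporary file is the pattern libffi (which ctypes loads) uses when it sets up closure trampolines, which is my reading of the records rather than something the report states. Either way, piping these lines through audit2allow as the catchall plugin suggests would grant blueman_t write on security_t (selinuxfs) and execute on its own blueman_var_run_t files; pair the records by serial as above and look at the decoded target before deciding whether any of that belongs in a local policy module.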