SELinux is preventing pyzor from getattr access on the file /usr/bin/rpm

Tom Rivers tom at impact-crater.com
Mon Aug 31 18:28:52 UTC 2015 

Hello!

I have posted information regarding the error message I'm seeing at 
Github.com in the Pyzor forum located here:

https://github.com/SpamExperts/pyzor/issues/41#issuecomment-135539930

Basically, I was looking at the output of "journalctl -f" on my Fedora 
21 system while trying to fine tune SpamAssassin the other day and found 
the following:


Aug 27 09:33:16 impact-crater.com spamd[20895]: spamd: processing 
message <20150827133258.6E19C61B70D1 at bastion01.phx2.fedoraproject.org> 
for sa-milt:986
Aug 27 09:33:17 impact-crater.com python[22066]: detected unhandled 
Python exception in '/usr/bin/pyzor'
Aug 27 09:33:17 impact-crater.com setroubleshoot[7528]: SELinux is 
preventing pyzor from getattr access on the file /usr/bin/rpm. For 
complete SELinux messages. run sealert -l 
09532028-c2c0-472e-b39f-c52ef00c5dc6
Aug 27 09:33:17 impact-crater.com python[7528]: SELinux is preventing 
pyzor from getattr access on the file /usr/bin/rpm.


Running the sealert command referenced above yields the following:


SELinux is preventing pyzor from getattr access on the file /usr/bin/rpm.

*****  Plugin catchall (100. confidence) suggests 
**************************

If you believe that pyzor should be allowed getattr access on the rpm 
file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep pyzor /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:spamc_t:s0
Target Context system_u:object_r:rpm_exec_t:s0
Target Objects                /usr/bin/rpm [ file ]
Source                        pyzor
Source Path                   pyzor
Port                          <Unknown>
Host                          impact-crater.com
Source RPM Packages
Target RPM Packages           rpm-4.12.0.1-7.fc21.x86_64
Policy RPM selinux-policy-3.13.1-105.20.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     impact-crater.com
Platform                      Linux impact-crater.com 
4.1.5-100.fc21.x86_64 #1
                               SMP Tue Aug 11 00:24:23 UTC 2015 x86_64 
x86_64
Alert Count                   33
First Seen                    2015-08-27 08:35:55 EDT
Last Seen                     2015-08-27 09:36:08 EDT
Local ID 09532028-c2c0-472e-b39f-c52ef00c5dc6

Raw Audit Messages
type=AVC msg=audit(1440682568.916:5869): avc:  denied  { getattr } for  
pid=22308 comm="pyzor" path="/usr/bin/rpm" dev="dm-1" ino=1977835 
scontext=system_u:system_r:spamc_t:s0 
tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0

Hash: pyzor,spamc_t,rpm_exec_t,file,getattr


Here is some relevant system info with respect to the system in question:


kernel-4.1.5-100.fc21.x86_64
pyzor-0.5.0-10.fc21.noarch
Python 2.7.8 (default, Apr 15 2015, 09:26:43)
[GCC 4.9.2 20150212 (Red Hat 4.9.2-6)] on linux2


One of the guys at Github who initially responded indicated that, 
"There's nothing in Pyzor that would try to access /usr/bin/rpm."  
Evidently SELinux is upset at something so I figured it would be a good 
idea to also post on this list to see if anyone here knows anything I 
can do to help identify what's happening.

Thanks!


Tom

More information about the selinux mailing list