Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 2027044 - SELinux is preventing blueman-mechani from 'read' accesses on the directory site-packages.
Summary: SELinux is preventing blueman-mechani from 'read' accesses on the directory s...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 36
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Milos Malik
QA Contact: Milos Malik
URL:
Whiteboard: abrt_hash:c23012ee74831add72f20947416...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-11-27 11:21 UTC by Naadir Jeewa
Modified: 2023-10-24 13:41 UTC (History)
10 users (show)

Fixed In Version: selinux-policy-36.15-1.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-09-22 01:17:11 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 1372 0 None open blueman-mechanism can read ~/.local/lib/python*/site-packages directory 2022-09-07 08:16:20 UTC

Description Naadir Jeewa 2021-11-27 11:21:06 UTC
Description of problem:
SELinux is preventing blueman-mechani from 'read' accesses on the directory site-packages.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that blueman-mechani should be allowed read access on the site-packages directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'blueman-mechani' --raw | audit2allow -M my-bluemanmechani
# semodule -X 300 -i my-bluemanmechani.pp

Additional Information:
Source Context                system_u:system_r:blueman_t:s0
Target Context                unconfined_u:object_r:gconf_home_t:s0
Target Objects                site-packages [ dir ]
Source                        blueman-mechani
Source Path                   blueman-mechani
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-35.5-1.fc35.noarch
Local Policy RPM              selinux-policy-targeted-35.5-1.fc35.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.14.18-300.fc35.x86_64 #1 SMP Fri
                              Nov 12 16:43:17 UTC 2021 x86_64 x86_64
Alert Count                   20
First Seen                    2021-11-25 00:51:48 UTC
Last Seen                     2021-11-27 09:37:26 UTC
Local ID                      7ea96bad-7a5a-4840-a558-401e9437597e

Raw Audit Messages
type=AVC msg=audit(1638005846.181:727): avc:  denied  { read } for  pid=5189 comm="blueman-mechani" name="site-packages" dev="dm-0" ino=417663 scontext=system_u:system_r:blueman_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0


Hash: blueman-mechani,blueman_t,gconf_home_t,dir,read

Version-Release number of selected component:
selinux-policy-targeted-35.5-1.fc35.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.15.2
hashmarkername: setroubleshoot
kernel:         5.14.18-300.fc35.x86_64
type:           libreport

Potential duplicate: bug 957539

Comment 1 Nat W. Garrison, Jr. 2022-05-14 20:25:38 UTC
I'm having this SELinux problem with my newly installed Fedora 36.  I believe it has something to do with the BlueTooth.  BlueTooth is enabled but I can't connect it to my BlueTooth Logitech mouse.

Comment 2 Nikola Knazekova 2022-09-06 08:49:55 UTC
Hi Naadir,

Can you please enable full auditing and reproduce it again?

Open /etc/audit/rules.d/audit.rules file in an editor.

 1. Remove following line if it exists:

-a task,never

 2. Add following line at the end of the file:

-w /etc/shadow -p w

 3. Restart the audit daemon:

 # service auditd restart

Thank you

Nikola

Comment 3 Milos Malik 2022-09-06 09:08:16 UTC
The gconf_home_t label in the tcontext= part of the SELinux denial indicates that there is a directory called "site-packages" located under ~/.local/ directory.

# matchpathcon /root/.local
/root/.local	system_u:object_r:gconf_home_t:s0
# matchpathcon /home/user/.local
/home/user/.local	unconfined_u:object_r:gconf_home_t:s0
#

Do you have a directory called site-packages in your home directory or in root's home directory?

# find /home /root -type d -name site-packages

Thank you.

Comment 4 Milos Malik 2022-09-06 10:20:23 UTC
Reproducible on my Fedora 36 when the /root/.local/lib/python3.10/site-packages directory exists:

# python --version
Python 3.10.6
# find /root/.local/lib/
/root/.local/lib/
/root/.local/lib/python3.10
/root/.local/lib/python3.10/site-packages
# service blueman-mechanism start
Redirecting to /bin/systemctl start blueman-mechanism.service
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=PROCTITLE msg=audit(09/06/2022 12:16:33.623:374) : proctitle=/usr/bin/python3 /usr/libexec/blueman-mechanism 
type=PATH msg=audit(09/06/2022 12:16:33.623:374) : item=0 name=/root/.local/lib/python3.10/site-packages inode=834955 dev=00:20 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:gconf_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/06/2022 12:16:33.623:374) : cwd=/ 
type=SYSCALL msg=audit(09/06/2022 12:16:33.623:374) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f8e0f4f4640 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1998 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=blueman-mechani exe=/usr/bin/python3.10 subj=system_u:system_r:blueman_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 12:16:33.623:374) : avc:  denied  { read } for  pid=1998 comm=blueman-mechani name=site-packages dev="vda2" ino=834955 scontext=system_u:system_r:blueman_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(09/06/2022 12:16:33.623:375) : proctitle=/usr/bin/python3 /usr/libexec/blueman-mechanism 
type=PATH msg=audit(09/06/2022 12:16:33.623:375) : item=0 name=/root/.local/lib/python3.10/site-packages inode=834955 dev=00:20 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:gconf_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/06/2022 12:16:33.623:375) : cwd=/ 
type=SYSCALL msg=audit(09/06/2022 12:16:33.623:375) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f8e0f52dcc0 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1998 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=blueman-mechani exe=/usr/bin/python3.10 subj=system_u:system_r:blueman_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 12:16:33.623:375) : avc:  denied  { read } for  pid=1998 comm=blueman-mechani name=site-packages dev="vda2" ino=834955 scontext=system_u:system_r:blueman_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=0 
----

I believe that other Python programs would like to access that directory too.

# file /usr/libexec/blueman-mechanism
/usr/libexec/blueman-mechanism: Python script, ASCII text executable
#

Comment 5 Milos Malik 2022-09-06 10:23:18 UTC
The only SELinux denial that appeared in permissive mode is:
---
type=PROCTITLE msg=audit(09/06/2022 12:21:49.845:384) : proctitle=/usr/bin/python3 /usr/libexec/blueman-mechanism 
type=PATH msg=audit(09/06/2022 12:21:49.845:384) : item=0 name=/root/.local/lib/python3.10/site-packages inode=834955 dev=00:20 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:gconf_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/06/2022 12:21:49.845:384) : cwd=/ 
type=SYSCALL msg=audit(09/06/2022 12:21:49.845:384) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x7f826ff9c5a0 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=2032 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=blueman-mechani exe=/usr/bin/python3.10 subj=system_u:system_r:blueman_t:s0 key=(null) 
type=AVC msg=audit(09/06/2022 12:21:49.845:384) : avc:  denied  { read } for  pid=2032 comm=blueman-mechani name=site-packages dev="vda2" ino=834955 scontext=system_u:system_r:blueman_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=1 
----

# sesearch -s blueman_t -t gconf_home_t -c dir -A --dontaudit
allow blueman_t gconf_home_t:dir { getattr open search };
dontaudit application_domain_type non_security_file_type:dir { getattr open search };
#

Comment 7 Fedora Update System 2022-09-14 16:32:50 UTC
FEDORA-2022-096f7730be has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be

Comment 8 Fedora Update System 2022-09-15 02:21:20 UTC
FEDORA-2022-096f7730be has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-096f7730be`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2022-09-22 01:17:11 UTC
FEDORA-2022-096f7730be has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 10 Naadir Jeewa 2022-11-14 17:50:41 UTC
I'm closing this out. Blueman is pretty old, and i'm not using it for a while since Gnome's BT support is complete enough.

Should probably consider removal longterm.

Comment 11 Red Hat Bugzilla 2023-09-18 04:28:36 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days


Note You need to log in before you can comment on or make changes to this bug.