Bug 1032629

Summary: sosreport started from abrtd produces plenty of AVCs
Product: Red Hat Enterprise Linux 7
Reporter: Jakub Filak <jfilak>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Priority: unspecified
Version: 7.0
CC: eblake, jberan, ljozsa, lkardos, mmalik
Target Milestone: beta   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: selinux-policy-3.12.1-110.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 12:50:46 UTC
Type: Bug
Bug Blocks: 782468, 1032585    
Attachments: The list of all AVCs (flags: none)

Description Jakub Filak 2013-11-20 13:54:13 UTC
Created attachment 826657: The list of all AVCs

Description of problem:
Upon a detected crash, the abrtd service runs sosreport and it produces plenty of AVCs.

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-102.el7

Comment 2 Miroslav Grepl 2013-11-20 14:28:23 UTC
I added fixes.

Comment 9 Miroslav Grepl 2013-11-25 10:04:57 UTC
Ok, so we have

allow sosreport_t init_t:system status;
allow sosreport_t init_t:unix_stream_socket connectto;
allow sosreport_t init_var_run_t:sock_file write;

These are access checks.
allow sosreport_t lvm_lock_t:dir write;

allow sosreport_t rpm_t:dbus send_msg;
allow sosreport_t self:process signal;
allow sosreport_t setroubleshootd_t:process signull;

Comment 10 Miroslav Grepl 2013-11-25 10:30:43 UTC
I added fixes.

Comment 11 Miroslav Grepl 2013-12-03 09:40:55 UTC
*** Bug 1037460 has been marked as a duplicate of this bug. ***

Comment 18 Miroslav Grepl 2013-12-06 08:55:55 UTC
*** Bug 1038877 has been marked as a duplicate of this bug. ***

Comment 19 Miroslav Grepl 2013-12-06 10:15:07 UTC
commit dcbfc643807c5d1c24271de29f33c3ff93d614df
Author: Miroslav Grepl <mgrepl>
Date:   Fri Dec 6 11:13:43 2013 +0100

    Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling

Comment 21 Miroslav Grepl 2013-12-10 15:04:31 UTC
commit 210346ac2995da8794234fbb39e5677cb1861120
Author: Miroslav Grepl <mgrepl>
Date:   Tue Dec 10 16:03:44 2013 +0100

    Fix rpm_named_filetrans_log_files() interface

diff --git a/rpm.if b/rpm.if
index 0c8576e..064712b 100644
--- a/rpm.if
+++ b/rpm.if
@@ -391,7 +391,7 @@ interface(`rpm_named_filetrans_log_files',`
                type rpm_log_t;
        ')
     logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
-    logging_log_named_filetrans($1, rpm_log_t, file, "upd2date")
+    logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
 ')
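Review bot: The name literal on the changed `logging_log_named_filetrans` line is matched against the exact file name, so the old "upd2date" spelling could never have applied rpm_log_t and nothing in the interface flagged that. Before merging, confirm that "up2date" is the precise name of the file created in the log directory: the neighbouring entry is "yum.log" with an extension, while this one has none, and a near-miss here fails just as silently as the typo did. A one-line comment in rpm.if naming the path each literal is meant to cover would make the next mismatch easier to spot. As a style point, the two `logging_log_named_filetrans` lines are indented differently from the `type rpm_log_t;` and `')` lines above them, so the hunk mixes indentation within one interface body.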

Comment 23 Ludek Smid 2014-06-13 12:50:46 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.