Bug 1276305

Summary: SELinux is preventing abrt-hook-ccpp from using the 'sigchld' accesses on a process.
Product: [Fedora] Fedora
Reporter: Miroslav Grepl <mgrepl>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: high
Version: 23
CC: 7kaifi, adam, amidius.1992, amit.shah, anass.1430, andredelao, angiolucci, as.maps, autarch, awilliam, azzow.sy, brian.murrell, bugiardolr, bugzilla, bugzilla, bztdlinux, chmelarz, chujingbin, crosbytr, decathorpe, deesto, dinimito2, dominick.grift, dwalsh, edosurina, elitedeciel, emashukoff, extras-qa, fakhri.satu, fedora, geezuslucifer, gerard.fernandes, jamescape777, japan, jax6, jberan, jc, jfrieben, jlbosch, jones.peter.busi, jorti, jsmith.fedora, jtfas90, juliux.pigface, jwakely, lantw44, linuxkali.25, lvrabec, marcel, marco.guazzone, marco.kunzli, martincigorraga, mgrepl, michael, michaeltroy9001, mikhail.v.gavrilov, miras199002, mjs, mkluge.04, mspaulding06, nalimilan, nexfwall, nikola.p-k, oliver, olivier.reyes.r, peljasz, philippe.darocha, plautrba, rajesh, rehol3, req1348, robin.bowes, rocksynth, rupatel, sgallagh, shenada, silvio.a.palmieri, soaperish, sobolewski.marcin, stevenschlansker, sylvain.julmy, tcfxfzoi, thomastognolo, tomspur, urkipattan, vidhan1995.jain, vikigoyal, vrutkovs, yajo.sk8
Target Milestone: ---
Keywords: CommonBugs, Reopened
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:e6d10fcd6f18e995dfe405a4aefb445f20ab0971bcc32b9d72dad9e065f8049f https://fedoraproject.org/wiki/Common_F23_bugs#selinux-abrt-sigchld
Fixed In Version: selinux-policy-3.13.1-154.fc23
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1245477
Environment:
Last Closed: 2016-12-20 15:13:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1245477, 1276931
Bug Blocks: 1254188

Description Miroslav Grepl 2015-10-29 11:56:15 UTC
+++ This bug was initially created as a clone of Bug #1245477 +++

Description of problem:
SELinux is preventing abrt-hook-ccpp from using the 'sigchld' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If vous pensez que abrt-hook-ccpp devrait être autorisé à accéder sigchld sur les processus étiquetés kernel_t par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ process ]
Source                        abrt-hook-ccpp
Source Path                   abrt-hook-ccpp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.6.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.0.8-300.fc22.x86_64 #1 SMP Fri
                              Jul 10 21:04:56 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-07-22 09:21:44 CEST
Last Seen                     2015-07-22 09:21:44 CEST
Local ID                      d1a0744e-253d-4c1d-8daf-956f26b68141

Raw Audit Messages
type=AVC msg=audit(1437549704.396:995): avc:  denied  { sigchld } for  pid=18368 comm="abrt-hook-ccpp" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=0


Hash: abrt-hook-ccpp,xdm_t,kernel_t,process,sigchld

Version-Release number of selected component:
selinux-policy-3.13.1-128.6.fc22.noarch

Additional info:
reporter:       libreport-2.6.1
hashmarkername: setroubleshoot
kernel:         4.0.8-300.fc22.x86_64
type:           libreport

Potential duplicate: bug 1242467

--- Additional comment from Johannes on 2015-07-26 12:13:58 EDT ---

Description of problem:
Fingerprint to access sudo

Version-Release number of selected component:
selinux-policy-3.13.1-128.6.fc22.noarch

Additional info:
reporter:       libreport-2.6.1
hashmarkername: setroubleshoot
kernel:         4.0.8-300.fc22.x86_64
type:           libreport

--- Additional comment from Jason Taylor on 2015-07-27 21:18:31 EDT ---

Description of problem:
installed all updates as of Monday, July 27th. After the updates started receiving this selinux issue.

Version-Release number of selected component:
selinux-policy-3.13.1-128.6.fc22.noarch

Additional info:
reporter:       libreport-2.6.1
hashmarkername: setroubleshoot
kernel:         4.0.8-300.fc22.x86_64
type:           libreport

--- Additional comment from  on 2015-07-30 19:50:54 EDT ---

Description of problem:
gnome-shell crashed on a monitor attach event, then abrt crashed while processing that crash

Version-Release number of selected component:
selinux-policy-3.13.1-128.8.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.2-200.fc22.x86_64
type:           libreport

--- Additional comment from  on 2015-08-04 19:50:47 EDT ---

Description of problem:
This often happens during the normal use of Firefox in Fedora 22.  No particular actions.

Version-Release number of selected component:
selinux-policy-3.13.1-128.8.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.3-200.fc22.x86_64
type:           libreport

--- Additional comment from Miroslav Grepl on 2015-08-05 06:28:22 EDT ---

Jakub,
what was our solution here?

--- Additional comment from Jakub Filak on 2015-08-05 06:51:13 EDT ---

(In reply to Miroslav Grepl from comment #5)
> Jakub,
> what was our solution here?

/usr/libexec/abrt-hook-ccpp is a core dumper used in /proc/sys/kernel/core_pattern.

Starting with abrt-2.6.1, abrt-hook-ccpp tries to ptrace(PTRACE_SEIZE, ..., PTRACE_O_TRACEEXIT) the process that is being dumped by kernel. It does that because we want to generate the crash backtrace before kernel unloads the process's memory. After we call ptrace() we have to waitpid() and check whether the ptrace action was successful.

If you want to trigger this functionality, just kill something with SIGABRT or run /usr/bin/will_segfault.

We did not notice any AVC when we were testing this feature.

--- Additional comment from Miroslav Grepl on 2015-08-05 10:13:58 EDT ---

Should we label it as abrt_helper_exec_t?

# chcon -t abrt_helper_exec_t /usr/libexec/abrt-hook-ccpp

--- Additional comment from H.W. on 2015-08-06 13:22:31 EDT ---

Description of problem:
Fedora Workstation 22 (x86-64) is installed as Guest in VMWare Workstation 10.0.7 (Hostsystem is Win 8.1 Enterprise, x86-64). I installed updates ("su" with pwd) with "dnf updates" in a terminal session. I get a SELinux Alert before the updates are completely finished.

Version-Release number of selected component:
selinux-policy-3.13.1-128.8.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.3-201.fc22.x86_64
type:           libreport

--- Additional comment from  on 2015-08-06 21:50:41 EDT ---

Description of problem:
installed a new copy of F22, all upgraded, no other application installed other than gnome tweak tool.

Constantly comes up, and eventually crashed.

Version-Release number of selected component:
selinux-policy-3.13.1-128.8.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.3-201.fc22.x86_64
type:           libreport

--- Additional comment from H.W. on 2015-08-08 06:09:04 EDT ---

Description of problem:
Fedora 22 (x64) works as guest in a VMWare Workstation v10.0.7. Installed as "su" Adobe Flash Plugin in a terminal session with "dnf install adobe-release-x86_64-1.0-1.noarch.rpm" then "dnf install flash-plugin". After I close the terminal session with "exit" (su) and another "exit" (for the terminal session) I checked the installation in Firefox and closed the browser. Then I get a SELinux Alert and I am logged out.

Version-Release number of selected component:
selinux-policy-3.13.1-128.8.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.3-201.fc22.x86_64
type:           libreport

--- Additional comment from Miroslav Grepl on 2015-08-15 06:23:14 EDT ---



--- Additional comment from Miroslav Grepl on 2015-08-15 07:26:57 EDT ---

(In reply to Miroslav Grepl from comment #7)
> Should we label it as abrt_helper_exec_t?
> 
> # chcon -t abrt_helper_exec_t /usr/libexec/abrt-hook-ccpp

Ok we probably need to add another ABRT domain - either abrt_dump_oops_t or a new one. The point is this new domain will need to ptrace random domains and will require sigchld.

--- Additional comment from Miroslav Grepl on 2015-08-15 11:51:55 EDT ---



--- Additional comment from Miroslav Grepl on 2015-08-15 11:54:30 EDT ---

Lukas,
it works with

$ cat myabrt.cil

(block abrt_dump_oops_t)
(block kernel_t)

(in kernel_t
    (optional kernel_optional_abrt
    (call domtrans_pattern (kernel_t abrt_dump_oops_exec_t abrt_dump_oops_t))))

(in abrt_dump_oops_t
    (allow abrt_dump_oops_t self (capability (kill net_admin sys_ptrace)))
    (allow abrt_dump_oops_t proc_security_t (file (getattr read open)))
    (call domain_ptrace_all_domains (abrt_dump_oops_t))
    (call domain_read_all_domains_state (abrt_dump_oops_t))
    (call domain_signull_all_domains (abrt_dump_oops_t)))

--- Additional comment from Martín Cigorraga on 2015-08-18 09:38:14 EDT ---

Description of problem:
I saw this alert after waking the system from suspension.

Version-Release number of selected component:
selinux-policy-3.13.1-128.10.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.5-200.fc22.x86_64
type:           libreport

--- Additional comment from Martín Cigorraga on 2015-08-18 18:57:10 EDT ---

Description of problem:
Woke the system from suspend, there was an alert notice on the GDM lock screen regarding Abrt.
After pressing ESC to lift the lock screen BAM! GDM or X crashed and then restarted -- of course losing my currently running session :'(

Nonetheless, thanks everyone for putting everything together to make F22 a great distro.

Version-Release number of selected component:
selinux-policy-3.13.1-128.10.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.5-200.fc22.x86_64
type:           libreport

--- Additional comment from Lukas Vrabec on 2015-08-19 04:16:44 EDT ---

commit ca95767f8e2db2296343db21b47852b820a8bb24
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 18 18:00:41 2015 +0200

    Allow abrt_dump_oops_t to read proc_security_t files.

commit a7ca01f148f78355a0795c14570890c112410e0c
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 18 17:55:18 2015 +0200

    Allow abrt_dump_oops to signull all domains
    Allow abrt_dump_oops to read all domains state
    Allow abrt_dump_oops to ptrace all domains

commit 7c68bff8cd0381677e3953c7c9eeb4d6f1dac729
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 18 17:54:57 2015 +0200

    Add interface abrt_dump_oops_domtrans()

commit 9c122650fa1ef973594fcbc6d4c9dff967b9cfa6
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 18 17:57:21 2015 +0200

    Allow kernel_t domtrans to abrt_dump_oops_t

--- Additional comment from Martín Cigorraga on 2015-08-20 23:29:15 EDT ---

Description of problem:
Woke up the system and found the alert on the lock screen :'(

Version-Release number of selected component:
selinux-policy-3.13.1-128.10.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.5-200.fc22.x86_64
type:           libreport

--- Additional comment from Fedora Update System on 2015-08-24 07:45:50 EDT ---

selinux-policy-3.13.1-128.12.fc22 has been submitted as an update to Fedora 22. https://bugzilla.redhat.com/show_bug.cgi?id=1245477

--- Additional comment from Milan Bouchet-Valat on 2015-08-24 09:49:32 EDT ---



--- Additional comment from Fedora Update System on 2015-08-24 17:54:33 EDT ---

selinux-policy-3.13.1-128.12.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-14076

--- Additional comment from Ting-Wei Lan on 2015-08-26 05:54:21 EDT ---

Description of problem:
fprintd.service segfault

Version-Release number of selected component:
selinux-policy-3.13.1-128.12.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.5-200.fc22.x86_64
type:           libreport

--- Additional comment from Ting-Wei Lan on 2015-08-26 06:20:49 EDT ---

This happens when I login to the system or unlock the screen. selinux-policy from updates-testing is already installed.

Additional Information:
Source Context                system_u:system_r:fprintd_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ process ]
Source                        abrt-hook-ccpp
Source Path                   /usr/libexec/abrt-hook-ccpp
Port                          <Unknown>
Host                          wnn
Source RPM Packages           abrt-addon-coredump-helper-2.6.1-2.fc22.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.12.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     wnn
Platform                      Linux wnn 4.1.5-200.fc22.x86_64 #1 SMP Mon Aug 10
                              23:38:23 UTC 2015 x86_64 x86_64
Alert Count                   12
First Seen                    2015-08-25 17:58:36 CST
Last Seen                     2015-08-26 17:52:06 CST
Local ID                      a9bbcde8-08bd-4a19-89fb-30853a73cb1a

Raw Audit Messages
type=AVC msg=audit(1440582726.335:26278): avc:  denied  { sigchld } for  pid=9849 comm="abrt-hook-ccpp" scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=0


type=SYSCALL msg=audit(1440582726.335:26278): arch=x86_64 syscall=wait4 success=no exit=EACCES a0=2405 a1=7fff77148d7c a2=0 a3=0 items=0 ppid=31635 pid=9849 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0 key=(null)

Hash: abrt-hook-ccpp,fprintd_t,kernel_t,process,sigchld
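
The AVC and SYSCALL records quoted in this report share an audit event ID, so they can be joined to see both which domain was denied and which domain actually issued the syscall. The Python below is an added example, not part of the original report and not setroubleshoot's code; the function names are hypothetical, and the sample log is assembled from records quoted on this page.

```python
import re
from collections import Counter

# Sample input assembled from the audit records quoted on this page
# (interpreted form, as printed by the alert tool; not a live log).
SAMPLE_LOG = """\
type=AVC msg=audit(1437549704.396:995): avc:  denied  { sigchld } for  pid=18368 comm="abrt-hook-ccpp" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=0
type=AVC msg=audit(1440582726.335:26278): avc:  denied  { sigchld } for  pid=9849 comm="abrt-hook-ccpp" scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1440582726.335:26278): arch=x86_64 syscall=wait4 success=no exit=EACCES a0=2405 a1=7fff77148d7c a2=0 a3=0 items=0 ppid=31635 pid=9849 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:kernel_t:s0 key=(null)
type=AVC msg=audit(1444463345.425:294): avc:  denied  { getattr } for  pid=3790 comm="abrt-hook-ccpp" path="/usr/libexec/fprintd" dev="sda2" ino=1233627 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:fprintd_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1444463345.425:294): arch=x86_64 syscall=stat success=no exit=EACCES a0=55990a7b9be0 a1=7ffe377e2b70 a2=7ffe377e2b70 a3=7aa items=0 ppid=113 pid=3790 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:abrt_dump_oops_t:s0 key=(null)
"""

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")   # timestamp:serial
DENIED_RE = re.compile(r"avc:\s+denied\b")
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")              # { perm1 perm2 }
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')             # key=value pairs


def parse_record(line):
    """Return one audit record as a dict, or None if it is not an audit line."""
    event = EVENT_RE.search(line)
    if event is None:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    rec["event"] = event.group(1)
    if rec.get("type") == "AVC":
        perms = PERMS_RE.search(line)
        rec["perms"] = perms.group(1).split() if perms else []
        rec["denied"] = DENIED_RE.search(line) is not None
    return rec


def selinux_type(context):
    """Extract the type field from user:role:type[:level] (None if malformed)."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else None


def correlate(log_text):
    """Join each AVC denial with the SYSCALL record of the same event ID."""
    avcs, syscalls = [], {}
    for line in log_text.splitlines():
        rec = parse_record(line.strip())
        if rec is None:
            continue
        if rec.get("type") == "AVC" and rec["denied"]:
            avcs.append(rec)
        elif rec.get("type") == "SYSCALL":
            syscalls[rec["event"]] = rec

    denials = []
    for avc in avcs:
        sc = syscalls.get(avc["event"], {})
        src = selinux_type(avc.get("scontext"))
        tgt = selinux_type(avc.get("tcontext"))
        subj = selinux_type(sc.get("subj"))
        # Which side of the denied permission is the process that made the
        # syscall? For the wait4 denial it is the *target*, not the source.
        if subj is None:
            role = "unknown"
        elif subj == src:
            role = "source"
        elif subj == tgt:
            role = "target"
        else:
            role = "other"
        denials.append({
            "event": avc["event"], "comm": avc.get("comm"),
            "source_type": src, "target_type": tgt,
            "tclass": avc.get("tclass"), "perms": avc["perms"],
            "syscall": sc.get("syscall"), "exit": sc.get("exit"),
            "caller_type": subj, "caller_role": role,
        })
    return denials


def hash_key(denial):
    """Same field order as the 'Hash:' lines shown in this report."""
    return ",".join([denial["comm"], denial["source_type"],
                     denial["target_type"], denial["tclass"], *denial["perms"]])


def count_by_hash(denials):
    """Count denials per hash key to separate distinct issues in one log."""
    return Counter(hash_key(d) for d in denials)


if __name__ == "__main__":
    for d in correlate(SAMPLE_LOG):
        print(hash_key(d), d["syscall"], d["caller_type"], d["caller_role"])
```

Raw records in /var/log/audit/audit.log carry numeric syscall and exit values rather than the interpreted names (wait4, EACCES) that appear in the alert output quoted here.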

--- Additional comment from  on 2015-08-26 15:31:26 EDT ---

Description of problem:
no idea...it appeared when I unlocked my PC

Version-Release number of selected component:
selinux-policy-3.13.1-128.10.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.5-200.fc22.x86_64
type:           libreport

--- Additional comment from Miroslav Grepl on 2015-08-27 13:21:45 EDT ---



--- Additional comment from Fedora Update System on 2015-08-27 14:23:23 EDT ---

selinux-policy-3.13.1-128.12.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

--- Additional comment from Robin Bowes on 2015-08-28 09:48:47 EDT ---

Description of problem:
Tried to connect to a running docker container using docker exec -ti <hash>

Was unable to because of SELinux error

Works OK in permissive mode

Version-Release number of selected component:
selinux-policy-3.13.1-128.12.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.6-200.fc22.x86_64
type:           libreport

--- Additional comment from Ting-Wei Lan on 2015-09-03 22:28:27 EDT ---

Description of problem:
unlock screen and fprintd segfault

Version-Release number of selected component:
selinux-policy-3.13.1-128.12.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.6-200.fc22.x86_64
type:           libreport

--- Additional comment from Milan Bouchet-Valat on 2015-09-04 03:23:28 EDT ---

I'm reopening as (as others above) I've just seen this again with selinux-policy 3.13.1-128.12.fc22.

See the attached log:
sept. 04 08:58:24 milan abrt-hook-ccpp[13793]: Failed to create core_backtrace: waitpid failed: Permission denied

A possible explanation is that it looks like systemd-journald crashed, as can be seen from this line:
sept. 04 09:00:34 milan abrt-server[13832]: Deleting problem directory ccpp-2015-09-04-08:58:15-423 (dup of ccpp-2015-06-28-17:43:01-403)
The latter problem directory is about systemd-journald. Maybe some processes require more permissions than others?

--- Additional comment from 褚敬彬 on 2015-09-10 03:38:34 EDT ---

Description of problem:
i really dont know~

Version-Release number of selected component:
selinux-policy-3.13.1-128.12.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.6-200.fc22.x86_64
type:           libreport

--- Additional comment from deesto on 2015-09-18 07:38:21 EDT ---

Description of problem:
Nothing -- logged into system.

Version-Release number of selected component:
selinux-policy-3.13.1-128.13.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.6-201.fc22.x86_64
type:           libreport

--- Additional comment from Orion Poplawski on 2015-09-21 13:58:27 EDT ---



--- Additional comment from Ahmad Kaifi on 2015-10-01 05:04:31 EDT ---

Description of problem:
I received this bug with SELinux?!

Version-Release number of selected component:
selinux-policy-3.13.1-128.13.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.7-200.fc22.x86_64
type:           libreport

--- Additional comment from Frank Büttner on 2015-10-01 08:32:51 EDT ---

On my system this was triggered by the call: "setenforce 0"

--- Additional comment from  on 2015-10-03 06:22:04 EDT ---

Description of problem:
Boot and login

Version-Release number of selected component:
selinux-policy-3.13.1-128.13.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.7-200.fc22.x86_64
type:           libreport

--- Additional comment from Miroslav Grepl on 2015-10-05 02:45:15 EDT ---



--- Additional comment from Miroslav Grepl on 2015-10-05 02:45:20 EDT ---



--- Additional comment from Miroslav Grepl on 2015-10-05 02:58:20 EDT ---

https://github.com/fedora-selinux/selinux-policy/commit/1254e2a8db77e3e6b22a0c9a3f188bb7d2a394f1

--- Additional comment from Florian Heiser on 2015-10-07 15:57:46 EDT ---

Description of problem:
It just happened. I don't know what triggered it.

Version-Release number of selected component:
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.8-200.fc22.x86_64
type:           libreport

--- Additional comment from Andreas Schöneck on 2015-10-08 02:18:45 EDT ---

Description of problem:
dnf upgrade with these packages updated in the end:

  curl.x86_64 7.45.0-1.0.cf.fc22                        google-chrome-beta.x86_64 46.0.2490.64-1             libcurl.x86_64 7.45.0-1.0.cf.fc22                  
  libcurl-devel.x86_64 7.45.0-1.0.cf.fc22               libnm-gtk.x86_64 1.0.6-3.fc22                        libteam.x86_64 1.21-1.fc22                         
  nm-connection-editor.x86_64 1.0.6-3.fc22              orca.noarch 3.16.3-1.fc22                            perl-namespace-clean.noarch 0.26-1.fc22            
  python-beautifulsoup4.noarch 4.4.1-1.fc22             teamd.x86_64 1.21-1.fc22                            


Version-Release number of selected component:
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.8-200.fc22.x86_64
type:           libreport

--- Additional comment from Fedora Update System on 2015-10-09 10:16:40 EDT ---

selinux-policy-3.13.1-128.18.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-946cd8d690

--- Additional comment from Dmitry Kireev on 2015-10-09 10:23:08 EDT ---

Description of problem:

I installed the application from the site https://extensions.gnome.org/ kaffein


SELinux is preventing abrt-hook-ccpp from using the sigchld access on a process.

Module: catchall
you want to allow abrt-hook-ccpp to have sigchld access on the Unknown process
If you think abrt-hook-ccpp sigchld should allow access to the processes of the type kernel_t default.
It is recommended to create a bug report.
To allow access, you can create a local policy module.
To allow access, run:
# grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Version-Release number of selected component:
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.10-200.fc22.x86_64
type:           libreport

--- Additional comment from Lukas Vrabec on 2015-10-09 10:52:44 EDT ---

Dmitry, 
Please check the version of the selinux-policy package. We fixed this in selinux-policy-3.13.1-128.18.fc22 and you are using selinux-policy-3.13.1-128.16.fc22.noarch.

--- Additional comment from Dmitry Kireev on 2015-10-09 11:39:00 EDT ---

Thank you. You were right, I was on version selinux-policy-3.13.1-128.16.fc22.noarch, updated to selinux-policy-3.13.1-128.18.fc22. Thank you very much!

--- Additional comment from Fedora Update System on 2015-10-09 19:22:09 EDT ---

selinux-policy-3.13.1-128.18.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-946cd8d690

--- Additional comment from Ting-Wei Lan on 2015-10-10 03:58:55 EDT ---

I applied the update, but I still see a (different) SELinux warning. The update fixed the original issue but created another issue. This happens when I log in and fprintd segfaults.


SELinux is preventing /usr/libexec/abrt-hook-ccpp from getattr access on the file /usr/libexec/fprintd.

*****  Plugin catchall (100. confidence) suggests   **************************

If 您認為 abrt-hook-ccpp 就預設值應擁有 fprintd file 的 getattr 存取權。
Then 您應將此回報為錯誤。
您可產生本機模組,以允許這項存取。
Do
現在透過執行以下指令來允許此存取:
# grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_dump_oops_t:s0
Target Context                system_u:object_r:fprintd_exec_t:s0
Target Objects                /usr/libexec/fprintd [ file ]
Source                        abrt-hook-ccpp
Source Path                   /usr/libexec/abrt-hook-ccpp
Port                          <Unknown>
Host                          <hostname>
Source RPM Packages           abrt-addon-coredump-helper-2.6.1-5.fc22.x86_64
Target RPM Packages           fprintd-0.6.0-1.fc22.x86_64
Policy RPM                    selinux-policy-3.13.1-128.18.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     wnn
Platform                      Linux <hostname> 4.1.10-200.fc22.x86_64 #1 SMP 
                              Mon Oct 5 14:22:49 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-10-10 15:49:05 CST
Last Seen                     2015-10-10 15:49:05 CST
Local ID                      e6771c52-2912-4f4f-a4fb-7bc0ffd7b208

Raw Audit Messages
type=AVC msg=audit(1444463345.425:294): avc:  denied  { getattr } for  pid=3790 comm="abrt-hook-ccpp" path="/usr/libexec/fprintd" dev="sda2" ino=1233627 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:fprintd_exec_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1444463345.425:294): arch=x86_64 syscall=stat success=no exit=EACCES a0=55990a7b9be0 a1=7ffe377e2b70 a2=7ffe377e2b70 a3=7aa items=0 ppid=113 pid=3790 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-hook-ccpp exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:abrt_dump_oops_t:s0 key=(null)

Hash: abrt-hook-ccpp,abrt_dump_oops_t,fprintd_exec_t,file,getattr


Version-Release number of selected component:
selinux-policy-3.13.1-128.18.fc22.noarch

--- Additional comment from Andrew Cook on 2015-10-10 08:11:53 EDT ---

Description of problem:
I think qemu crashed? there's no entry in dmesg but it did disappear.

Something else has been triggering this on my machine.

Version-Release number of selected component:
selinux-policy-3.13.1-128.13.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.6-201.fc22.x86_64
type:           libreport

--- Additional comment from Miroslav Grepl on 2015-10-12 13:23:41 EDT ---



--- Additional comment from Yajo on 2015-10-14 16:07:53 EDT ---

Description of problem:
This seems to happen on every boot.

Version-Release number of selected component:
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.10-200.fc22.x86_64
type:           libreport

--- Additional comment from Michal Nowak on 2015-10-15 02:12:29 EDT ---

Description of problem:
Started a VM in Boxes.

Version-Release number of selected component:
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.8-200.fc22.x86_64
type:           libreport

--- Additional comment from Christian Stadelmann on 2015-10-19 15:48:19 EDT ---

Description of problem:
Abrt is unable to run on some backtrace due to an AVC denial.

Version-Release number of selected component:
selinux-policy-3.13.1-128.18.fc22.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.3-200.fc22.x86_64
type:           libreport

--- Additional comment from Michal Nowak on 2015-10-20 09:10:40 EDT ---

Description of problem:
Started VM in Boxes.

Version-Release number of selected component:
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.3-200.fc22.x86_64
type:           libreport

--- Additional comment from Michael Reiger on 2015-10-20 13:16:21 EDT ---

Description of problem:
I tried to switch users from the top-right menu. There was only one user logged in at the time; on console 2. (Console 1 being taken up by GDM.)
GDM should have appeared, allowing me to login as a different user; however there was only a blank screen.

Upon switching back to the logged in user with Ctrl-Alt-F2 I noticed the SELinux notification attached.

This has - to my knowledge - occurred at least once before I reported this now; I switch users semi-regularly, normally there is no problem with this.

Version-Release number of selected component:
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.10-200.fc22.x86_64
type:           libreport

--- Additional comment from awilliam on 2015-10-21 19:50:32 EDT ---

Description of problem:
Happens after installing Fedora 23 Final RC2 Workstation x86_64 live in a KVM, running through g-i-s to create a user, and logging in. It's in sealert as soon as you can run it, so not sure exactly when it happens.

Version-Release number of selected component:
selinux-policy-3.13.1-152.fc23.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.3-300.fc23.x86_64
type:           libreport

--- Additional comment from RyanEatsFish on 2015-10-25 21:19:47 EDT ---

Description of problem:
Printing Amazon Return from Chrome.

Clicked on Print Label & Return Button <javascript:window.print()>

Using the printer driver from Brother for a MFC-9970CDW

This error happens when printing from Web browsers often (probably b/c of the javascript call?) but not in other programs/with other docs...

Hope that helps!


Version-Release number of selected component:
selinux-policy-3.13.1-128.13.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.7-200.fc22.x86_64
type:           libreport

--- Additional comment from Roger Baran on 2015-10-26 16:02:33 EDT ---

Description of problem:
Sorry, but I am really not sure.
I was just working along and it popped up.
At the moment I got the alert I was reading an epub in Atril Document Viewer 1.10.2

Version-Release number of selected component:
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.3-200.fc22.x86_64
type:           libreport

--- Additional comment from lejeczek on 2015-10-27 15:20:08 EDT ---

Description of problem:
not really sure what happened, just in case sending this report I am.

Version-Release number of selected component:
selinux-policy-3.13.1-152.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.3-300.fc23.x86_64
type:           libreport

--- Additional comment from Fedora Update System on 2015-10-28 12:25:38 EDT ---

selinux-policy-3.13.1-128.18.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

--- Additional comment from Christian Stadelmann on 2015-10-28 14:06:31 EDT ---

This issue is not resolved with updating selinux-policy to selinux-policy-3.13.1-128.18.fc22. Please reopen.

--- Additional comment from Majid on 2015-10-29 03:50:33 EDT ---

Description of problem:
I'm working on my fedora, chrome browser, sublime text editor, Document Viewer,  DB Browser for Sqlite is opening then locked my fedora. I can't do anything, just move the mouse pointer.

Version-Release number of selected component:
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.3-200.fc22.x86_64
type:           libreport

--- Additional comment from Heiko Adams on 2015-10-29 06:50:47 EDT ---

This problem still exists on Fedora 23 with all available updates applied.

--- Additional comment from Miroslav Grepl on 2015-10-29 07:55:19 EDT ---

(In reply to Heiko Adams from comment #61)
> This problem still exists on Fedora 23 with all available updates applied.

Yes, there is a problem with this. I created a new issue

https://github.com/fedora-selinux/selinux-policy/issues/59

Comment 2 Miroslav Grepl 2015-11-02 11:47:23 UTC
*** Bug 1276342 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2015-11-02 11:47:40 UTC
*** Bug 1277055 has been marked as a duplicate of this bug. ***

Comment 4 Miroslav Grepl 2015-11-02 11:49:08 UTC
*** Bug 1276179 has been marked as a duplicate of this bug. ***

Comment 5 Miroslav Grepl 2015-11-02 11:49:13 UTC
*** Bug 1276180 has been marked as a duplicate of this bug. ***

Comment 6 Miroslav Grepl 2015-11-08 09:29:42 UTC
*** Bug 1279044 has been marked as a duplicate of this bug. ***

Comment 7 Miroslav Grepl 2015-11-08 09:29:47 UTC
*** Bug 1279084 has been marked as a duplicate of this bug. ***

Comment 8 Miroslav Grepl 2015-11-08 09:29:54 UTC
*** Bug 1279050 has been marked as a duplicate of this bug. ***

Comment 9 Miroslav Grepl 2015-11-08 09:30:03 UTC
*** Bug 1278748 has been marked as a duplicate of this bug. ***

Comment 10 Miroslav Grepl 2015-11-08 09:30:29 UTC
*** Bug 1278513 has been marked as a duplicate of this bug. ***

Comment 11 Miroslav Grepl 2015-11-08 09:30:46 UTC
*** Bug 1274741 has been marked as a duplicate of this bug. ***

Comment 12 Miroslav Grepl 2015-11-08 09:30:58 UTC
*** Bug 1274971 has been marked as a duplicate of this bug. ***

Comment 13 Miroslav Grepl 2015-11-08 09:31:05 UTC
*** Bug 1275366 has been marked as a duplicate of this bug. ***

Comment 14 Miroslav Grepl 2015-11-08 09:32:08 UTC
*** Bug 1277684 has been marked as a duplicate of this bug. ***

Comment 15 Miroslav Grepl 2015-11-08 09:32:14 UTC
*** Bug 1277685 has been marked as a duplicate of this bug. ***

Comment 16 Miroslav Grepl 2015-11-08 09:32:20 UTC
*** Bug 1277686 has been marked as a duplicate of this bug. ***

Comment 17 Miroslav Grepl 2015-11-08 09:32:26 UTC
*** Bug 1277985 has been marked as a duplicate of this bug. ***

Comment 18 Fedora Update System 2015-11-09 15:10:55 UTC
selinux-policy-3.13.1-154.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-6b85d80ba8

Comment 19 Fedora Update System 2015-11-10 03:22:02 UTC
selinux-policy-3.13.1-154.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-6b85d80ba8

Comment 20 Miroslav Grepl 2015-11-11 08:50:51 UTC
*** Bug 1275801 has been marked as a duplicate of this bug. ***

Comment 21 Jakub Filak 2015-11-12 15:48:40 UTC
User coredumps are still not working:
https://bugzilla.redhat.com/show_bug.cgi?id=1276931#c11
https://github.com/abrt/abrt/blob/master/tests/runtests/ccpp-plugin-selinux/runtest.sh

----
time->Thu Nov 12 16:37:44 2015
type=AVC msg=audit(1447342664.692:674): avc:  denied  { getattr } for  pid=7122 comm="abrt-hook-ccpp" scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1

? https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L195

----
time->Thu Nov 12 16:37:44 2015
type=AVC msg=audit(1447342664.693:675): avc:  denied  { setgid } for  pid=7122 comm="abrt-hook-ccpp" capability=6  scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:abrt_dump_oops_t:s0 tclass=capability permissive=1

https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L329

----
time->Thu Nov 12 16:37:44 2015
type=AVC msg=audit(1447342664.693:676): avc:  denied  { setuid } for  pid=7122 comm="abrt-hook-ccpp" capability=7  scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:abrt_dump_oops_t:s0 tclass=capability permissive=1

https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L328

----
time->Thu Nov 12 16:37:44 2015
type=AVC msg=audit(1447342664.693:677): avc:  denied  { create } for  pid=7122 comm="abrt-hook-ccpp" name="core.7121" scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1

https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L337
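
The four denials quoted in comment 21 reduce to three access vectors. As an added example (not code from the commenter, ABRT or selinux-policy), the Python below parses those records and groups them by source type, target type and object class; the function names are hypothetical, and writing the target as `self` when source and target types match follows SELinux rule convention.

```python
import re
from collections import defaultdict

# The four AVC records quoted in comment 21 above, copied verbatim.
SAMPLE = """\
type=AVC msg=audit(1447342664.692:674): avc:  denied  { getattr } for  pid=7122 comm="abrt-hook-ccpp" scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1447342664.693:675): avc:  denied  { setgid } for  pid=7122 comm="abrt-hook-ccpp" capability=6  scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:abrt_dump_oops_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1447342664.693:676): avc:  denied  { setuid } for  pid=7122 comm="abrt-hook-ccpp" capability=7  scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:abrt_dump_oops_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1447342664.693:677): avc:  denied  { create } for  pid=7122 comm="abrt-hook-ccpp" name="core.7121" scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type:level; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # permissive=1 means the access was logged but not blocked.
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def summarize(text):
    """Group denials into (source type, target, class) -> set of permissions."""
    out = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            target = "self" if rec["stype"] == rec["ttype"] else rec["ttype"]
            out[(rec["stype"], target, rec["tclass"])].update(rec["perms"])
    return dict(out)


if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt} : {cls} {{ {' '.join(sorted(perms))} }}")
```

All four records carry `permissive=1`, so these accesses were logged rather than blocked on the system that produced them.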

Comment 22 Fedora Update System 2015-11-13 22:52:49 UTC
selinux-policy-3.13.1-154.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 23 Jonathan Wakely 2015-11-14 16:36:55 UTC
This is a regression in F22 as well, why isn't it being fixed in F22?

Comment 24 Jonathan Wakely 2015-11-14 16:38:27 UTC
Oh sorry, I missed that this is a clone of the F22 report, I'm CC'd on the wrong one!

Comment 25 Matthew Saltzman 2015-12-13 01:26:32 UTC
Description of problem:
Presumably happened trying to report a bug, possibly with incorrect Bugzilla password.

Version-Release number of selected component:
selinux-policy-3.13.1-128.12.fc22.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-301.fc23.x86_64
type:           libreport

Comment 26 michaeltroy9001 2016-01-22 04:18:09 UTC
Description of problem:
I turn on my Gateway all-in-one desktop, log in to the admin account (only account on the system), connect to a wireless router and in a few minutes the bug appears.

Version-Release number of selected component:
selinux-policy-3.13.1-152.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.3-300.fc23.x86_64
type:           libreport

Comment 27 Marcin Sobolewski 2016-02-11 21:23:14 UTC
Description of problem:
Error popped up half a minute / few minutes after Plague inc. crashed (game I have recently installed through Steam). The game itself crashes shortly after launching, however, I think this error is triggered by SELinux Troubleshooter failing to generate a report after that game crash.

Version-Release number of selected component:
selinux-policy-3.13.1-158.2.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.4-300.fc23.x86_64
type:           libreport

Comment 28 rocksynth 2016-02-13 05:21:42 UTC
Description of problem:
As soon as I installed Fedora 23 Workstation this notification popped up. I hadn't installed any other software at this point.

Version-Release number of selected component:
selinux-policy-3.13.1-152.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.3-300.fc23.x86_64
type:           libreport

Comment 29 Fakhruddin Ahmad Darwis 2016-05-05 01:34:19 UTC
Description of problem:
Open Firefox.
Go to extensions.gnome.org.
Allow the site to install extensions.
Select an extension and turn it on.
Choose install when a dialog appears.
Then the SELinux troubleshooter will give an alert.

Version-Release number of selected component:
selinux-policy-3.13.1-152.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.3-300.fc23.x86_64
type:           libreport

Comment 30 Brian J. Murrell 2016-06-14 14:32:17 UTC
Description of problem:
Not sure why this happened

Version-Release number of selected component:
selinux-policy-3.13.1-158.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.5.6-200.fc23.x86_64
type:           libreport

Comment 31 Brian J. Murrell 2016-06-14 14:35:09 UTC
(In reply to Fedora Update System from comment #22)
> selinux-policy-3.13.1-154.fc23 has been pushed to the Fedora 23 stable
> repository. If problems still persist, please make note of it in this bug
> report.

Note that in comment #30 I have selinux-policy-3.13.1-158.fc23, which would include selinux-policy-3.13.1-154.fc23, and I am still seeing this problem.

Comment 32 Ricardo Ramos 2016-06-30 03:21:54 UTC
Description of problem:
I was trying to open an appimage file called MuseScore but it crashes.

Version-Release number of selected component:
selinux-policy-3.13.1-158.15.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.5.7-200.fc23.i686
type:           libreport

Comment 33 Fedora Admin XMLRPC Client 2016-09-27 14:54:37 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 34 Fedora End Of Life 2016-11-24 12:57:50 UTC
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 35 Fedora End Of Life 2016-12-20 15:13:44 UTC
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.