Bug 1278188

Summary: SELinux is preventing gdb from 'add_name' accesses on the directory __pycache__.
Product: [Fedora] Fedora Reporter: Christian Stadelmann <fedora>
Component: abrtAssignee: abrt <abrt-devel-list>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 23CC: abrt-devel-list, dominick.grift, dvlasenk, dwalsh, fedora, iprikryl, jfilak, lvrabec, mgrepl, mhabrnal, michal.toman, mmilata, plautrba
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:acd4ba3e9719f9ddc8d488798cba0f0d2ac6820ebe71993d332e4858eeb1d76f;VARIANT_ID=workstation;
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-13 07:55:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Christian Stadelmann 2015-11-04 21:35:04 UTC
Description of problem:
SELinux is preventing gdb from 'add_name' accesses on the directory __pycache__.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow gdb to have add_name access on the __pycache__ directory
Then sie müssen das Label auf __pycache__ ändern
Do
# semanage fcontext -a -t FILE_TYPE '__pycache__'
wobei FILE_TYPE einer der folgenen Werte ist: abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, mock_var_lib_t, rpm_var_cache_t, rpm_var_run_t, tmp_t, var_log_t, var_run_t, var_spool_t, var_t. 
Führen Sie danach Folgendes aus: 
restorecon -v '__pycache__'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If sie denken, dass es gdb standardmässig erlaubt sein sollte, add_name Zugriff auf __pycache__ directory zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# grep gdb /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                __pycache__ [ dir ]
Source                        gdb
Source Path                   gdb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-153.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.5-300.fc23.x86_64 #1 SMP Tue
                              Oct 27 04:29:56 UTC 2015 x86_64 x86_64
Alert Count                   5
First Seen                    2015-11-04 22:33:36 CET
Last Seen                     2015-11-04 22:33:36 CET
Local ID                      07395993-ef22-4146-9c87-3fd8e8bda95d

Raw Audit Messages
type=AVC msg=audit(1446672816.374:917): avc:  denied  { add_name } for  pid=31647 comm="gdb" name="__pycache__" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0


Hash: gdb,abrt_t,usr_t,dir,add_name

Version-Release number of selected component:
selinux-policy-3.13.1-153.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport

Comment 1 Jakub Filak 2015-11-10 08:05:35 UTC
Thank you for the report! Such AVC usually occurs when gdb auto-loads a gdb python module that does not have byte-complied python files. The most recent AVCs are linked to the move from Python2 to Python3 and are always packaging bugs in the package that owns the loaded python module. In order to fix this bug we have to find where is the "__pycache__" directory located.

Is this bug a duplicate of bug #1204355?

The AVC should disappear once all the loaded python files get cached.

1. Make sure you can reproduce the AVC
2. Go to ABRT problem directory in the /var/spool/abrt/ directory
3. Run "# gdb -c coredump"
4. Try to reproduce the AVC

Comment 2 Miroslav Grepl 2015-11-13 07:55:35 UTC
(In reply to Jakub Filak from comment #1)
> Thank you for the report! Such AVC usually occurs when gdb auto-loads a gdb
> python module that does not have byte-complied python files. The most recent
> AVCs are linked to the move from Python2 to Python3 and are always packaging
> bugs in the package that owns the loaded python module. In order to fix this
> bug we have to find where is the "__pycache__" directory located.

Yes, it is a correct. 

Thank you.

> 
> Is this bug a duplicate of bug #1204355?
> 
> The AVC should disappear once all the loaded python files get cached.
> 
> 1. Make sure you can reproduce the AVC
> 2. Go to ABRT problem directory in the /var/spool/abrt/ directory
> 3. Run "# gdb -c coredump"
> 4. Try to reproduce the AVC

*** This bug has been marked as a duplicate of bug 1204355 ***

Comment 3 Christian Stadelmann 2015-11-14 21:15:21 UTC
Yes, looks like a duplicate of bug #1204355.