Bug 1300334

Summary: SELinux is preventing abrt-hook-ccpp from 'getattr' accesses on the file file.
Product: [Fedora] Fedora Reporter: P. A. López-Valencia <palopezv>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: high    
Version: 24CC: decathorpe, dominick.grift, dwalsh, flast, jfrieben, jsmith.fedora, lvrabec, mgrepl, plautrba, pschindl, sgallagh, vondruch
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Other   
Whiteboard: abrt_hash:ada9ddb78617a6e6e2e35b6a1db665420e51e6e3d871d2aa78e904e045601d33;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-3.13.1-170.fc24 selinux-policy-3.13.1-179.fc24 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-23 16:57:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description P. A. López-Valencia 2016-01-20 13:41:46 UTC 
Description of problem:
SELinux is preventing abrt-hook-ccpp from 'getattr' accesses on the file file.

*****  Plugin catchall (100. confidence) suggests   **************************

If cree que de manera predeterminada, abrt-hook-ccpp debería permitir acceso getattr sobre  file file.     
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
permita el acceso momentáneamente executando:
# grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_dump_oops_t:s0
Target Context                system_u:object_r:nsfs_t:s0
Target Objects                file [ file ]
Source                        abrt-hook-ccpp
Source Path                   abrt-hook-ccpp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-167.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.5.0-0.rc0.git1.1.fc24.x86_64 #1
                              SMP Tue Jan 12 20:40:44 UTC 2016 x86_64 x86_64
Alert Count                   4
First Seen                    2016-01-20 07:36:44 COT
Last Seen                     2016-01-20 08:39:15 COT
Local ID                      c092c1fb-efc3-4318-a81e-1b452f10c70e

Raw Audit Messages
type=AVC msg=audit(1453297155.259:630): avc:  denied  { getattr } for  pid=3257 comm="abrt-hook-ccpp" path="ipc:[4026531839]" dev="nsfs" ino=4026531839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1


Hash: abrt-hook-ccpp,abrt_dump_oops_t,nsfs_t,file,getattr

Version-Release number of selected component:
selinux-policy-3.13.1-167.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc0.git1.1.fc24.x86_64
type:           libreport
Comment 1 P. A. López-Valencia 2016-01-20 13:47:07 UTC 
It also happens in targeted mode, but at least I can report it now.
Comment 2 Jared Smith 2016-01-20 13:51:25 UTC 
Description of problem:
Rebooted my machine, and saw the alert.

Version-Release number of selected component:
selinux-policy-3.13.1-167.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc0.git1.1.fc24.x86_64
type:           libreport
Comment 3 Miroslav Grepl 2016-01-21 08:21:43 UTC 
We added NSFS support which causes this issue.
Comment 4 Lukas Vrabec 2016-01-21 16:01:39 UTC 
Hi, 
Could you do following: 
1. #semanage permissive -a abrt_dump_oops_t
2. reproduce issue
3. ausearch -m AVC -ts recent 
4. attach AVC msgs
5. #semanage permissive -d abrt_dump_oops_t


Thank you.
Comment 5 P. A. López-Valencia 2016-01-21 19:23:24 UTC 
I saw your message after upgrading to selinux-policy-3.13.1-168.fc24...

The error has repeated itself once and it's as follows:

----
time->Thu Jan 21 13:08:28 2016
type=AVC msg=audit(1453399708.072:589): avc:  denied  { getattr } for  pid=2244 comm="abrt-hook-ccpp" path="ipc:[4026531839]" dev="nsfs" ino=4026531839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
----
Comment 6 P. A. López-Valencia 2016-01-23 18:04:23 UTC 
Description of problem:
Happened when installing the rpmfusion free repo rpm through firefox and packagekit.

Version-Release number of selected component:
selinux-policy-3.13.1-168.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc0.git8.1.fc24.x86_64
type:           libreport
Comment 7 Petr Schindler 2016-02-02 07:11:37 UTC 
Description of problem:
This happened right after I logged into the desktop with my user.

Version-Release number of selected component:
selinux-policy-3.13.1-168.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc1.git0.1.fc24.x86_64
type:           libreport
Comment 8 Lukas Vrabec 2016-02-08 13:30:21 UTC 
commit 1ccf8374b4f6fc85445abb8a048f23d24664d467
Author: Lukas Vrabec <lvrabec>
Date:   Mon Feb 8 14:29:34 2016 +0100

    Allow abrt_dump_oops_t to getattr filesystem nsfs files. rhbz#1300334
Comment 9 Jan Kurik 2016-02-24 15:48:23 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
Comment 10 Fedora Update System 2016-03-11 09:56:37 UTC 
selinux-policy-3.13.1-178.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-1350c96015
Comment 11 Fedora Update System 2016-03-11 19:26:16 UTC 
selinux-policy-3.13.1-178.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-1350c96015
Comment 12 Fedora Update System 2016-03-16 13:42:56 UTC 
selinux-policy-3.13.1-179.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8f142bb969
Comment 13 Fedora Update System 2016-03-18 14:59:06 UTC 
selinux-policy-3.13.1-179.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8f142bb969
Comment 14 Fedora Update System 2016-03-23 16:55:12 UTC 
selinux-policy-3.13.1-179.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.