Bug 1414088

Summary: SELinux is preventing /usr/bin/gdb from write access on the directory /usr/share/glib-2.0/gdb.
Product: Red Hat Enterprise Linux 6 Reporter: Lukas Slebodnik <lslebodn>
Component: glib2Assignee: Colin Walters <walters>
Status: CLOSED WONTFIX QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.9CC: abrt-devel-list, dwalsh, lvrabec, mgrepl, mhabrnal, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-06 11:53:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lukas Slebodnik 2017-01-17 17:30:27 UTC 
SELinux is preventing /usr/bin/gdb from write access on the directory /usr/share/glib-2.0/gdb.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow gdb to have write access on the gdb directory
Then you need to change the label on /usr/share/glib-2.0/gdb
Do
# semanage fcontext -a -t FILE_TYPE '/usr/share/glib-2.0/gdb'
where FILE_TYPE is one of the following: mnt_t, rpm_var_cache_t, abrt_var_cache_t, var_spool_t, sosreport_tmp_t, abrt_tmp_t, var_log_t, var_run_t, abrt_var_run_t, abrt_var_log_t, rpm_var_run_t, tmp_t, var_t, root_t, cluster_conf_t, cluster_var_lib_t, cluster_var_run_t.
Then execute:
restorecon -v '/usr/share/glib-2.0/gdb'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that gdb should be allowed write access on the gdb directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gdb /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                unconfined_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                /usr/share/glib-2.0/gdb [ dir ]
Source                        gdb  
Source Path                   /usr/bin/gdb
Port                          <Unknown>
Host                          tyan-gt24-11.rhts.eng.bos.redhat.com
Source RPM Packages           gdb-7.2-92.el6.x86_64
Target RPM Packages           glib2-devel-2.28.8-8.el6.x86_64
Policy RPM                    selinux-policy-3.7.19-307.el6.noarch
Selinux Enabled               True 
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tyan-gt24-11.rhts.eng.bos.redhat.com
Platform                      Linux tyan-gt24-11.rhts.eng.bos.redhat.com
                              2.6.32-682.el6.x86_64 #1 SMP Tue Jan 10 00:46:37
                              EST 2017 x86_64 x86_64
Alert Count                   2
First Seen                    Tue Jan 17 12:23:21 2017
Last Seen                     Tue Jan 17 12:23:41 2017
Local ID                      da9a585b-8d21-40d8-aeb9-52650122ed6e

Raw Audit Messages
type=AVC msg=audit(1484673821.920:856): avc:  denied  { write } for  pid=2326 comm="gdb" name="gdb" dev=dm-0 ino=5987 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir


type=SYSCALL msg=audit(1484673821.920:856): arch=x86_64 syscall=open success=no exit=EACCES a0=7ffd4afb73b0 a1=2c1 a2=81a4 a3=30c9ba5560 items=0 ppid=2325 pid=2326 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=127 comm=gdb exe=/usr/bin/gdb subj=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

Hash: gdb,abrt_t,usr_t,dir,write   

audit2allow

#============= abrt_t ==============
#!!!! The source type 'abrt_t' can write to a 'dir' of the following types:
# mnt_t, rpm_var_cache_t, abrt_var_cache_t, var_spool_t, sosreport_tmp_t, abrt_tmp_t, var_log_t, var_run_t, abrt_var_run_t, abrt_var_log_t, rpm_var_run_t, tmp_t, var_t, root_t, cluster_conf_t, cluster_var_lib_t, cluster_var_run_t

allow abrt_t usr_t:dir write;

audit2allow -R

#============= abrt_t ==============
#!!!! The source type 'abrt_t' can write to a 'dir' of the following types:
# mnt_t, rpm_var_cache_t, abrt_var_cache_t, var_spool_t, sosreport_tmp_t, abrt_tmp_t, var_log_t, var_run_t, abrt_var_run_t, abrt_var_log_t, rpm_var_run_t, tmp_t, var_t, root_t, cluster_conf_t, cluster_var_lib_t, cluster_var_run_t

allow abrt_t usr_t:dir write;
Comment 1 Lukas Slebodnik 2017-01-17 17:35:53 UTC 
My saw such AVCs in few of my beaker test runs. But I was able to reproduce it even later. My reproducer was quite simple.

I simulate a crash sending SEGV to two sssd processes (with ew seconds dealy). The 1st time it worked; abrt catured the chrash. But I was AVCs for the second SEGV signal.
Comment 4 Lukas Slebodnik 2017-01-17 17:40:07 UTC 
Moving to abrt team; maybe they will know the reason.
Comment 9 Matej Habrnal 2017-01-20 15:40:02 UTC 
There is a similar problem in bugzilla [1].

It looks like python wants to compile python scripts in /usr/share/glib-2.0/gdb because the files are missing in glib2-devel package and it's not able to do that because of selinux.

$ rpm -ql glib2-devel | grep .py
/usr/share/gdb/auto-load/lib64/libglib-2.0.so.0.2800.8-gdb.py
/usr/share/gdb/auto-load/lib64/libglib-2.0.so.0.2800.8-gdb.pyc
/usr/share/gdb/auto-load/lib64/libglib-2.0.so.0.2800.8-gdb.pyo
/usr/share/gdb/auto-load/lib64/libgobject-2.0.so.0.2800.8-gdb.py
/usr/share/gdb/auto-load/lib64/libgobject-2.0.so.0.2800.8-gdb.pyc
/usr/share/gdb/auto-load/lib64/libgobject-2.0.so.0.2800.8-gdb.pyo
/usr/share/glib-2.0/gdb/glib.py
/usr/share/glib-2.0/gdb/gobject.py

Adding *.pyc and *.pyo files into the package should resolve the issue.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1222288
Comment 12 Jan Kurik 2017-12-06 11:53:32 UTC 
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com/