Bug 1419980

Summary: SELinux is preventing abrt-dump-journ from 'execute' accesses on the file /usr/bin/lz4.
Product: [Fedora] Fedora Reporter: Michael Catanzaro <mcatanzaro+wrong-account-do-not-cc>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 26CC: awilliam, dominick.grift, dwalsh, fzatlouk, gmarr, lvrabec, mgrepl, plautrba, pmoore, ssekidde, stickster
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:e9c843bfab72ba9984288171eeea9ba3a6f2ac2446440556633dcab070d282b1;VARIANT_ID=workstation; AcceptedFreezeException
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-24 17:04:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1349185, 1405995    

Description Michael Catanzaro 2017-02-07 14:45:51 UTC 
Description of problem:
This is a follow-up report to https://bugzilla.redhat.com/show_bug.cgi?id=1341829

After https://bugzilla.redhat.com/show_bug.cgi?id=1341829 has been fixed, system-coredump now works. However,
we need to also ensure that ABRT's coredumpctl integration functions properly. It, too, is broken by SELinux. Test:

# systemctl stop abrt-ccpp.service
# systemctl start abrt-journal-core.service
(Start some app to be killed, say gedit)
# killall gedit

Expected behavior: ABRT fetches the crash report from systemd and presents a crash notification

Actual behavior: This SELinux alert appears
SELinux is preventing abrt-dump-journ from 'execute' accesses on the file /usr/bin/lz4.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that abrt-dump-journ should be allowed execute access on the lz4 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'abrt-dump-journ' --raw | audit2allow -M my-abrtdumpjourn
# semodule -X 300 -i my-abrtdumpjourn.pp

Additional Information:
Source Context                system_u:system_r:abrt_dump_oops_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/bin/lz4 [ file ]
Source                        abrt-dump-journ
Source Path                   abrt-dump-journ
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           lz4-1.7.5-1.fc25.x86_64
Policy RPM                    selinux-policy-3.13.1-225.6.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.9.6-200.fc25.x86_64 #1 SMP Thu
                              Jan 26 10:17:45 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-02-07 08:42:14 CST
Last Seen                     2017-02-07 08:42:14 CST
Local ID                      40fa121b-a2ac-4c47-995a-efb6c1a2f021

Raw Audit Messages
type=AVC msg=audit(1486478534.659:258): avc:  denied  { execute } for  pid=3138 comm="abrt-dump-journ" name="lz4" dev="dm-1" ino=2369212 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0


Hash: abrt-dump-journ,abrt_dump_oops_t,bin_t,file,execute

Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.6-200.fc25.x86_64
type:           libreport

Potential duplicate: bug 1414911
Comment 1 Michael Catanzaro 2017-02-07 14:50:15 UTC 
(In reply to Michael Catanzaro from comment #0)
> # systemctl stop abrt-ccpp.service
> # systemctl start abrt-journal-core.service
> (Start some app to be killed, say gedit)
> # killall gedit

Whooops, I meant to type 'killall -SEGV gedit'
Comment 2 FrantiĊĦek Zatloukal 2017-02-08 15:19:47 UTC 
Description of problem:
Warning raised when I killed gnome-calculator with -SEGV

Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.7-201.fc25.x86_64
type:           libreport
Comment 3 Michael Catanzaro 2017-02-22 19:56:09 UTC 
Hi Lukas, will an update be available for this soon?
Comment 4 Michael Catanzaro 2017-02-28 14:13:40 UTC 
(In reply to Michael Catanzaro from comment #3)
> Hi Lukas, will an update be available for this soon?

Hi Lukas, the change deadline for bug #1405995 was today and it is still blocked on this issue. The FESCo change review meeting is on Friday; it would be great to have an update released prior to then.

Note that we identified a solution to this issue via private email on February 8:

# cat abrt_exec_bin.cil
(allow abrt_dump_oops_t bin_t (file (execute)))
(allow abrt_dump_oops_t bin_t (file (execute_no_trans)))
# semodule -i abrt_exec_bin.cil
Comment 5 Fedora Blocker Bugs Application 2017-03-03 21:57:51 UTC 
Proposed as a Freeze Exception for 26-alpha by Fedora user pfrields using the blocker tracking app because:

 This is a simple change to enable an accepted F26 Change. See also https://bugzilla.redhat.com/show_bug.cgi?id=1405995 which this bug blocks. Having this Change is important to the Workstation WG and we'd really like not to slip this for yet another release. I've reached out to the selinux-policy maintainers to ask for quick action here.
Comment 6 Lukas Vrabec 2017-03-03 22:01:35 UTC 
[root@fraw ~]# sesearch -A -s abrt_dump_oops_t -t bin_t -c file -p execute
Found 2 semantic av rules:
   allow abrt_dump_oops_t base_ro_file_type : file { ioctl read getattr lock execute execute_no_trans open } ; 
   allow abrt_dump_oops_t bin_t : file { ioctl read getattr lock execute execute_no_trans open } ; 

[root@fraw ~]# rpm -q selinux-policy 
selinux-policy-3.13.1-241.fc26.noarch


#============= abrt_dump_oops_t ==============

#!!!! This avc is allowed in the current policy
allow abrt_dump_oops_t bin_t:file execute;


This issue is already fixed in F26:
https://koji.fedoraproject.org/koji/buildinfo?buildID=860624
Comment 7 Geoffrey Marr 2017-03-06 18:34:48 UTC 
Discussed during the 2017-03-06 blocker review meeting: [1]

The decision was made to accept this bug as an Alpha Freeze Exception as this prevents a significant accepted Change from working in the Workstation live environment.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-03-06/f26-blocker-review.2017-03-06-17.02.txt
Comment 8 Adam Williamson 2017-03-24 17:04:39 UTC 
Current stable selinux-policy is much ahead of the one claimed to fix this, so closing.