Bug 1583080
| Field | Value |
|---|---|
| Summary | SELinux is preventing abrt-dbus from map access on the file /usr/sbin/abrt-dbus |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Lukas Slebodnik <lslebodn> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | high |
| Priority | high |
| Version | 7.6 |
| CC | lvrabec, mgrepl, mmalik, plautrba, ssekidde, xhe |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.13.1-205.el7 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2018-10-30 10:04:11 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |

Description
Lukas Slebodnik
2018-05-28 08:10:31 UTC
I can see AVC even in enforcing mode

Raw Audit Messages

```
type=AVC msg=audit(1528194747.410:697): avc: denied { map } for pid=32223 comm="abrt-dbus" path="/usr/sbin/abrt-dbus" dev="dm-0" ino=34957830 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1528194747.410:697): arch=x86_64 syscall=execve success=no exit=EACCES a0=55f231033000 a1=55f231032910 a2=55f231031060 a3=2 items=2 ppid=32222 pid=32223 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-dbus exe=/usr/sbin/abrt-dbus subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1528194747.410:697): cwd=/
type=PATH msg=audit(1528194747.410:697): item=0 name=/usr/sbin/abrt-dbus inode=34957830 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:abrt_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
```

Following SELinux denial appeared in enforcing mode:

```
----
type=PROCTITLE msg=audit(06/05/2018 15:48:29.197:244) : proctitle=(null)
type=PATH msg=audit(06/05/2018 15:48:29.197:244) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=418713 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(06/05/2018 15:48:29.197:244) : item=0 name=/usr/sbin/abrt-dbus inode=535060 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:abrt_exec_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(06/05/2018 15:48:29.197:244) : cwd=/
type=SYSCALL msg=audit(06/05/2018 15:48:29.197:244) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55e28be47960 a1=0x55e28be476e0 a2=0x55e28be46060 a3=0x2 items=2 ppid=15722 pid=15723 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=abrt-dbus exe=/usr/sbin/abrt-dbus subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/05/2018 15:48:29.197:244) : avc: denied { map } for pid=15723 comm=abrt-dbus path=/usr/sbin/abrt-dbus dev="dm-0" ino=535060 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_exec_t:s0 tclass=file permissive=0
----
```

I can still reproduce with latest selinux-policy

```
[root@host ~]# rpm -q selinux-policy
selinux-policy-3.13.1-204.el7.noarch
[root@host ~]# getenforce
Enforcing
[root@host ~]# ausearch -m avc
<no matches>
[root@host ~]# abrt-cli ls
Can't connect to system DBus: Error calling StartServiceByName for org.freedesktop.problems: GDBus.Error:org.freedesktop.DBus.Error.Spawn.ChildSignaled: Process org.freedesktop.problems received signal 9
[root@host ~]# ausearch -m avc -i
----
type=PROCTITLE msg=audit(06/16/2018 04:15:04.204:464) : proctitle=(null)
type=PATH msg=audit(06/16/2018 04:15:04.204:464) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=33572130 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(06/16/2018 04:15:04.204:464) : item=0 name=/usr/sbin/abrt-dbus inode=33570168 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:abrt_exec_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(06/16/2018 04:15:04.204:464) : cwd=/
type=SYSCALL msg=audit(06/16/2018 04:15:04.204:464) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x564c89355f10 a1=0x564c89355690 a2=0x564c89354060 a3=0x2 items=2 ppid=23028 pid=23029 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=abrt-dbus exe=/usr/sbin/abrt-dbus subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/16/2018 04:15:04.204:464) : avc: denied { map } for pid=23029 comm=abrt-dbus path=/usr/sbin/abrt-dbus dev="dm-0" ino=33570168 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_exec_t:s0 tclass=file permissive=0
```

*** Bug 1584636 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111
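
A triage sketch for the denials quoted in this report, added here as an example and not part of the bug report or of any Red Hat tooling: it groups audit records by event serial and reports each enforcing AVC denial together with the syscall it caused to fail. The function names are assumptions of this example, and the sample records are abridged from the ones quoted above.

```python
import re
from collections import defaultdict

# Constructed input: records abridged from the audit messages quoted in this
# report, one event in raw form (serial 697) and one in `ausearch -i` form (464).
SAMPLE = """\
type=AVC msg=audit(1528194747.410:697): avc: denied { map } for pid=32223 comm="abrt-dbus" path="/usr/sbin/abrt-dbus" dev="dm-0" ino=34957830 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1528194747.410:697): arch=x86_64 syscall=execve success=no exit=EACCES items=2 ppid=32222 pid=32223 comm=abrt-dbus exe=/usr/sbin/abrt-dbus
type=SYSCALL msg=audit(06/16/2018 04:15:04.204:464) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) items=2 ppid=23028 pid=23029 comm=abrt-dbus exe=/usr/sbin/abrt-dbus
type=AVC msg=audit(06/16/2018 04:15:04.204:464) : avc: denied { map } for pid=23029 comm=abrt-dbus path=/usr/sbin/abrt-dbus dev="dm-0" ino=33570168 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_exec_t:s0 tclass=file permissive=0
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(([^)]*):(\d+)\)\s*:\s*(.*)")
AVC = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(text):
    """Split key=value pairs, dropping the quotes the raw format puts on strings."""
    return {k: v.strip('"') for k, v in FIELD.findall(text)}

def parse_events(log):
    """Group AVC and SYSCALL records by audit event serial, in either format."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in log.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        avc = AVC.search(body) if rtype == "AVC" else None
        if avc:
            events[serial]["avc"].append(
                {**fields(avc.group(3)), "result": avc.group(1), "perms": avc.group(2).split()})
        elif rtype == "SYSCALL":
            events[serial]["syscall"] = fields(body)
    return dict(events)

def blocking_denials(log):
    """Return enforcing-mode denials joined with the syscall of the same event."""
    out = []
    for serial, ev in parse_events(log).items():
        sc = ev["syscall"] or {}
        for avc in ev["avc"]:
            if avc["result"] != "denied" or avc.get("permissive") != "0":
                continue  # granted, or only logged because the domain is permissive
            out.append({"serial": serial, "perms": avc["perms"], "tclass": avc["tclass"],
                        "source_type": avc["scontext"].split(":")[2],
                        "target_type": avc["tcontext"].split(":")[2],
                        "syscall": sc.get("syscall"), "syscall_failed": sc.get("success") == "no",
                        "exit": sc.get("exit", "").split("(")[0]})
    return out
```

On the sample, both events resolve to `system_dbusd_t` being denied `map` on an `abrt_exec_t` file during a failed `execve`, which matches the `abrt-cli ls` failure shown in the report.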