Bug 1583080

Summary: SELinux is preventing abrt-dbus from map access on the file /usr/sbin/abrt-dbus
Product: Red Hat Enterprise Linux 7 Reporter: Lukas Slebodnik <lslebodn>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: high    
Version: 7.6CC: lvrabec, mgrepl, mmalik, plautrba, ssekidde, xhe
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-205.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 10:04:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lukas Slebodnik 2018-05-28 08:10:31 UTC 
SELinux is preventing abrt-dbus from map access on the file /usr/sbin/abrt-dbus.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that abrt-dbus should be allowed map access on the abrt-dbus file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'abrt-dbus' --raw | audit2allow -M my-abrtdbus
# semodule -i my-abrtdbus.pp


Additional Information:
Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:abrt_exec_t:s0
Target Objects                /usr/sbin/abrt-dbus [ file ]
Source                        abrt-dbus
Source Path                   abrt-dbus
Port                          <Unknown>
Host                          bkr-hv01-guest24.dsal.lab.eng.bos.redhat.com
Source RPM Packages           
Target RPM Packages           abrt-dbus-2.1.11-50.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-197.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     bkr-hv01-guest24.dsal.lab.eng.bos.redhat.com
Platform                      Linux bkr-hv01-guest24.dsal.lab.eng.bos.redhat.com
                              3.10.0-893.el7.x86_64 #1 SMP Thu May 24 21:37:14
                              UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-05-26 09:15:02 EDT
Last Seen                     2018-05-26 09:15:02 EDT
Local ID                      10ce992a-1491-4ffd-8bbd-58da5e11e9ae

Raw Audit Messages
type=AVC msg=audit(1527340502.66:153): avc:  denied  { map } for  pid=16493 comm="abrt-dbus" path="/usr/sbin/abrt-dbus" dev="dm-0" ino=34237735 scontext=system_u:system_r:system_dbusd_t:s
0-s0:c0.c1023 tcontext=system_u:object_r:abrt_exec_t:s0 tclass=file permissive=1


Hash: abrt-dbus,system_dbusd_t,abrt_exec_t,file,map
Comment 2 Lukas Slebodnik 2018-06-05 10:55:25 UTC 
I can see AVC even in enforcing mode
Raw Audit Messages
type=AVC msg=audit(1528194747.410:697): avc:  denied  { map } for  pid=32223 comm="abrt-dbus" path="/usr/sbin/abrt-dbus" dev="dm-0" ino=34957830 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_exec_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1528194747.410:697): arch=x86_64 syscall=execve success=no exit=EACCES a0=55f231033000 a1=55f231032910 a2=55f231031060 a3=2 items=2 ppid=32222 pid=32223 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-dbus exe=/usr/sbin/abrt-dbus subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)

type=CWD msg=audit(1528194747.410:697): cwd=/

type=PATH msg=audit(1528194747.410:697): item=0 name=/usr/sbin/abrt-dbus inode=34957830 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:abrt_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
Comment 3 Milos Malik 2018-06-05 19:50:31 UTC 
Following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(06/05/2018 15:48:29.197:244) : proctitle=(null) 
type=PATH msg=audit(06/05/2018 15:48:29.197:244) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=418713 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(06/05/2018 15:48:29.197:244) : item=0 name=/usr/sbin/abrt-dbus inode=535060 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:abrt_exec_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(06/05/2018 15:48:29.197:244) :  cwd=/ 
type=SYSCALL msg=audit(06/05/2018 15:48:29.197:244) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55e28be47960 a1=0x55e28be476e0 a2=0x55e28be46060 a3=0x2 items=2 ppid=15722 pid=15723 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=abrt-dbus exe=/usr/sbin/abrt-dbus subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/05/2018 15:48:29.197:244) : avc:  denied  { map } for  pid=15723 comm=abrt-dbus path=/usr/sbin/abrt-dbus dev="dm-0" ino=535060 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_exec_t:s0 tclass=file permissive=0 
----
Comment 5 Lukas Slebodnik 2018-06-16 08:16:26 UTC 
I can still reproduce with latest selinux-policy

[root@host ~]# rpm -q selinux-policy
selinux-policy-3.13.1-204.el7.noarch

[root@host ~]# getenforce 
Enforcing

[root@host ~]# ausearch -m avc
<no matches>

[root@host ~]# abrt-cli ls
Can't connect to system DBus: Error calling StartServiceByName for org.freedesktop.problems: GDBus.Error:org.freedesktop.DBus.Error.Spawn.ChildSignaled: Process org.freedesktop.problems received signal 9

[root@host ~]# ausearch -m avc -i
----
type=PROCTITLE msg=audit(06/16/2018 04:15:04.204:464) : proctitle=(null) 
type=PATH msg=audit(06/16/2018 04:15:04.204:464) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=33572130 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(06/16/2018 04:15:04.204:464) : item=0 name=/usr/sbin/abrt-dbus inode=33570168 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:abrt_exec_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(06/16/2018 04:15:04.204:464) :  cwd=/ 
type=SYSCALL msg=audit(06/16/2018 04:15:04.204:464) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x564c89355f10 a1=0x564c89355690 a2=0x564c89354060 a3=0x2 items=2 ppid=23028 pid=23029 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=abrt-dbus exe=/usr/sbin/abrt-dbus subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/16/2018 04:15:04.204:464) : avc:  denied  { map } for  pid=23029 comm=abrt-dbus path=/usr/sbin/abrt-dbus dev="dm-0" ino=33570168 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_exec_t:s0 tclass=file permissive=0
Comment 7 Martin Kutlak 2018-07-03 12:04:34 UTC 
*** Bug 1584636 has been marked as a duplicate of this bug. ***
Comment 10 errata-xmlrpc 2018-10-30 10:04:11 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111