Bug 1593728
| Summary: | SELinux prevents abrt-hook-ccpp from mmap()-ing /usr/bin/strace file | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Edjunior Barbosa Machado <emachado> | ||||
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 7.6 | CC: | lvrabec, mgrepl, mmalik, plautrba, ssekidde | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | selinux-policy-3.13.1-205.el7 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2018-10-30 10:05:46 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3111 |
Created attachment 1453445 [details] AVC logs from RHEL-7.6-20180614.n.0 x86_64 tests Description of problem: Info: Searching AVC errors produced since 1529409759.46 (Tue Jun 19 08:02:39 2018) Searching logs... Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 06/19/2018 08:02:39 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.8D_gOL 2>&1' ---- time->Tue Jun 19 08:02:40 2018 type=PROCTITLE msg=audit(1529409760.410:788): proctitle=2F7573722F6C6962657865632F616272742D686F6F6B2D6363707000360030003138303237003000300031353239343039373630006500313830323700313830323700616D642D70656E63652D30322E6C61622E626F732E7265646861742E636F6D type=SYSCALL msg=audit(1529409760.410:788): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=9dc20 a2=1 a3=2 items=0 ppid=9597 pid=18071 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-hook-ccpp" exe="/usr/libexec/abrt-hook-ccpp" subj=system_u:system_r:abrt_dump_oops_t:s0 key=(null) type=AVC msg=audit(1529409760.410:788): avc: denied { map } for pid=18071 comm="abrt-hook-ccpp" path="/usr/bin/strace" dev="dm-0" ino=68716391 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0 ---- time->Tue Jun 19 08:02:40 2018 type=PROCTITLE msg=audit(1529409760.411:789): proctitle=2F7573722F6C6962657865632F616272742D686F6F6B2D6363707000360030003138303237003000300031353239343039373630006500313830323700313830323700616D642D70656E63652D30322E6C61622E626F732E7265646861742E636F6D type=SYSCALL msg=audit(1529409760.411:789): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=9dc20 a2=3 a3=2 items=0 ppid=9597 pid=18071 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-hook-ccpp" exe="/usr/libexec/abrt-hook-ccpp" subj=system_u:system_r:abrt_dump_oops_t:s0 key=(null) type=AVC msg=audit(1529409760.411:789): avc: denied { map } for pid=18071 comm="abrt-hook-ccpp" path="/usr/bin/strace" dev="dm-0" ino=68716391 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0 ---- time->Tue Jun 19 08:02:41 2018 type=PROCTITLE msg=audit(1529409761.234:793): proctitle=2F7573722F6C6962657865632F616272742D686F6F6B2D6363707000360030003138303734003000300031353239343039373631006500313830373400313830373400616D642D70656E63652D30322E6C61622E626F732E7265646861742E636F6D type=SYSCALL msg=audit(1529409761.234:793): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=9dc20 a2=1 a3=2 items=0 ppid=9597 pid=18113 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-hook-ccpp" exe="/usr/libexec/abrt-hook-ccpp" subj=system_u:system_r:abrt_dump_oops_t:s0 key=(null) type=AVC msg=audit(1529409761.234:793): avc: denied { map } for pid=18113 comm="abrt-hook-ccpp" path="/usr/bin/strace" dev="dm-0" ino=68716391 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0 ---- (...) SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 31 Running 'rpm -q selinux-policy || true' selinux-policy-3.13.1-203.el7.noarch Version-Release number of selected component (if applicable): selinux-policy-3.13.1-203.el7.noarch How reproducible: Often seen in all tested archs (x86_64, s390x, ppc64 and ppc64le) Steps to Reproduce: 1. reproducible in Toolchain Tiers 2. 3. Actual results: complete log from x86_64 attached Expected results: no AVCs Additional info: RHEL-7.6-20180614.n.0