Bug 1640067

Summary: SELinux is preventing abrt-hook-ccpp from using the 'sys_resource' capabilities.

Product: Fedora
Version: 29
Component: selinux-policy
Hardware: x86_64
OS: Unspecified
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Reporter: Berend De Schouwer <berend>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, lvrabec, mgrepl, plautrba
Whiteboard: abrt_hash:2637231e1e9f05bcb6805e3d368e510191eebce009069bcbde28107753c77ffa;VARIANT_ID=workstation;
Last Closed: 2018-11-04 12:34:39 UTC

Description Berend De Schouwer 2018-10-17 09:55:59 UTC
Description of problem:
I'm attempting to get debug reports from abrt itself.

This triggers an SELinux warning.

abrt-analyze-c is currently crashing with a segfault repeatedly.  I'm attempting to get a report from this to report a bug in abrt itself.

It's doing this when Python segfaults (C segfault, not Python backtrace), which I can trigger reliably by running gnome-music (bz # 1635152)

Basically Python segfault:
Oct 17 11:50:21 sieve-deschouwer-co-za abrt-hook-ccpp[32427]: Process 32382 (python3.7) of user 1000 killed by SIGSEGV - dumping core
Oct 17 11:50:22 sieve-deschouwer-co-za abrt-hook-ccpp[32428]: Can't generate core backtrace: dwfl_getthread_frames failed: No DWARF information found
Oct 17 11:50:22 sieve-deschouwer-co-za abrt-hook-ccpp[32427]: Core backtrace generator exited with error 1

triggers abrt segfault:
Oct 17 11:47:01 sieve-deschouwer-co-za kernel: abrt-action-ana[32174]: segfault at 20 ip 000055b6c04db953 sp 00007ffd4ee50560 error 4 in abrt-action-analyze-c[55b6c04db000+1000]
Oct 17 11:47:01 sieve-deschouwer-co-za kernel: Code: e8 a2 f9 ff ff 4d 85 e4 74 38 4c 89 e7 e8 65 fa ff ff 48 89 c5 48 85 c0 0f 84 cb 00 00 00 48 89 ef e8 41 fb ff ff 48 8b 45 10 <48> 8b 50 20 48 85 d2 74 0f 48 8d 35 63 07 00 00 48 89 df e8 05 fb 
Oct 17 11:47:01 sieve-deschouwer-co-za abrt-hook-ccpp[32176]: Process 32174 (abrt-action-analyze-c) of user 0 killed by SIGSEGV - dumping core
Oct 17 11:47:01 sieve-deschouwer-co-za abrt-server[32143]: /bin/sh: line 56: 32174 Segmentation fault      (core dumped) abrt-action-analyze-c
Oct 17 11:47:01 sieve-deschouwer-co-za abrt-server[32143]: 'post-create' on '/var/spool/abrt/ccpp-2018-10-17-11:46:50-32076' exited with 139
Oct 17 11:47:01 sieve-deschouwer-co-za abrt-server[32143]: Deleting problem directory '/var/spool/abrt/ccpp-2018-10-17-11:46:50-32076'
Oct 17 11:47:01 sieve-deschouwer-co-za abrt-server[32143]: Lock file '.lock' was locked by process 32174, but it crashed?

SELinux is preventing abrt-hook-ccpp from using the 'sys_resource' capabilities.

*****  Plugin sys_resource (91.4 confidence) suggests   **********************

If you do not want processes to require capabilities to use up all the system resources on your system;
Then you need to diagnose why your system is running out of system resources and fix the problem.

According to /usr/include/linux/capability.h, sys_resource is required to:

/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
   resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
   you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */

Do
fix the cause of the SYS_RESOURCE on your system.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that abrt-hook-ccpp should have the sys_resource capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'abrt-hook-ccpp' --raw | audit2allow -M my-abrthookccpp
# semodule -X 300 -i my-abrthookccpp.pp

Additional Information:
Source Context                system_u:system_r:abrt_dump_oops_t:s0
Target Context                system_u:system_r:abrt_dump_oops_t:s0
Target Objects                Unknown [ capability ]
Source                        abrt-hook-ccpp
Source Path                   abrt-hook-ccpp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-37.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.10-300.fc29.x86_64 #1 SMP Wed
                              Sep 26 09:45:26 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-10-17 11:50:21 SAST
Last Seen                     2018-10-17 11:50:21 SAST
Local ID                      f023d241-c33d-463b-903c-f05029c4d888

Raw Audit Messages
type=AVC msg=audit(1539769821.531:6167): avc:  denied  { sys_resource } for  pid=32427 comm="abrt-hook-ccpp" capability=24  scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:abrt_dump_oops_t:s0 tclass=capability permissive=0


Hash: abrt-hook-ccpp,abrt_dump_oops_t,abrt_dump_oops_t,capability,sys_resource

Version-Release number of selected component:
selinux-policy-3.14.2-37.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.10-300.fc29.x86_64
type:           libreport

Comment 1 Berend De Schouwer 2018-10-17 09:59:15 UTC
Also needs setrlimit.

Comment 2 Lukas Vrabec 2018-11-04 12:34:39 UTC
This is related to debugging some process. Please create a local policy module with the fixes.
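Comment 2 closes the bug by asking for a local policy module, and the catchall plugin in the description gives the audit2allow one-liner that produces one. The script below is an added example, not code from the bug report, from setroubleshoot or from the selinux-policy project: it performs by hand the translation audit2allow does between `ausearch --raw` and `semodule -i`, so the rules that will be loaded at priority 300 can be read before anything is compiled. The sys_resource AVC record is the one quoted in this report; the setrlimit record is a constructed line modelled on Comment 1, and the function names, the `--install` switch and the setrlimit record are assumptions of this example (the module name `my-abrthookccpp` is the one the plugin suggests).

```shell
#!/usr/bin/env bash
# Added example; not code from the bug report, setroubleshoot or selinux-policy.
# It reproduces the step audit2allow performs between "ausearch --raw" and
# "semodule -i": turning raw AVC denials into a Type Enforcement (.te) module
# that can be read before it is compiled and loaded.
set -eu

# Constructed sample input. The first line is the sys_resource AVC quoted in
# this report; the second is a hypothetical setrlimit denial modelled on
# Comment 1 ("also needs setrlimit"), not a record captured from a system.
SAMPLE_AVCS='type=AVC msg=audit(1539769821.531:6167): avc:  denied  { sys_resource } for  pid=32427 comm="abrt-hook-ccpp" capability=24  scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:abrt_dump_oops_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1539769822.101:6168): avc:  denied  { setrlimit } for  pid=32427 comm="abrt-hook-ccpp" scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:abrt_dump_oops_t:s0 tclass=process permissive=0'

# avc_to_te MODULE_NAME: read AVC records on stdin, print a .te module.
# Types and classes are collected into the require block in first-seen order;
# a target whose type equals the source type is written as "self", and a
# permission set with more than one member is wrapped in braces, as in
# audit2allow output. Lines that are not denial records are ignored.
avc_to_te() {
    local name="$1"
    awk -v name="$name" '
    function wrap(s) { return (index(s, " ") ? "{ " s " }" : s) }
    /avc: +denied/ {
        perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        st = $0; sub(/.*scontext=[^:]*:[^:]*:/, "", st); sub(/:.*/, "", st)
        tt = $0; sub(/.*tcontext=[^:]*:[^:]*:/, "", tt); sub(/:.*/, "", tt)
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        if (!(st in seen_t)) { seen_t[st] = 1; tlist[++nt] = st }
        if (!(tt in seen_t)) { seen_t[tt] = 1; tlist[++nt] = tt }
        if (!(cls in seen_c)) { seen_c[cls] = 1; clist[++nc] = cls; cperms[cls] = "" }
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (index(" " cperms[cls] " ", " " p[i] " ") == 0)
                cperms[cls] = (cperms[cls] == "" ? p[i] : cperms[cls] " " p[i])
        tgt = (st == tt) ? "self" : tt
        rlist[++nr] = "allow " st " " tgt ":" cls " " wrap(perms) ";"
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", tlist[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s %s;\n", clist[i], wrap(cperms[clist[i]])
        printf "}\n\n"
        for (i = 1; i <= nr; i++) print rlist[i]
    }'
}

# build_and_load MODULE_NAME: the remaining steps of the setroubleshoot recipe,
# run by hand so the .te is printed before it is loaded. Needs root and the
# checkmodule / semodule_package / semodule tools; not run in the default path.
build_and_load() {
    local name="$1"
    ausearch -c 'abrt-hook-ccpp' --raw | avc_to_te "$name" > "$name.te"
    cat "$name.te"                                   # read the rules first
    checkmodule -M -m -o "$name.mod" "$name.te"
    semodule_package -o "$name.pp" -m "$name.mod"
    semodule -X 300 -i "$name.pp"                    # priority 300, as in the report
}

# Default path: show the module the sample denials would produce.
if [ "${1:-}" = "--install" ]; then
    build_and_load my-abrthookccpp
else
    printf '%s\n' "$SAMPLE_AVCS" | avc_to_te my-abrthookccpp
fi
```

For the records above the module body is two self rules, `allow abrt_dump_oops_t self:capability sys_resource;` and `allow abrt_dump_oops_t self:process setrlimit;`, which is about as narrow as a local fix gets: it grants the core-dump hook its own capability and rlimit change and touches no other domain. The `require` block is what makes the module refuse to load on a policy where those types or classes do not exist, and `-X 300` installs it above the distribution policy (priority 100) so it can be removed with `semodule -X 300 -r my-abrthookccpp` without touching the base. After loading, `sesearch -A -s abrt_dump_oops_t -c capability -p sys_resource` confirms the rule is in the active policy; the sys_resource plugin's hint about resource exhaustion is still worth checking separately, since a self rule silences the denial whether or not the hook actually needed the capability.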