Bug 1699532

Summary: SELinux is preventing abrt-install-cc from write access on the file core_pipe_limit
Product: [Fedora] Fedora Reporter: Lukas Slebodnik <lslebodn>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 30CC: dwalsh, lvrabec, mgrepl, plautrba, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-29.fc30 selinux-policy-3.14.3-31.fc30 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-04-27 21:26:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lukas Slebodnik 2019-04-13 14:23:22 UTC 
SELinux is preventing abrt-install-cc from write access on the file core_pipe_limit.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that abrt-install-cc should be allowed write access on the core_pipe_limit file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'abrt-install-cc' --raw | audit2allow -M my-abrtinstallcc
# semodule -X 300 -i my-abrtinstallcc.pp


Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sysctl_kernel_t:s0
Target Objects                core_pipe_limit [ file ]
Source                        abrt-install-cc
Source Path                   abrt-install-cc
Port                          <Unknown>
Host                          kvm-04-guest24.example.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-28.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     kvm-04-guest24.example.com
Platform                      Linux kvm-04-guest24.example.com
                              5.0.7-300.fc30.x86_64 #1 SMP Mon Apr 8 18:28:09
                              UTC 2019 x86_64 x86_64
Alert Count                   2
First Seen                    2019-04-13 10:19:17 EDT
Last Seen                     2019-04-13 10:19:17 EDT
Local ID                      9b72f3e9-c848-4117-ab3f-49343b9de85f

Raw Audit Messages
type=AVC msg=audit(1555165157.501:40890): avc:  denied  { write } for  pid=11322 comm="abrt-install-cc" name="core_pipe_limit" dev="proc" ino=111183 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0


Hash: abrt-install-cc,abrt_t,sysctl_kernel_t,file,write



How to reproduce:
systemct start abrtd abrt-ccpp
Comment 1 Lukas Slebodnik 2019-04-13 14:25:10 UTC 
There is not any other AVC in permissive mode

sh# ausearch -m avc -ts recent -i
----
type=AVC msg=audit(04/13/2019 10:19:17.501:40889) : avc:  denied  { write } for  pid=11322 comm=abrt-install-cc name=core_pipe_limit dev="proc" ino=111183 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(04/13/2019 10:19:17.501:40890) : avc:  denied  { write } for  pid=11322 comm=abrt-install-cc name=core_pipe_limit dev="proc" ino=111183 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(04/13/2019 10:22:35.412:40901) : avc:  denied  { write } for  pid=11372 comm=abrt-install-cc name=core_pipe_limit dev="proc" ino=111183 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1
Comment 2 Fedora Update System 2019-04-19 21:58:31 UTC 
selinux-policy-3.14.3-31.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-3055c546d6
Comment 3 Fedora Update System 2019-04-20 14:42:11 UTC 
selinux-policy-3.14.3-31.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-3055c546d6
Comment 4 Fedora Update System 2019-04-27 21:26:59 UTC 
selinux-policy-3.14.3-31.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.