Bug 1734403

Summary: avc: denied { read } for comm="abrt-action-ins"
Product: Red Hat Enterprise Linux 8 Reporter: Steeve Goveas <sgoveas>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.1CC: lvrabec, mcermak, mmalik, plautrba, psklenar, ssekidde, szidek, zpytela
Target Milestone: rcKeywords: Reopened
Target Release: 8.1   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-05 22:12:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Steeve Goveas 2019-07-30 12:50:52 UTC 
http://ci-vm-10-0-148-68.hosted.upshift.rdu2.redhat.com/sssd-nightly-tier2/master/1/ldap_krb5/restraint.01/

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
selinux-policy-3.14.3-12.el8.noarch
----
time->Tue Jul 30 06:20:25 2019
type=PROCTITLE msg=audit(1564482025.406:1780): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D75002F7573722F62696E2F616272742D616374696F6E2D696E7374616C6C2D6465627567696E666F002D79002D76
type=SYSCALL msg=audit(1564482025.406:1780): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55cddcde3120 a2=0 a3=0 items=0 ppid=26222 pid=26246 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-action-ins" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1564482025.406:1780): avc:  denied  { read } for  pid=26246 comm="abrt-action-ins" name="satellite-5-client.module" dev="vda1" ino=8409219 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=0
----
time->Tue Jul 30 06:20:25 2019
type=PROCTITLE msg=audit(1564482025.406:1781): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D75002F7573722F62696E2F616272742D616374696F6E2D696E7374616C6C2D6465627567696E666F002D79002D76
type=SYSCALL msg=audit(1564482025.406:1781): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55cddcde9750 a2=0 a3=0 items=0 ppid=26222 pid=26246 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-action-ins" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1564482025.406:1781): avc:  denied  { read } for  pid=26246 comm="abrt-action-ins" name="virt.module" dev="vda1" ino=8409220 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=0
----
time->Tue Jul 30 06:20:32 2019
type=PROCTITLE msg=audit(1564482032.607:1783): proctitle=2F7573722F6C6962657865632F737373642F737373645F6265002D2D646F6D61696E004144002D2D7569640030002D2D6769640030002D2D6C6F676765723D66696C6573
type=SYSCALL msg=audit(1564482032.607:1783): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5619e9480e00 a2=0 a3=0 items=0 ppid=26276 pid=26284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1564482032.607:1783): avc:  denied  { search } for  pid=26284 comm="sssd_be" name="krb5" dev="vda1" ino=9186485 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
----
time->Tue Jul 30 06:21:03 2019
type=PROCTITLE msg=audit(1564482063.872:1822): proctitle=2F7573722F6C6962657865632F737373642F737373645F6265002D2D646F6D61696E004144002D2D7569640030002D2D6769640030002D2D6C6F676765723D66696C6573
type=SYSCALL msg=audit(1564482063.872:1822): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55857b5d4570 a2=0 a3=0 items=0 ppid=26612 pid=26614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1564482063.872:1822): avc:  denied  { search } for  pid=26614 comm="sssd_be" name="krb5" dev="vda1" ino=9186485 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
Comment 1 Lukas Vrabec 2019-07-30 13:03:24 UTC 

*** This bug has been marked as a duplicate of bug 1734399 ***
Comment 2 Milos Malik 2019-08-08 10:21:02 UTC 
Please ignore the last 2 SELinux denials in comment#0. This bug is about SELinux interfering with abrt-action-ins...

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
selinux-policy-3.14.3-13.el8.noarch
----
time->Tue Aug  6 20:30:13 2019
type=PROCTITLE msg=audit(1565137813.164:811): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D75002F7573722F62696E2F616272742D616374696F6E2D696E7374616C6C2D6465627567696E666F002D79
type=PATH msg=audit(1565137813.164:811): item=0 name="/etc/dnf/modules.d/satellite-5-client.module" inode=135 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1565137813.164:811): cwd="/var/spool/abrt/ccpp-2019-08-06-20:30:10.357071-18035"
type=SYSCALL msg=audit(1565137813.164:811): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=aaaae6eac790 a2=0 a3=0 items=1 ppid=19181 pid=19202 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-action-ins" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1565137813.164:811): avc:  denied  { read } for  pid=19202 comm="abrt-action-ins" name="satellite-5-client.module" dev="dm-0" ino=135 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=0
----
Comment 3 Lukas Vrabec 2019-08-09 10:28:34 UTC 
*** Bug 1739355 has been marked as a duplicate of this bug. ***
Comment 4 Milos Malik 2019-08-09 12:16:50 UTC 
Increasing priority/severity, because several QE people found this AVC in their test runs.
Comment 5 Lukas Vrabec 2019-08-09 13:43:59 UTC 
commit 99af5f04a4694d1b16929d45cbd6900ff5f42464 (HEAD -> rhel8.1-contrib)
Author: Lukas Vrabec <lvrabec>
Date:   Fri Aug 9 15:43:00 2019 +0200

    Dontaudit abrt_t domain to read root_t files
    Resolves: rhbz#1734403
Comment 6 Lukas Vrabec 2019-08-12 08:40:55 UTC 
*** Bug 1740060 has been marked as a duplicate of this bug. ***
Comment 22 errata-xmlrpc 2019-11-05 22:12:08 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3547