Bug 1778030

Summary: SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket port None.
Product: [Fedora] Fedora Reporter: Mikhail <mikhail.v.gavrilov>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: achinovnikov, afinkelsrc, andrew.kavalov, artur.tanistra, bellecodeur, bineethcr, bugzilla, chrisf826, colotunbabay2010, dagofthedofg, danie.dejager, daniel-fedoauth, dani, dimhen, dwalsh, ep, foxlightnight, fpasqualetti, fukidid, genes1122, gruszczynskit, hockmanj, jan.public, jiabanster, joe, jskarvad, kajihiro190206, kashifhk123, lambda.xy.x, lray+redhatbugzilla, lslebodn, lvrabec, mailinglists35, marco.roda.88, martinthain99, masouddehghani, mgrepl, michael.scheiffler, milan.kerslager, misha-shisha, mwolf, peterg, plautrba, preston.kibbey, prl-bugzilla.redhat.com, pwhalen, r3pek, rlengland, sbroz, stephenfin, subscribed-lists, ttomasz, twaugh, vondruch, vpanasenko, woiling, work.eric, zpyr1, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:2be2a090828eab1fe8ad251e0f56d2b096d068243b2c47b4c8d9ae7aaeb44e91;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-3.14.3-56.fc30 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-01-27 09:57:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mikhail 2019-11-29 04:20:13 UTC 
Description of problem:
SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket port None.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that abrt-dump-journ should be allowed create access on the port None udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'abrt-dump-journ' --raw | audit2allow -M my-abrtdumpjourn
# semodule -X 300 -i my-abrtdumpjourn.pp

Additional Information:
Source Context                system_u:system_r:abrt_dump_oops_t:s0
Target Context                system_u:system_r:abrt_dump_oops_t:s0
Target Objects                port None [ udp_socket ]
Source                        abrt-dump-journ
Source Path                   abrt-dump-journ
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.5-17.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.4.0-2.fc32.x86_64 #1 SMP Mon Nov
                              25 22:45:19 UTC 2019 x86_64 x86_64
Alert Count                   2
First Seen                    2019-11-29 09:18:11 +05
Last Seen                     2019-11-29 09:18:11 +05
Local ID                      19f58f09-177d-4ebc-8786-fe5525495307

Raw Audit Messages
type=AVC msg=audit(1575001091.430:100): avc:  denied  { create } for  pid=1006 comm="abrt-dump-journ" scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:abrt_dump_oops_t:s0 tclass=udp_socket permissive=1


Hash: abrt-dump-journ,abrt_dump_oops_t,abrt_dump_oops_t,udp_socket,create

Version-Release number of selected component:
selinux-policy-3.14.5-17.fc32.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.11.3
hashmarkername: setroubleshoot
kernel:         5.4.0-2.fc32.x86_64
type:           libreport
Comment 1 Paul Whalen 2019-12-02 21:57:03 UTC 
Similar problem has been detected:

Right after logging in using the Xfce disk image on arm. 

hashmarkername: setroubleshoot
kernel:         5.4.0-2.fc32.armv7hl
package:        selinux-policy-3.14.5-18.fc32.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket port None.
type:           libreport
Comment 2 Lukas Vrabec 2019-12-03 11:40:54 UTC 
commit b63def9be3155c987d02cda670b8e3bb79acc20b (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Dec 3 12:40:42 2019 +0100

    Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030)
Comment 3 Vasiliy Panasenko 2019-12-12 19:10:44 UTC 
*** Bug 1783002 has been marked as a duplicate of this bug. ***
Comment 4 Lukas Vrabec 2020-01-11 21:15:05 UTC 
*** Bug 1790081 has been marked as a duplicate of this bug. ***
Comment 5 Lukas Vrabec 2020-01-13 11:53:17 UTC 
*** Bug 1790245 has been marked as a duplicate of this bug. ***
Comment 6 dani 2020-01-13 14:43:46 UTC 
Similar problem has been detected:

Due to a different bug, started audit with
auditctl -w /etc/shadow -p w
reboot

hashmarkername: setroubleshoot
kernel:         5.3.16-300.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket port None.
type:           libreport
Comment 7 Alex Finkel 2020-01-13 14:57:58 UTC 
Similar problem has been detected:

Login to Cinnamon desktop after applying updates using Gnome Software and rebooting.

hashmarkername: setroubleshoot
kernel:         5.4.8-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket port None.
type:           libreport
Comment 8 Tomas Toth 2020-01-14 19:23:30 UTC 
Similar problem has been detected:

The SELinux Alert appears after re-boot.

hashmarkername: setroubleshoot
kernel:         5.4.8-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket port None.
type:           libreport
Comment 9 Gene Snider 2020-01-15 01:37:54 UTC 
Similar problem has been detected:

Occurred on first boot after dnf update.

hashmarkername: setroubleshoot
kernel:         5.4.12-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket port None.
type:           libreport
Comment 10 lambda.xy.x 2020-01-15 18:27:09 UTC 
Similar problem has been detected:

I ran gnome-abrt manually but I'm not sure if it's actually related. Thanks for looking into it.

hashmarkername: setroubleshoot
kernel:         5.4.8-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket port None.
type:           libreport
Comment 11 foxlightnight 2020-01-16 01:10:16 UTC 
Similar problem has been detected:

Depois de eu ligar a maquina e baixar um pouco o brilho, uma informação apareceu na minha tela sobre esse erro.(caso ajude alguns minutos atras eu tinha instalado o "Grub Customizer" e feito antes de instalar o "Grub Customizer" um "dnf update")

hashmarkername: setroubleshoot
kernel:         5.4.8-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket porta None.
type:           libreport
Comment 12 NM 2020-01-16 01:33:12 UTC 
Similar problem has been detected:

Happens at every re-boot. 

hashmarkername: setroubleshoot
kernel:         5.4.8-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket port None.
type:           libreport
Comment 13 Carlo Bollini 2020-01-16 02:56:16 UTC 
Similar problem has been detected:

- Power on
- Login
- Environment loads up fine, alert pops up

The issue is always reproducible on my machine following these steps.

hashmarkername: setroubleshoot
kernel:         5.4.8-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket porte None.
type:           libreport
Comment 14 Masoud 2020-01-17 05:15:14 UTC 
Similar problem has been detected:

Automatically right after startup.

hashmarkername: setroubleshoot
kernel:         5.4.8-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket port None.
type:           libreport
Comment 15 Richard L. England 2020-01-17 19:41:36 UTC 
Similar problem has been detected:

Happens at each reboot

hashmarkername: setroubleshoot
kernel:         5.4.8-200.fc31.x86_64
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket port None.
type:           libreport
Comment 16 Joe Zeff 2020-01-18 00:01:43 UTC 
Similar problem has been detected:

This happened when I rebooted and logged in.  No idea what happened.

hashmarkername: setroubleshoot
kernel:         5.4.10-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket port None.
type:           libreport
Comment 17 gruszczynskit 2020-01-18 05:52:26 UTC 
Similar problem has been detected:

The error appeared immediately after logging into the system

hashmarkername: setroubleshoot
kernel:         5.4.8-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket port None.
type:           libreport
Comment 18 Peter Lister 2020-01-18 16:31:46 UTC 
Similar problem has been detected:

Reported at login after several dnf upgrades to Fedora 31

hashmarkername: setroubleshoot
kernel:         5.4.10-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket port None.
type:           libreport
Comment 19 Lukas Slebodnik 2020-01-18 17:08:32 UTC 
*** Bug 1792631 has been marked as a duplicate of this bug. ***
Comment 20 Carlos Mogas da Silva 2020-01-18 22:01:38 UTC 
Similar problem has been detected:

Happens during boot

hashmarkername: setroubleshoot
kernel:         5.4.10-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket port None.
type:           libreport
Comment 21 Michael 2020-01-18 22:37:43 UTC 
Similar problem has been detected:

dnf upgrade

hashmarkername: setroubleshoot
kernel:         5.4.10-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket port None.
type:           libreport
Comment 22 Daniel Demus 2020-01-19 08:36:41 UTC 
Similar problem has been detected:

At the end of 'dnf upgrade' which included an abrt package

hashmarkername: setroubleshoot
kernel:         5.4.10-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket port None.
type:           libreport
Comment 23 Jan Vlug 2020-01-19 09:59:31 UTC 
Similar problem has been detected:

Happened during dnf update (on two of my systems).

hashmarkername: setroubleshoot
kernel:         5.4.8-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket port None.
type:           libreport
Comment 24 lray+redhatbugzilla 2020-01-19 19:57:05 UTC 
Similar problem has been detected:

doing a "dnf upgrade" in the background.

hashmarkername: setroubleshoot
kernel:         5.4.10-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket Port None.
type:           libreport
Comment 25 Dmitry Dyachenko 2020-01-20 07:27:17 UTC 
Similar problem has been detected:

dnf upgrade --refresh

hashmarkername: setroubleshoot
kernel:         5.4.10-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket port None.
type:           libreport
Comment 26 Alberto Chiodi 2020-01-20 09:33:43 UTC 
Similar problem has been detected:

Switch on pc. Log in session

hashmarkername: setroubleshoot
kernel:         5.4.10-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket porte None.
type:           libreport
Comment 27 kashifhk123 2020-01-20 15:46:53 UTC 
Similar problem has been detected:

deepin desktop invoirment installation

hashmarkername: setroubleshoot
kernel:         5.4.10-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket port None.
type:           libreport
Comment 28 Alberto Chiodi 2020-01-22 08:09:03 UTC 
(In reply to Alberto Chiodi from comment #26)
> Similar problem has been detected:
> 
> Switch on pc. Log in session
> 
> hashmarkername: setroubleshoot
> kernel:         5.4.10-200.fc31.x86_64
> package:        selinux-policy-3.14.4-43.fc31.noarch
> reason:         SELinux is preventing abrt-dump-journ from 'create' accesses
> on the udp_socket porte None.
> type:           libreport

Last update to selinux-policy-3.14.4-44.fc31.noarch solved problem.
I can log to my session without selinux alert.
Hi
Comment 29 Alex Finkel 2020-01-22 14:09:21 UTC 
After the update to selinux-policy-3.14.4-44.fc31, I removed my custom policy (my-abrtdumpjourn) and I am no longer seeing the selinux alert when I login to my session.  Thanks!
Comment 30 Fedora Admin XMLRPC Client 2020-01-23 16:24:49 UTC 
This package has changed maintainer in the Fedora.
Reassigning to the new maintainer of this component.
Comment 31 Peter Lister 2020-01-26 12:41:42 UTC 
Updated to selinux-policy-3.14.4-44.fc31 and abrt is no longer reporting this message.

Thanks to those who fixed the problem - and all who reported it.
Comment 32 Jaroslav Škarvada 2020-02-03 09:54:57 UTC 
Similar problem has been detected:

Just boot machine.

hashmarkername: setroubleshoot
kernel:         5.4.14-100.fc30.x86_64
package:        selinux-policy-3.14.3-55.fc30.noarch
reason:         SELinux is preventing abrt-dump-journ from 'create' accesses on the udp_socket port None.
type:           libreport
Comment 33 Fedora Update System 2020-02-06 15:14:32 UTC 
FEDORA-2020-c4d27dea0b has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2020-c4d27dea0b
Comment 34 Fedora Update System 2020-02-07 01:03:46 UTC 
selinux-policy-3.14.3-56.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-c4d27dea0b
Comment 35 Fedora Update System 2020-02-25 14:38:41 UTC 
selinux-policy-3.14.3-56.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.