Bug 1817969

Summary: Cannot execute gcore from gcc-toolset-9 when fapolicyd is enabled
Product: Red Hat Enterprise Linux 8 Reporter: Renaud Métrich <rmetrich>
Component: fapolicydAssignee: Radovan Sroka <rsroka>
Status: CLOSED ERRATA QA Contact: Dalibor Pospíšil <dapospis>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.1CC: dapospis
Target Milestone: rcKeywords: Triaged
Target Release: 8.0Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: fapolicyd-0.9.1-4.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 15:58:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Renaud Métrich 2020-03-27 11:01:03 UTC 
Description of problem:

Trying to use gcore from gcc-toolset-9-gdb fails when fapolicyd is enabled:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# /opt/rh/gcc-toolset-9/root/usr/bin/gcore 1
/opt/rh/gcc-toolset-9/root/usr/bin/gcore: line 100: /opt/rh/gcc-toolset-9/root/usr/bin/gdb: Operation not permitted
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# ausearch -m FANOTIFY -ts recent
----
time->Fri Mar 27 11:25:33 2020
type=PROCTITLE msg=audit(1585304733.738:104): proctitle=62617368002F6F70742F72682F6763632D746F6F6C7365742D392F726F6F742F7573722F62696E2F67636F72650031
type=PATH msg=audit(1585304733.738:104): item=0 name="/opt/rh/gcc-toolset-9/root/usr/bin/gdb" inode=17094529 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1585304733.738:104): cwd="/root"
type=SYSCALL msg=audit(1585304733.738:104): arch=c000003e syscall=59 success=no exit=-1 a0=56270097b950 a1=562700975cd0 a2=5627009754a0 a3=0 items=1 ppid=1865 pid=1867 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=FANOTIFY msg=audit(1585304733.738:104): resp=2
----
time->Fri Mar 27 11:25:33 2020
type=PROCTITLE msg=audit(1585304733.741:105): proctitle=62617368002F6F70742F72682F6763632D746F6F6C7365742D392F726F6F742F7573722F62696E2F67636F72650031
type=PATH msg=audit(1585304733.741:105): item=0 name="/opt/rh/gcc-toolset-9/root/usr/bin/gdb" inode=17094529 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1585304733.741:105): cwd="/root"
type=SYSCALL msg=audit(1585304733.741:105): arch=c000003e syscall=257 success=no exit=-1 a0=ffffff9c a1=56270097b950 a2=0 a3=0 items=1 ppid=1865 pid=1867 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=FANOTIFY msg=audit(1585304733.741:105): resp=2
----
time->Fri Mar 27 11:25:33 2020
type=PROCTITLE msg=audit(1585304733.741:106): proctitle=62617368002F6F70742F72682F6763632D746F6F6C7365742D392F726F6F742F7573722F62696E2F67636F72650031
type=PATH msg=audit(1585304733.741:106): item=0 name="/opt/rh/gcc-toolset-9/root/usr/bin/gdb" inode=17094529 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1585304733.741:106): cwd="/root"
type=SYSCALL msg=audit(1585304733.741:106): arch=c000003e syscall=257 success=no exit=-1 a0=ffffff9c a1=56270097b950 a2=0 a3=0 items=1 ppid=1865 pid=1867 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=FANOTIFY msg=audit(1585304733.741:106): resp=2
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Version-Release number of selected component (if applicable):

fapolicyd-0.8.10-3.el8_1.3.x86_64 (not delivered yet)


How reproducible:

ALWAYS


Steps to Reproduce:

1. Install gcc-toolset-9-gdb

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# yum -y install gcc-toolset-9-gdb
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

2. Execute gcore on systemd

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# /opt/rh/gcc-toolset-9/root/usr/bin/gcore 1
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Actual results:

/opt/rh/gcc-toolset-9/root/usr/bin/gcore: line 100: /opt/rh/gcc-toolset-9/root/usr/bin/gdb: Operation not permitted


Expected results:

gcore executes properly


Additional info:


This was tested with fapolicyd-0.8.10-3.el8_1.3.x86_64 which is the upcoming release.
Comment 8 errata-xmlrpc 2020-04-28 15:58:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1687