Bug 1949948
Summary: | SELinux is preventing gdb from 'read' accesses on the file /var/cache/fwupd/metainfo.xmlb. | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | CharlieI <charlieivermee>
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela>
Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 34 | CC: | afinkelsrc, colin.barker07, dwalsh, grepl.miroslav, jan.public, lvrabec, mmalik, mmilgram, nixuser, omosnace, paktomjakarta, plautrba, santiagosaavedra, steve.kirk, tsiraut, vmojzis, zpytela
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | x86_64 | |
OS: | Unspecified | |
Whiteboard: | abrt_hash:2b6922f10a6774eccf5b7cf3345ed26ba66e89f7706c087b458398c0cca5b947;VARIANT_ID=workstation; | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2021-12-09 15:29:11 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Attachments: | | |

Description
CharlieI
2021-04-15 13:13:15 UTC
Similar problem has been detected:

Happened at boot.

hashmarkername: setroubleshoot
kernel: 5.11.13-300.fc34.x86_64
package: selinux-policy-targeted-34.3-1.fc34.noarch
reason: SELinux is preventing gdb from 'read' accesses on the file /var/cache/fwupd/metainfo.xmlb.
type: libreport

Similar problem has been detected:

Boot Fedora 34 WS and log in.

hashmarkername: setroubleshoot
kernel: 5.11.14-300.fc34.x86_64
package: selinux-policy-targeted-34.3-1.fc34.noarch
reason: SELinux is preventing gdb from 'read' accesses on the file /var/cache/fwupd/quirks.xmlb.
type: libreport

*** Bug 1950706 has been marked as a duplicate of this bug. ***

looking at journalctl --boot=-0 the gdb errors seem to be related to firmware update daemon 1.5.9-1.fc33 crash in g_propagate_error () in fu_bluez_backend_connect_cb (fwupd + 0x3bd64) just prior: is a separate bug report for fwupd required?

extracts follow:

    systemd-coredump[162711]: Process 162493 (fwupd) of user 0 dumped core
    ... <stack trace snipped> ...
    systemd[1]: systemd-coredump: Succeeded.
    audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@2-162710-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fwupd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
    systemd[1]: fwupd.service: Main process exited, code=dumped, status=11/SEGV
    systemd[1]: fwupd.service: Failed with result 'core-dump'
    ...
    abrt-dump-journal-oops[1015]: abrt-dump-journal-oops: Found oopses: 1
    abrt-dump-journal-oops[1015]: abrt-dump-journal-oops: Creating problem directories
    audit[162742]: AVC avc: denied { read } for pid=162742 comm="gdb" name="quirks.xmlb" dev="dm-3" ino=1086 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fwupd_cache_t:s0 tclass=file permissive=0
    audit[162742]: AVC avc: denied { read } for pid=162742 comm="gdb" name="metadata.xmlb" dev="dm-3" ino=889 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fwupd_cache_t:s0 tclass=file permissive=0
    audit[162742]: AVC avc: denied { read } for pid=162742 comm="gdb" name="metainfo.xmlb" dev="dm-3" ino=3215 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fwupd_cache_t:s0 tclass=file permissive=0
    abrt-dump-journal-oops[1015]: Reported 1 kernel oopses to Abrt
    abrt-server[162721]: Deleting problem directory ccpp-2021-04-22-17:04:55.508470-162493 (dup of ccpp-2021-04-22-12:23:03.508550-155041)
    abrt-notification[162771]: Process 155041 (fwupd) crashed in g_propagate_error()
    abrt-server[162750]: Can't find a meaningful backtrace for hashing in '.'
    abrt-server[162750]: Preserving oops '.' because DropNotReportableOopses is 'no'
    abrt-notification[162789]: System encountered a non-fatal error in ??()
    ...
    systemd[1]: Started dbus-:1.12-org.fedoraproject.Setroubleshootd.
    audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.12-org.fedoraproject.Setroubleshootd@10 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    ...
    audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-localed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    ...
    setroubleshoot[162793]: AnalyzeThread.run(): Cancel pending alarm
    setroubleshoot[162793]: failed to retrieve rpm info for /var/cache/fwupd/quirks.xmlb
    systemd[1]: Started dbus-:1.12-org.fedoraproject.SetroubleshootPrivileged.
    audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.12-org.fedoraproject.SetroubleshootPrivileged@1 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    setroubleshoot[162793]: SELinux is preventing gdb from read access on the file /var/cache/fwupd/quirks.xmlb. For complete SELinux messages run: sealert -l 2c1bcca8-fe7b-4dd4-9324-6569fecb0916
    setroubleshoot[162793]: SELinux is preventing gdb from read access on the file /var/cache/fwupd/quirks.xmlb.
        ***** Plugin catchall (100. confidence) suggests **************************
        If you believe that gdb should be allowed read access on the quirks.xmlb file by default.
        Then you should report this as a bug.
        You can generate a local policy module to allow this access.
        Do allow this access for now by executing:
        # ausearch -c 'gdb' --raw | audit2allow -M my-gdb
        # semodule -X 300 -i my-gdb.pp
    setroubleshoot[162793]: AnalyzeThread.run(): Set alarm timeout to 10
    setroubleshoot[162793]: AnalyzeThread.run(): Cancel pending alarm
    sealertauto.desktop[162340]: /usr/bin/seapplet:46: DeprecationWarning: Gtk.StatusIcon.new_from_file is deprecated
    sealertauto.desktop[162340]: self.status_icon = Gtk.StatusIcon.new_from_file(
    seapplet[162340]: gtk_widget_get_scale_factor: assertion 'GTK_IS_WIDGET (widget)' failed
    sealertauto.desktop[162340]: /usr/bin/seapplet:50: DeprecationWarning: Gtk.StatusIcon.set_visible is deprecated
    sealertauto.desktop[162340]: self.status_icon.set_visible(True)
    setroubleshoot[162793]: failed to retrieve rpm info for /var/cache/fwupd/metadata.xmlb
    setroubleshoot[162793]: SELinux is preventing gdb from read access on the file /var/cache/fwupd/metadata.xmlb. For complete SELinux messages run: sealert -l 2c1bcca8-fe7b-4dd4-9324-6569fecb0916
    setroubleshoot[162793]: SELinux is preventing gdb from read access on the file /var/cache/fwupd/metadata.xmlb.
        ***** Plugin catchall (100. confidence) suggests **************************
        If you believe that gdb should be allowed read access on the metadata.xmlb file by default.
        Then you should report this as a bug.
        You can generate a local policy module to allow this access.
        Do allow this access for now by executing:
        # ausearch -c 'gdb' --raw | audit2allow -M my-gdb
        # semodule -X 300 -i my-gdb.pp
    setroubleshoot[162793]: AnalyzeThread.run(): Set alarm timeout to 10
    setroubleshoot[162793]: AnalyzeThread.run(): Cancel pending alarm
    setroubleshoot[162793]: failed to retrieve rpm info for /var/cache/fwupd/metainfo.xmlb
    setroubleshoot[162793]: SELinux is preventing gdb from read access on the file /var/cache/fwupd/metainfo.xmlb. For complete SELinux messages run: sealert -l 2c1bcca8-fe7b-4dd4-9324-6569fecb0916
    setroubleshoot[162793]: SELinux is preventing gdb from read access on the file /var/cache/fwupd/metainfo.xmlb.
        ***** Plugin catchall (100. confidence) suggests **************************
        If you believe that gdb should be allowed read access on the metainfo.xmlb file by default.
        Then you should report this as a bug.
        You can generate a local policy module to allow this access.
        Do allow this access for now by executing:
        # ausearch -c 'gdb' --raw | audit2allow -M my-gdb
        # semodule -X 300 -i my-gdb.pp
    setroubleshoot[162793]: AnalyzeThread.run(): Set alarm timeout to 10
    systemd[1]: dbus-:1.12-org.fedoraproject.SetroubleshootPrivileged: Main process exited, code=killed, status=14/ALRM
    audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.12-org.fedoraproject.SetroubleshootPrivileged@1 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
    systemd[1]: dbus-:1.12-org.fedoraproject.SetroubleshootPrivileged: Failed with result 'signal'.
    systemd[1]: dbus-:1.12-org.fedoraproject.SetroubleshootPrivileged: Consumed 4.885s CPU time.
    systemd[1]: dbus-:1.12-org.fedoraproject.Setroubleshootd: Main process exited, code=killed, status=14/ALRM
    audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.12-org.fedoraproject.Setroubleshootd@10 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
    systemd[1]: dbus-:1.12-org.fedoraproject.Setroubleshootd: Failed with result 'signal'.
    systemd[1]: dbus-:1.12-org.fedoraproject.Setroubleshootd: Consumed 3.451s CPU time.

suggest this is related to bug 1949491 - [abrt] fwupd: g_propagate_error(): fwupd killed by SIGSEGV
https://bugzilla.redhat.com/show_bug.cgi?id=1949491

Created attachment 1774760 [details]
System journal output showing fwupd crash
Output extracted from the output of 'journalctl -S today' starting where fwupd gets a general protection fault, including stack trace data and ending with the setroubleshooter which is triggered by gdb.
ABRT says the backtrace does not contain enough meaningful function frames to be reported.
Kernel - 5.11.15-200.fc33.x86_64
fwupd-1.5.9-1.fc33.x86_64
selinux-policy-3.14.6-36.fc33.noarch
selinux-policy-targeted-3.14.6-36.fc33.noarch

Potential duplicate of: bug 1896648

Recent update of fwupd to fwupd-1.5.9-2.fc33 may have resolved this. fwupd did not crash after update and reboot, therefore no gdb and no related AVC denials.

Similar problem has been detected:

I am having to drop back and use kernel 5.13.16-200.fc34.x86_64 although kernel 5.14.9 is installed. The 5.14.9 kernel hangs my computer (reported)

hashmarkername: setroubleshoot
kernel: 5.13.16-200.fc34.x86_64
package: selinux-policy-targeted-34.21-1.fc34.noarch
reason: SELinux is preventing gdb from 'open' accesses on the file /var/cache/fwupd/metainfo.xmlb.
type: libreport

*** Bug 2024596 has been marked as a duplicate of this bug. ***

*** This bug has been marked as a duplicate of bug 1896648 ***
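
Added example, not part of the bug report or of any project's code: a Python triage helper that parses the AVC records quoted in the journal extract and collapses them by (source type, target type, class), showing that the separate per-file alerts in this report are one abrt_t to fwupd_cache_t gap. The sample lines are constructed from the extract; the `open` record (its pid and ino) is made up to stand in for the later 'open' report, and all function names are this example's own.

```python
import os.path
import re
from collections import defaultdict

# Constructed sample: the three AVC records from the journal extract, one non-AVC
# line, and a made-up 'open' denial (pid/ino are placeholders) for the later report.
SAMPLE = """\
systemd[1]: fwupd.service: Main process exited, code=dumped, status=11/SEGV
audit[162742]: AVC avc: denied { read } for pid=162742 comm="gdb" name="quirks.xmlb" dev="dm-3" ino=1086 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fwupd_cache_t:s0 tclass=file permissive=0
audit[162742]: AVC avc: denied { read } for pid=162742 comm="gdb" name="metadata.xmlb" dev="dm-3" ino=889 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fwupd_cache_t:s0 tclass=file permissive=0
audit[162742]: AVC avc: denied { read } for pid=162742 comm="gdb" name="metainfo.xmlb" dev="dm-3" ino=3215 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fwupd_cache_t:s0 tclass=file permissive=0
audit[1000]: AVC avc: denied { open } for pid=1000 comm="gdb" path="/var/cache/fwupd/metainfo.xmlb" dev="dm-3" ino=1 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fwupd_cache_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    try:
        # A context is user:role:type:level; only the type drives the TE decision.
        key = (rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2], rec["tclass"])
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    target = os.path.basename(rec.get("path") or rec.get("name", "?"))
    return {"key": key, "perms": m.group(1).split(), "comm": rec.get("comm", "?"), "target": target}

def group_denials(text):
    """Collapse denials to one entry per (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "targets": set()})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        g = groups[rec["key"]]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec["comm"])
        g["targets"].add(rec["target"])
    return dict(groups)

def summarize(text):
    return ["{} -> {}:{} {{ {} }} comm={} files={}".format(
                s, t, c, " ".join(sorted(g["perms"])),
                ",".join(sorted(g["comms"])), ",".join(sorted(g["targets"])))
            for (s, t, c), g in sorted(group_denials(text).items())]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

Grouping on SELinux types rather than on file names is what makes the per-file alerts recognisable as one policy issue.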