Bug 541720

Summary: SELinux is preventing /usr/bin/abrt-pyhook-helper access to a leaked /home/martin/.jabbim/nad.martin@jabbim.cz-profile/jabbim.log file descriptor.
Product: [Fedora] Fedora Reporter: Martin Naď <martin.nad89>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: antonio_pandolfo, craig, dwalsh, mgrepl, minaharker80, rayne.sierra, rivarda1
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:accc72aeb91cf820d77f33b2839baf16b82b8bfb0eb77d3cefa6521c9a919b73
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-11-27 13:20:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Martin Naď 2009-11-26 20:08:37 UTC 
Souhrn:

SELinux is preventing /usr/bin/abrt-pyhook-helper access to a leaked
/home/martin/.jabbim/nad.martin/jabbim.log file descriptor.

Podrobný popis:

[abrt-pyhook-hel has a permissive type (abrt_helper_t). This access was not
denied.]

SELinux denied access requested by the abrt-pyhook-hel command. It looks like
this is either a leaked descriptor or abrt-pyhook-hel output was redirected to a
file it is not allowed to access. Leaks usually can be ignored since SELinux is
just closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the /home/martin/.jabbim/nad.martin/jabbim.log. You
should generate a bugzilla on selinux-policy, and it will get routed to the
appropriate package. You can safely ignore this avc.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Další informace:

Kontext zdroje                unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c
                              1023
Kontext cíle                 unconfined_u:object_r:user_home_t:s0
Objekty cíle                 /home/martin/.jabbim/nad.martin-
                              profile/jabbim.log [ file ]
Zdroj                         abrt-pyhook-hel
Cesta zdroje                  /usr/bin/abrt-pyhook-helper
Port                          <Neznámé>
Počítač                    (removed)
RPM balíčky zdroje          abrt-addon-python-1.0.0-1.fc12
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.6.32-49.fc12
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim            Enforcing
Název zásuvného modulu     leaks
Název počítače            (removed)
Platforma                     Linux (removed)
                              2.6.31.6-149.fc12.x86_64 #1 SMP Wed Nov 25
                              06:07:50 EST 2009 x86_64 x86_64
Počet upozornění           2
Poprvé viděno               Pá 27. listopad 2009, 21:10:55 CET
Naposledy viděno             Pá 27. listopad 2009, 21:10:55 CET
Místní ID                   28e72ec0-abde-4800-95db-28f826adb42c
Čísla řádků              

Původní zprávy auditu      

node=(removed) type=AVC msg=audit(1259352655.54:123): avc:  denied  { write } for  pid=7766 comm="abrt-pyhook-hel" path="/home/martin/.jabbim/nad.martin/jabbim.log" dev=sda5 ino=20922664 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1259352655.54:123): avc:  denied  { read } for  pid=7766 comm="abrt-pyhook-hel" path=2F746D702F666669714571596261202864656C6574656429 dev=tmpfs ino=2474605 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1259352655.54:123): arch=c000003e syscall=59 success=yes exit=0 a0=3dc3fe0 a1=3c6c3d0 a2=356ebf0 a3=20 items=0 ppid=7559 pid=7766 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=479 sgid=479 fsgid=479 tty=(none) ses=1 comm="abrt-pyhook-hel" exe="/usr/bin/abrt-pyhook-helper" subj=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-49.fc12,leaks,abrt-pyhook-hel,abrt_helper_t,user_home_t,file,write
audit2allow suggests:

#============= abrt_helper_t ==============
allow abrt_helper_t user_home_t:file write;
allow abrt_helper_t user_tmp_t:file read;
Comment 1 Miroslav Grepl 2009-11-27 13:20:19 UTC 

*** This bug has been marked as a duplicate of bug 539566 ***