Bug 543156

Summary: SELinux is preventing /usr/bin/gdb "write" access on /usr/share/glib-2.0/gdb.
Product: [Fedora] Fedora Reporter: ritz <rkhadgar>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 12CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:ee381c5be47b474cb615394055ff0afd05b3c241d935717b78522f5ee3cd8455
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-12-09 13:40:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description ritz 2009-12-01 19:38:33 UTC 
Summary:

SELinux is preventing /usr/bin/gdb "write" access on /usr/share/glib-2.0/gdb.

Detailed Description:

[gdb has a permissive type (abrt_t). This access was not denied.]

SELinux denied access requested by gdb. It is not expected that this access is
required by gdb and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                /usr/share/glib-2.0/gdb [ dir ]
Source                        gdb
Source Path                   /usr/bin/gdb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gdb-7.0-7.fc12
Target RPM Packages           glib2-devel-2.22.2-2.fc12
Policy RPM                    selinux-policy-3.6.32-49.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14
                              EST 2009 x86_64 x86_64
Alert Count                   4
First Seen                    Mon 30 Nov 2009 06:44:10 PM IST
Last Seen                     Mon 30 Nov 2009 06:44:10 PM IST
Local ID                      997dc2b2-cf22-4a6b-aecf-4e43ab7c3d9c
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1259586850.827:25084): avc:  denied  { write } for  pid=27474 comm="gdb" name="gdb" dev=dm-1 ino=331220 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1259586850.827:25084): avc:  denied  { add_name } for  pid=27474 comm="gdb" name="gobject.pyc" scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1259586850.827:25084): avc:  denied  { create } for  pid=27474 comm="gdb" name="gobject.pyc" scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1259586850.827:25084): avc:  denied  { write } for  pid=27474 comm="gdb" name="gobject.pyc" dev=dm-1 ino=262264 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1259586850.827:25084): arch=c000003e syscall=2 success=yes exit=4294967424 a0=7fff03fa7090 a1=2c1 a2=81ed a3=7fb8d8320350 items=0 ppid=25325 pid=27474 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="gdb" exe="/usr/bin/gdb" subj=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-49.fc12,catchall,gdb,abrt_t,usr_t,dir,write
audit2allow suggests:

#============= abrt_t ==============
allow abrt_t usr_t:dir { write add_name };
allow abrt_t usr_t:file { write create };
Comment 1 Daniel Walsh 2009-12-09 13:40:49 UTC 

*** This bug has been marked as a duplicate of bug 528554 ***