Bug 543923
Summary: | SELinux is preventing the /usr/bin/abrt-pyhook-helper from using potentially mislabeled files (/tmp/calibre_0.6.25_wOsyUq_worker_redirect.log (deleted)). | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Bradley <bbaetz> |
Component: | abrt | Assignee: | Jiri Moskovcak <jmoskovc> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 12 | CC: | anton, carrerah, charlon09, dfediuck, dvlasenk, dwalsh, iprikryl, jmoskovc, kklic, luca.botti, mgrepl, mmiller6, mnowak, npajkovs, quantum.analyst, rjabovol, santiago.lunar.m, stratosphere.programming, vishvaya |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | setroubleshoot_trace_hash:e3a75ec5bcefaa6442704026402d713f2ca863f4e44dc2156fd0c976fddbaa70 | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2010-03-23 12:53:47 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Bradley
2009-12-03 14:15:35 UTC
To reproduce, start calibre 0.6.25-1 and then quit it using the tray icon (have filed bug on that) The worker_redirect_log files in a running instance have type unconfined_u:object_r:user_tmp_t:s0 However, I also get the below error - something leaking fds? (And the same error for /usr/share/X11/locale/compose.dir) SELinux is preventing /usr/bin/abrt-pyhook-helper "read" access on /usr/share/X11/locale/en_US.UTF-8/Compose. Detailed Description: [abrt-pyhook-hel has a permissive type (abrt_helper_t). This access was not denied.] SELinux denied access requested by abrt-pyhook-hel. It is not expected that this access is required by abrt-pyhook-hel and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c 1023 Target Context system_u:object_r:locale_t:s0 Target Objects /usr/share/X11/locale/en_US.UTF-8/Compose [ file ] Source abrt-pyhook-hel Source Path /usr/bin/abrt-pyhook-helper Port <Unknown> Host plum.home Source RPM Packages abrt-addon-python-1.0.0-1.fc12 Target RPM Packages libX11-common-1.3-1.fc12 Policy RPM selinux-policy-3.6.32-49.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name plum.home Platform Linux plum.home 2.6.31.6-145.fc12.x86_64 #1 SMP Sat Nov 21 15:57:45 EST 2009 x86_64 x86_64 Alert Count 1 First Seen Fri 04 Dec 2009 01:12:25 EST Last Seen Fri 04 Dec 2009 01:12:25 EST Local ID 8e03b432-8e7e-4d44-85f1-968236abae4b Line Numbers Raw Audit Messages node=plum.home type=AVC msg=audit(1259849545.630:686): avc: denied { read } for pid=24553 comm="abrt-pyhook-hel" path="/usr/share/X11/locale/en_US.UTF-8/Compose" dev=dm-0 ino=1239643 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file node=plum.home type=SYSCALL msg=audit(1259849545.630:686): arch=c000003e syscall=59 success=yes exit=0 a0=187bda0 a1=1a5ae10 a2=7fff13061810 a3=61702d657262696c items=0 ppid=24497 pid=24553 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=473 sgid=473 fsgid=473 tty=pts1 ses=1 comm="abrt-pyhook-hel" exe="/usr/bin/abrt-pyhook-helper" subj=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 key=(null) The problem with abrt_helper_t is it is revealing all possible leaked file descriptors from any application that can crash. I am slowly finding and closing the leaks globaly, but it generates a lot of bogus AVC messages. Globaly dontauditing: Fixed in selinux-policy-3.6.32-54.fc12 abrt-1.0.1-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/abrt-1.0.1-1.fc12 abrt-1.0.1-1.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update abrt'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12994 |