Bug 544697

Summary: SELinux is preventing /usr/bin/abrt-pyhook-helper access to a leaked inotify file descriptor.
Product: [Fedora] Fedora Reporter: Claudiomar Rodrigues <claudiomar.costa>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: bram_gro, chandoos, claudiomar.costa, dwalsh, masssimino, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:47712c368fad32b7dec48cc1e80235e7a87362cebdbec667f50402cfb98afe6f
Fixed In Version: 3.6.32-56.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-12-16 01:06:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Claudiomar Rodrigues 2009-12-06 02:38:32 UTC 
Sumário:

SELinux is preventing /usr/bin/abrt-pyhook-helper access to a leaked inotify
file descriptor.

Descrição detalhada:

[SElinux está em modo permissivo. Esse acesso não foi negado.]

SELinux denied access requested by the abrt-pyhook-hel command. It looks like
this is either a leaked descriptor or abrt-pyhook-hel output was redirected to a
file it is not allowed to access. Leaks usually can be ignored since SELinux is
just closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the inotify. You should generate a bugzilla on selinux-policy, and it
will get routed to the appropriate package. You can safely ignore this avc.

Permitindo acesso:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Informações adicionais:

Contexto de origem            system_u:system_r:abrt_helper_t:s0-s0:c0.c1023
Contexto de destino           system_u:object_r:inotifyfs_t:s0
Objetos de destino            inotify [ dir ]
Origem                        abrt-pyhook-hel
Caminho da origem             /usr/bin/abrt-pyhook-helper
Porta                         <Desconhecido>
Máquina                      (removed)
Pacotes RPM de origem         abrt-addon-python-1.0.0-1.fc12
Pacotes RPM de destino        
RPM da política              selinux-policy-3.6.32-55.fc12
Selinux habilitado            True
Tipo de política             targeted
Modo reforçado               Permissive
Nome do plugin                leaks
Nome da máquina              (removed)
Plataforma                    Linux (removed) 2.6.31.6-145.fc12.x86_64 #1 SMP
                              Sat Nov 21 15:57:45 EST 2009 x86_64 x86_64
Contador de alertas           1
Visto pela primeira vez em    Sáb 05 Dez 2009 23:53:48 BRST
Visto pela última vez em     Sáb 05 Dez 2009 23:53:48 BRST
ID local                      920eb941-051b-4c03-9821-12de1f0caeb3
Números de linha             

Mensagens de auditoria não p 

node=(removed) type=AVC msg=audit(1260064428.365:42): avc:  denied  { read } for  pid=2834 comm="abrt-pyhook-hel" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1260064428.365:42): arch=c000003e syscall=59 success=yes exit=0 a0=15b4d70 a1=1515f80 a2=7fff4c63c718 a3=342e322d6f666e69 items=0 ppid=2832 pid=2834 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=482 sgid=482 fsgid=482 tty=(none) ses=4294967295 comm="abrt-pyhook-hel" exe="/usr/bin/abrt-pyhook-helper" subj=system_u:system_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-55.fc12,leaks,abrt-pyhook-hel,abrt_helper_t,inotifyfs_t,dir,read
audit2allow suggests:

#============= abrt_helper_t ==============
allow abrt_helper_t inotifyfs_t:dir read;
Comment 1 Daniel Walsh 2009-12-06 14:55:31 UTC 
This is a leaked file descriptor.


You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-56.fc12.noarch
Comment 2 Fedora Update System 2009-12-07 22:54:26 UTC 
selinux-policy-3.6.32-56.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-56.fc12
Comment 3 Fedora Update System 2009-12-10 04:19:53 UTC 
selinux-policy-3.6.32-56.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12990
Comment 4 Fedora Update System 2009-12-16 01:05:22 UTC 
selinux-policy-3.6.32-56.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.