Bug 551904

Summary: SELinux is preventing /usr/bin/gdb "write" access on /usr/share/glib-2.0/gdb.
Product: [Fedora] Fedora Reporter: darkkitten
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:525d6fce61e862fbe7b79c21f818fe0613c81d4649c3022da147a0badf12b64a
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-01-04 15:34:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description darkkitten 2010-01-03 01:28:44 UTC 
Summary:

SELinux is preventing /usr/bin/gdb "write" access on /usr/share/glib-2.0/gdb.

Detailed Description:

[gdb has a permissive type (abrt_t). This access was not denied.]

SELinux denied access requested by gdb. It is not expected that this access is
required by gdb and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                /usr/share/glib-2.0/gdb [ dir ]
Source                        gdb
Source Path                   /usr/bin/gdb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gdb-7.0-13.fc12
Target RPM Packages           glib2-devel-2.22.3-2.fc12
Policy RPM                    selinux-policy-3.6.32-63.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31.9-174.fc12.x86_64 #1 SMP Mon Dec 21
                              05:33:33 UTC 2009 x86_64 x86_64
Alert Count                   4
First Seen                    Sat 02 Jan 2010 06:07:34 PM MST
Last Seen                     Sat 02 Jan 2010 06:07:34 PM MST
Local ID                      fb66727d-5d68-4ce2-80ca-62bf93963038
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1262480854.516:21447): avc:  denied  { write } for  pid=7331 comm="gdb" name="gdb" dev=sda3 ino=63726 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1262480854.516:21447): avc:  denied  { add_name } for  pid=7331 comm="gdb" name="gobject.pyc" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1262480854.516:21447): avc:  denied  { create } for  pid=7331 comm="gdb" name="gobject.pyc" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1262480854.516:21447): avc:  denied  { write } for  pid=7331 comm="gdb" name="gobject.pyc" dev=sda3 ino=530116 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1262480854.516:21447): arch=c000003e syscall=2 success=yes exit=4294967424 a0=7fff3c2d3a50 a1=2c1 a2=81ed a3=7fbe483ef350 items=0 ppid=1258 pid=7331 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdb" exe="/usr/bin/gdb" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-63.fc12,catchall,gdb,abrt_t,usr_t,dir,write
audit2allow suggests:

#============= abrt_t ==============
#!!!! The source type 'abrt_t' can write to a 'dir' of the following types:
# tmp_t, var_t, abrt_tmp_t, var_run_t, rpm_var_cache_t, abrt_var_cache_t, var_log_t, abrt_var_log_t, rpm_var_run_t, abrt_var_run_t, root_t

allow abrt_t usr_t:dir { write add_name };
allow abrt_t usr_t:file { write create };
Comment 1 Daniel Walsh 2010-01-04 15:34:56 UTC 

*** This bug has been marked as a duplicate of bug 538300 ***