Bug 593906

Summary: abrt-1.1.2 installation does not create /var/spool/abrt, causing selinux problems
Product: [Fedora] Fedora
Component: abrt
Version: 14
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: low
Keywords: Reopened
Reporter: Kurt Driver <kurtdriver>
Assignee: Denys Vlasenko <dvlasenk>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: anton, bgodusky, cz172638, dvlasenk, dwalsh, frankly3d, garrett.mitchener, iprikryl, jmoskovc, jturner, kklic, mgrepl, mnowak, npajkovs, olivares14031, pcfe, schaiba, selinux
Whiteboard: setroubleshoot_trace_hash:5bfe8959226ae2c2c07abc8bd13495d85209b5246fd8e4ec6bb6cd6ade335375
Fixed In Version: abrt-2.0.1-2.fc15
Doc Type: Bug Fix
Last Closed: 2011-04-26 16:19:21 UTC
Bug Blocks: 494832

Description Kurt Driver 2010-05-20 02:53:26 UTC
Summary:

SELinux is preventing /usr/sbin/abrtd "write" access on /var/spool.

Detailed Description:

SELinux denied access requested by abrtd. It is not expected that this access is
required by abrtd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_spool_t:s0
Target Objects                /var/spool [ dir ]
Source                        abrtd
Source Path                   /usr/sbin/abrtd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           abrt-1.1.2-1.fc14
Target RPM Packages           filesystem-2.4.35-1.fc14
Policy RPM                    selinux-policy-3.7.19-15.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.34-2.fc14.x86_64 #1 SMP Mon May
                              17 03:51:48 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 19 May 2010 07:28:18 PM PDT
Last Seen                     Wed 19 May 2010 07:28:18 PM PDT
Local ID                      2d0d5755-83c5-44a9-bf0a-e8974ea9925d
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1274322498.415:688): avc:  denied  { write } for  pid=17833 comm="abrtd" name="spool" dev=dm-0 ino=1566 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1274322498.415:688): arch=c000003e syscall=83 success=no exit=-13 a0=41e791 a1=1ed a2=d a3=7fffa222a3c0 items=0 ppid=17832 pid=17833 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="abrtd" exe="/usr/sbin/abrtd" subj=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,abrtd,abrt_t,var_spool_t,dir,write
audit2allow suggests:

#============= abrt_t ==============
#!!!! The source type 'abrt_t' can write to a 'dir' of the following types:
# tmp_t, var_t, sosreport_tmp_t, abrt_tmp_t, var_run_t, rpm_var_cache_t, abrt_var_cache_t, var_log_t, abrt_var_log_t, rpm_var_run_t, abrt_var_run_t, root_t

allow abrt_t var_spool_t:dir write;

Comment 1 Frank Murphy 2010-05-20 11:02:05 UTC
I have the latest selinux-policy from koji.
http://koji.fedoraproject.org/koji/buildinfo?buildID=174238

$ rpm -qa selinux-policy\*
selinux-policy-3.7.19-19.fc13.noarch
selinux-policy-targeted-3.7.19-19.fc13.noarch



Summary:

SELinux is preventing /usr/sbin/abrtd "write" access on /var/spool.

--snip--

Source Context                unconfined_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_spool_t:s0
Target Objects                /var/spool [ dir ]
Source                        abrtd
Source Path                   /usr/sbin/abrtd
Port                          <Unknown>
Host                          #######
Source RPM Packages           abrt-1.1.2-1.fc14
Target RPM Packages           filesystem-2.4.35-1.fc14
Policy RPM                    selinux-policy-3.7.19-19.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     ######
Platform                      Linux ##### 2.6.34-2.fc14.x86_64
                              #1 SMP Mon May 17 03:51:48 UTC 2010 x86_64 x86_64
Alert Count                   4
First Seen                    Thu 20 May 2010 11:41:24 IST
Last Seen                     Thu 20 May 2010 11:59:03 IST
Local ID                      fd7364ef-21be-4027-9ff3-26c402c0eb64
Line Numbers                  

Raw Audit Messages            

node=##### type=AVC msg=audit(1274353143.940:26429): avc:  denied  { write } for  pid=2634 comm="abrtd" name="spool" dev=dm-6 ino=41025 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir

node=##### type=SYSCALL msg=audit(1274353143.940:26429): arch=c000003e syscall=83 success=no exit=-13 a0=41e791 a1=1ed a2=d a3=0 items=0 ppid=2633 pid=2634 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="abrtd" exe="/usr/sbin/abrtd" subj=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

Comment 2 Daniel Walsh 2010-05-20 13:34:55 UTC
/var/spool/abrt should be in the payload with the abrtd package.

Comment 3 Daniel Walsh 2010-05-20 13:45:37 UTC
*** Bug 594017 has been marked as a duplicate of this bug. ***

Comment 4 Frank Murphy 2010-05-20 13:46:41 UTC
(In reply to comment #2)
> /var/spool/abrt should be in the payload with the abrtd package.    

The dir is there, with some kerneloops sub-dirs in my case.

Comment 5 Daniel Walsh 2010-05-20 13:48:08 UTC
Users who are getting this problem just need to execute

# mkdir /var/spool/abrt
# restorecon -R -v /var/spool/abrt

And the AVC will stop happening.

Frank, you should be able to run the restorecon command above.

Comment 6 Frank Murphy 2010-05-20 13:49:11 UTC
(In reply to comment #5)
> Users who are getting this problem just need to execute
> 
> # mkdir /var/spool/abrt
> # restorecon -R -v /var/spool/abrt
> 
> And the AVC will stop happening
> 
> 
> Frank you should be able to run the restorecon command above.    


Thanks Dan.

Comment 7 Kurt Driver 2010-05-20 14:40:04 UTC
Thank you Dan, is it correct that this isn't really a bug? 
I didn't think it important, but that it was something that could be changed, at some point, in the "out of the box" setup. Kurt
Whoops! I just saw that you marked it as "NOTABUG".

Comment 8 Denys Vlasenko 2010-05-20 15:28:48 UTC
*** Bug 593973 has been marked as a duplicate of this bug. ***

Comment 9 Daniel Walsh 2010-05-20 20:04:55 UTC
Well, it is a bug in abrt that the directory was not in the payload.  I am also modifying policy to make the correct thing happen if the directory does not exist.

Comment 10 Kurt Driver 2010-05-21 03:33:08 UTC
Thanks again Dan.

Comment 11 Denys Vlasenko 2010-05-21 11:43:55 UTC
*** Bug 594448 has been marked as a duplicate of this bug. ***

Comment 12 Denys Vlasenko 2010-05-21 11:46:52 UTC
Let's keep it open for now, there will be more reports about this which I want to mark as dups.

Comment 13 Miroslav Grepl 2010-05-24 11:57:25 UTC
*** Bug 594022 has been marked as a duplicate of this bug. ***

Comment 14 Denys Vlasenko 2010-05-24 15:19:28 UTC
Please don't close this bug.

Comment 15 Denys Vlasenko 2010-05-24 15:19:55 UTC
*** Bug 593670 has been marked as a duplicate of this bug. ***

Comment 16 Denys Vlasenko 2010-05-24 15:20:23 UTC
Please try this build:

http://koji.fedoraproject.org/koji/taskinfo?taskID=2201357

Comment 17 Denys Vlasenko 2010-05-24 15:23:24 UTC
*** Bug 595036 has been marked as a duplicate of this bug. ***

Comment 18 Frank Murphy 2010-05-26 08:43:31 UTC
(In reply to comment #16)
> Please try this build:
> 
> http://koji.fedoraproject.org/koji/taskinfo?taskID=2201357    

Worksforme

Comment 19 Bug Zapper 2010-07-30 11:39:57 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle.
Changing version to '14'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 20 Fedora Update System 2011-03-27 17:36:08 UTC
abrt-2.0.0-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/abrt-2.0.0-1.fc15

Comment 21 Fedora Update System 2011-03-29 20:01:28 UTC
abrt-2.0.0-2.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/abrt-2.0.0-2.fc15

Comment 22 Fedora Update System 2011-03-30 02:32:13 UTC
Package abrt-2.0.0-2.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing abrt-2.0.0-2.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/abrt-2.0.0-2.fc15
then log in and leave karma (feedback).

Comment 23 Fedora Update System 2011-03-30 16:48:32 UTC
abrt-2.0.0-3.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/abrt-2.0.0-3.fc15

Comment 24 Fedora Update System 2011-04-04 14:08:15 UTC
abrt-2.0.0-4.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/abrt-2.0.0-4.fc15

Comment 25 Fedora Update System 2011-04-15 15:09:02 UTC
abrt-2.0.0-5.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/abrt-2.0.0-5.fc15

Comment 26 Fedora Update System 2011-04-20 13:29:50 UTC
abrt-2.0.1-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/abrt-2.0.1-1.fc15

Comment 27 Fedora Update System 2011-04-21 16:44:29 UTC
abrt-2.0.1-2.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/abrt-2.0.1-2.fc15

Comment 28 Fedora Update System 2011-04-26 16:11:55 UTC
abrt-2.0.1-2.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.