Bug 595036
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/sbin/abrtd "read" access on abrt. |
| Product | [Fedora] Fedora |
| Component | abrt |
| Version | rawhide |
| Status | CLOSED DUPLICATE |
| Severity | medium |
| Priority | low |
| Hardware | i386 |
| OS | Linux |
| Reporter | GoinEasy9 <GoinEasy9> |
| Assignee | Jiri Moskovcak <jmoskovc> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | anton, atswartz, dfediuck, dvlasenk, dwalsh, hirager, iprikryl, jmoskovc, kklic, mgrepl, mnowak, neo021, npajkovs, sanjay.ankur, sundaram, tomek.by |
| Whiteboard | setroubleshoot_trace_hash:477e893a8ff58ae2d3311468f5d4a6cfdfc9416568dfce92dbf077761af04c27 |
| Doc Type | Bug Fix |
| Last Closed | 2010-05-24 15:23:24 UTC |

Description
GoinEasy9
2010-05-23 01:45:10 UTC
abrt daemon failed to start. SELinux is also preventing /usr/sbin/abrtd "setattr" access on abrt. Seems to be a continuation of the same problem that caused bug #593906. abrt daemon hasn't started since the update on 5/20. I executed the commands:

    # mkdir /var/spool/abrt
    # restorecon -R -v /var/spool/abrt

on 5/20 when the problem first appeared, but it seems it didn't fix everything. I don't use SELinux on my regular installs, so I'm still quite an amateur at trying to generate local policy modules. Since abrt shouldn't need this type of access, I'll wait to see if it is a bug, or if it is something I should fix myself in SELinux policy. I know if I disable SELinux this alert will go away, but I'd rather learn SELinux by using it on my rawhide install, I just need confirmation if it is a bug or not. Thanks

What policy do you have installed?

    rpm -q selinux-policy
    ls -lZd /var/spool/abrt

The problem is probably that this directory is mislabeled. abrt changed the location of the directory from /var/cache to /var/spool. This required a fix to selinux policy to put down the correct label. Secondarily abrt did not put the /var/spool/abrt directory in the payload. So rpm did not create the directory at install time with the correct label. Having an up-to-date policy and abrt package should fix the problem.

Please try this build: http://koji.fedoraproject.org/koji/taskinfo?taskID=2201357 and let me know if it still doesn't work

*** This bug has been marked as a duplicate of bug 593906 ***

    [GoinEasy9@Fedora14dw32 ~]$ rpm -q selinux-policy
    selinux-policy-3.7.19-15.fc13.noarch
    [GoinEasy9@Fedora14dw32 ~]$ ls -lZd /var/spool/abrt
    drwxr-xr-x. abrt abrt system_u:object_r:var_spool_t:s0 /var/spool/abrt

Will try koji build now.

I already have abrt 1.1.3-1 installed.

    [GoinEasy9@Fedora14dw32 ~]$ rpm -q abrt
    abrt-1.1.3-1.fc14.i686

Boot log still shows:

    Starting abrt daemon: [FAILED]

SELinux is preventing /usr/sbin/abrtd "read" access on abrt.
SELinux is preventing /usr/sbin/abrtd "setattr" access on abrt.

I tried rm -r /var/spool/abrt and mkdir /var/spool/abrt, then restorecon -R -v /var/spool/abrt again, with the same results.

    ls -lZd /var/spool/abrt

Could you grab the full avc from /var/log/audit/audit.log

Created attachment 416205
/var/log/audit/audit.log

    [GoinEasy9@Fedora14dw32 ~]$ ls -lZd /var/spool/abrt
    drwxr-xr-x. root root unconfined_u:object_r:var_spool_t:s0 /var/spool/abrt

That is the wrong label.

    rpm -q selinux-policy

    [GoinEasy9@Fedora14dw32 ~]$ rpm -q selinux-policy
    selinux-policy-3.7.19-15.fc13.noarch

Should I remove /var/spool/abrt and reinstall selinux-policy?

I see the result of ls -lZd /var/spool/abrt has changed from comment 5, possibly because I experimented as I stated at the bottom of comment 6.

(In reply to comment #11)
> [GoinEasy9@Fedora14dw32 ~]$ rpm -q selinux-policy
> selinux-policy-3.7.19-15.fc13.noarch
>
> Should I remove /var/spool/abrt and reinstall selinux-policy?
>
> I see the result of ls -lZd /var/spool/abrt has changed from comment 5,
> possibly because I experimented as I stated at the bottom of comment 6.

I am having the same problem

    [ats@asus ~]$ rpm -q abrt
    abrt-1.1.3-1.fc14.x86_64
    [ats@asus ~]$ ls -lZd /var/spool/abrt
    drwxr-xr-x. abrt abrt system_u:object_r:var_spool_t:s0 /var/spool/abrt
    [ats@asus ~]$ rpm -q selinux-policy
    selinux-policy-3.7.19-15.fc13.noarch

Created attachment 416930
audit.log

Please update to the latest policy in fedora-updates.

(In reply to comment #14)
> Please update to the latest policy in fedora-updates.

I had selinux-policy-3.7.19-15.fc13; yum offered me no update, so I installed selinux-policy-3.7.19-21.fc13 from koji and abrtd upon reboot. EDIT: abrtd started OK upon reboot

I removed /var/spool/abrt, reinstalled abrt, which resulted in:

    [GoinEasy9@Fedora14dw32 ~]$ ls -lZd /var/spool/abrt
    drwxr-xr-x. abrt abrt system_u:object_r:var_spool_t:s0 /var/spool/abrt

I then installed selinux-policy-3.7.19-21.fc13 from koji, and the abrtd daemon started after reboot.

Can you bump karma on the selinux-policy
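
The diagnosis the thread walks through (pull the AVC records from audit.log, then compare the denied target type with the label `ls -lZd` reports), as an added example that is not part of the original bug report. The audit records are constructed in the standard AVC format, and the source domain `abrt_t` and the expected type `abrt_var_cache_t` are assumptions; on a live system the expected context comes from `matchpathcon /var/spool/abrt`.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
CONTEXT_RE = re.compile(r'\b\w+:\w+:(\w+):\S+')  # user:role:type:level

# Constructed audit.log records (not taken from the bug's attachments).
# The source domain abrt_t is an assumption.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1274579110.101:21): avc:  denied  { read } for  pid=1412 comm="abrtd" name="abrt" dev=dm-0 ino=131201 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1274579110.102:22): avc:  denied  { setattr } for  pid=1412 comm="abrtd" name="abrt" dev=dm-0 ino=131201 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=USER_START msg=audit(1274579111.000:23): user pid=1500 uid=0 res=success
'''
# ls -lZd output as posted in the thread.
LS_LINE = "drwxr-xr-x. abrt abrt system_u:object_r:var_spool_t:s0 /var/spool/abrt"

def context_type(text):
    """Return the SELinux type of the first user:role:type:level context in text."""
    m = CONTEXT_RE.search(text)
    return m.group(1) if m else None

def denials(audit_text, comm):
    """Map (target type, object class) -> set of permissions denied to comm."""
    found = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("comm") == comm:
            key = (context_type(m.group("tcontext")), m.group("tclass"))
            found[key].update(m.group("perms").split())
    return dict(found)

def diagnose(audit_text, comm, ls_line, expected_type):
    """Tell a mislabeled directory apart from a missing allow rule."""
    on_disk = context_type(ls_line)
    perms = ",".join(sorted(denials(audit_text, comm).get((on_disk, "dir"), ())))
    if not perms:
        return "no dir denials against on-disk type %s" % on_disk
    if on_disk != expected_type:
        return "mislabeled: %s instead of %s; denied %s" % (on_disk, expected_type, perms)
    return "label matches policy; denied %s needs a policy rule" % perms

if __name__ == "__main__":
    # expected_type is an assumed value; take it from matchpathcon on a real host.
    print(diagnose(SAMPLE_AUDIT, "abrtd", LS_LINE, "abrt_var_cache_t"))
```

If the installed policy has no file-context entry for the path, `matchpathcon` itself returns the inherited type and `restorecon` changes nothing, which is why the thread ends with a policy update rather than a relabel alone.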