Bug 596347
Summary: | pyhook: statvfs('/var/spool/abrt'): Permission denied | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Michal Nowak <mnowak> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 6.0 | CC: | ahecox, dvlasenk, dwalsh, gavin, kklic, mgrepl, mmalik, npajkovs, ohudlick, syeghiay |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.7.19-22 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2010-07-02 20:53:51 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Michal Nowak
2010-05-26 16:04:25 UTC
Michal, can you please try it again with SELinux turned off? Does it still say 'Permission denied?' Just to be sure SELinux doesn't forget to report the incident. It works with selinux turned off. The strange part is that we do not seem to be getting any AVC denials! We only see statfs() syscall (which is what glibc calls when one calls statvfs() function in C) fails with EPERM. Correction. It's EACCESS, not EPERM. Here's the part of the strace log. The crashed python process was run under root: # grep -e 'set[a-z]*uid(' -e EPERM -e EACCESS -e 'statv*fs' -e abrt-hook-python LOG 8782 statfs("/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0 8783 statfs("/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0 8783 setfsuid(0) = 0 8783 setfsuid(0) = 0 8783 setfsuid(0) = 0 8783 setfsuid(0) = 0 8785 setuid(0) = 0 8785 statfs("/root/.xauthr0arLD-c", {f_type="EXT2_SUPER_MAGIC", f_bsize=4096, f_blocks=2519771, f_bfree=655765, f_bavail=527765, f_files=640848, f_ffree=409688, f_fsid={-430438761, 1438887161}, f_namelen=255, f_frsize=4096}) = 0 8783 setfsuid(0) = 0 8783 setfsuid(0) = 0 8786 setuid(0 <unfinished ...> 8786 statfs("/root/.xauthfOoY60-c", {f_type="EXT2_SUPER_MAGIC", f_bsize=4096, f_blocks=2519771, f_bfree=655740, f_bavail=527740, f_files=640848, f_ffree=409687, f_fsid={-430438761, 1438887161}, f_namelen=255, f_frsize=4096}) = 0 8787 setreuid(0, 0) = 0 8789 read(5, "4/python2.6/os.pyt\24\0\0\0_make_statvfs_result\335\2\0\0s\2\0\0\0\0\1c\1\0\0\0\3\0\0\0\2\0\0\0C\0\0\0s\34\0\0\0|\0\0i\0\0\203\0\0\\\2\0}\1\0}\2\0t\1\0|\2\0"..., 4096) = 1834 8790 execve("/usr/libexec/abrt-hook-python", ["/usr/libexec/abrt-hook-python", "--pid=8789", "--executable=/usr/share/system-config-display/xconf.py"], [/* 14 vars */] 8790 ("/var/spool/abrt", 0x7fff55516c00) = -1 EACCES (Permission denied) 8790 sendto(3, "<27>May 26 18:42:58 abrt[8790]: statvfs('/var/spool/abrt'): Permission denied", 77, MSG_NOSIGNAL, NULL, 0) = 77 Is it a problem of /usr/libexec/abrt-hook-python not having enough privileges? Last lines got messed up by copy/paste. Correct ones: 8790 execve("/usr/libexec/abrt-hook-python", ["/usr/libexec/abrt-hook-python", "--pid=8789", "--executable=/usr/share/system-config-display/xconf.py"], [/* 14 vars */] <unfinished ...> 8790 statfs("/var/spool/abrt", 0x7fff55516c00) = -1 EACCES (Permission denied) 8790 sendto(3, "<27>May 26 18:42:58 abrt[8790]: statvfs('/var/spool/abrt'): Permission denied", 77, MSG_NOSIGNAL, NULL, 0) = 77 Dan, we need to add files_search_spool(abrt_helper_t) Fixed in selinux-policy-3.7.19-22.fc13.noarch Red Hat Enterprise Linux Beta 2 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you. |