Bug 599648
| Summary: | O SELinux está impedindo o acesso a /usr/sbin/abrtd "remove_name" on ccpp-1275570766-2137.lock | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | gelo <emanwesk-2> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | rawhide | CC: | dwalsh, garrett.mitchener, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:558106ccf9fb504c4a583a4044a028078500a116de621c22ae2006cee037d46d | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-06-03 20:39:10 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
gelo
2010-06-03 17:08:20 UTC
restorecon -R -v /var/spool Can we re-open this? I just removed abrt, reinstalled it, and I'm already getting message that it doesn't have permission to change /var/spool/abrt etc. From /var/log/messages: Sep 17 08:48:14 localhost setroubleshoot: SELinux is preventing /usr/sbin/abrtd "read" access on /var/spool/abrt. For complete SELinux messages. run sealert -l 93c54708-1555-4664-ad9c-fa8993491929 Sep 17 08:48:14 localhost setroubleshoot: SELinux is preventing /usr/sbin/abrtd "unlink" access on abrt.socket. For complete SELinux messages. run sealert -l dd 0ffb70-19ba-47a8-b760-d149e313a171 ... [root@grograman]# sealert -l 93c54708-1555-4664-ad9c-fa8993491929 Summary: SELinux is preventing /usr/sbin/abrtd "read" access on /var/spool/abrt. Detailed Description: [abrtd has a permissive type (abrt_t). This access was not denied.] SELinux denied access requested by abrtd. It is not expected that this access is required by abrtd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:system_r:abrt_t:SystemLow-SystemHigh Target Context system_u:object_r:var_spool_t:SystemLow Target Objects /var/spool/abrt [ dir ] Source abrtd Source Path /usr/sbin/abrtd Port <Unknown> Host grograman Source RPM Packages abrt-1.1.13-2.fc13 Target RPM Packages abrt-1.1.13-2.fc13 Policy RPM selinux-policy-3.7.19-54.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name grograman Platform Linux grograman 2.6.34.6-54.fc13.x86_64 #1 SMP Sun Sep 5 17:16:27 UTC 2010 x86_64 x86_64 Alert Count 2 First Seen Fri Sep 17 08:48:11 2010 Last Seen Fri Sep 17 08:48:33 2010 Local ID 93c54708-1555-4664-ad9c-fa8993491929 Line Numbers Raw Audit Messages node=grograman type=AVC msg=audit(1284727713.749:51399): avc: denied { read } for pid=25998 comm="abrtd" name="abrt" dev=dm-1 ino=20972161 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir node=grograman type=SYSCALL msg=audit(1284727713.749:51399): arch=c000003e syscall=2 success=yes exit=12 a0=7fffc33769d0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=25998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="abrtd" exe="/usr/sbin/abrtd" subj=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null) I've tried restorecon, and it makes no changes. This is what I see: [root@grograman]# ls -lZ /var/spool/ drwxr-xr-x. abrt abrt system_u:object_r:var_spool_t:SystemLow abrt drwx------. abrt abrt system_u:object_r:var_spool_t:SystemLow abrt-upload ... Somewhere some security context is wrong and I can't figure out how to fix it... Could you execute yum reinstall selinux-policy-targeted And tell me if it works correctly. Then execute restorecon -R -v /var/spool You should see something like matchpathcon /var/spool/abrt /var/spool/abrt system_u:object_r:abrt_var_cache_t:s0 Can we re-open this? I just removed abrt, reinstalled it, and I'm already getting message that it doesn't have permission to change /var/spool/abrt etc. From /var/log/messages: Sep 17 08:48:14 localhost setroubleshoot: SELinux is preventing /usr/sbin/abrtd "read" access on /var/spool/abrt. For complete SELinux messages. run sealert -l 93c54708-1555-4664-ad9c-fa8993491929 Sep 17 08:48:14 localhost setroubleshoot: SELinux is preventing /usr/sbin/abrtd "unlink" access on abrt.socket. For complete SELinux messages. run sealert -l dd 0ffb70-19ba-47a8-b760-d149e313a171 ... [root@grograman]# sealert -l 93c54708-1555-4664-ad9c-fa8993491929 Summary: SELinux is preventing /usr/sbin/abrtd "read" access on /var/spool/abrt. Detailed Description: [abrtd has a permissive type (abrt_t). This access was not denied.] SELinux denied access requested by abrtd. It is not expected that this access is required by abrtd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:system_r:abrt_t:SystemLow-SystemHigh Target Context system_u:object_r:var_spool_t:SystemLow Target Objects /var/spool/abrt [ dir ] Source abrtd Source Path /usr/sbin/abrtd Port <Unknown> Host grograman Source RPM Packages abrt-1.1.13-2.fc13 Target RPM Packages abrt-1.1.13-2.fc13 Policy RPM selinux-policy-3.7.19-54.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name grograman Platform Linux grograman 2.6.34.6-54.fc13.x86_64 #1 SMP Sun Sep 5 17:16:27 UTC 2010 x86_64 x86_64 Alert Count 2 First Seen Fri Sep 17 08:48:11 2010 Last Seen Fri Sep 17 08:48:33 2010 Local ID 93c54708-1555-4664-ad9c-fa8993491929 Line Numbers Raw Audit Messages node=grograman type=AVC msg=audit(1284727713.749:51399): avc: denied { read } for pid=25998 comm="abrtd" name="abrt" dev=dm-1 ino=20972161 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir node=grograman type=SYSCALL msg=audit(1284727713.749:51399): arch=c000003e syscall=2 success=yes exit=12 a0=7fffc33769d0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=25998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="abrtd" exe="/usr/sbin/abrtd" subj=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null) I've tried restorecon, and it makes no changes. This is what I see: [root@grograman]# ls -lZ /var/spool/ drwxr-xr-x. abrt abrt system_u:object_r:var_spool_t:SystemLow abrt drwx------. abrt abrt system_u:object_r:var_spool_t:SystemLow abrt-upload ... Somewhere some security context is wrong and I can't figure out how to fix it... Did you do what I asked? https://bugzilla.redhat.com/show_bug.cgi?id=599648#c3 If I reinstall the policy, I get this error message:
[root@grograman]# yum reinstall selinux-policy-targeted
Loaded plugins: fastestmirror, presto, priorities, protectbase, refresh-
: packagekit, versionlock
Setting up Reinstall Process
Loading mirror speeds from cached hostfile
* fedora: hpc.arc.georgetown.edu
* fedora-32: hpc.arc.georgetown.edu
* fedora-32-updates: hpc.arc.georgetown.edu
* rpmfusion-free: mirror.liberty.edu
* rpmfusion-free-updates: mirror.liberty.edu
* rpmfusion-nonfree: mirror.liberty.edu
* rpmfusion-nonfree-updates: mirror.liberty.edu
* updates: hpc.arc.georgetown.edu
0 packages excluded due to repository protections
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy-targeted.noarch 0:3.7.19-54.fc13 set to be reinstalled
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Reinstalling:
selinux-policy-targeted noarch 3.7.19-54.fc13 fedora-32-updates 2.3 M
Transaction Summary
================================================================================
Reinstall 1 Package(s)
Total download size: 2.3 M
Installed size: 2.6 M
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
Processing delta metadata
Package(s) data still to download: 2.3 M
selinux-policy-targeted-3.7.19-54.fc13.noarch.rpm | 2.3 MB 00:02
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : selinux-policy-targeted-3.7.19-54.fc13.noarch 1/1
libsepol.expand_terule_helper: duplicate TE rule for init_t httpd_exec_t:process httpd_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
Installed:
selinux-policy-targeted.noarch 0:3.7.19-54.fc13
Complete!
Then the restorecon command seems to do nothing, and /var/spool is like it was before.
These might be related: Bug #570912, Bug #579553 But I don't have any of these 389 packages installed, and that policy bug was supposedly patched several versions ago...? Do you have that ldap package installed? [root@grograman]# rpm -qa | grep -i ldap apr-util-ldap-1.3.9-3.fc13.x86_64 openldap-2.4.21-10.fc13.i686 openldap-devel-2.4.21-10.fc13.x86_64 nss_ldap-264-10.fc13.x86_64 python-ldap-2.3.10-1.fc13.x86_64 openldap-2.4.21-10.fc13.x86_64 I don't know if this makes a difference, but there are a lot of files in my /etc/selinux that don't belong to any rpm package according to rpm -qf. Most of them are files like this: /etc/selinux/targeted/modules/active/modules/apache.pp [root@grograman]# ls -l /etc/selinux/targeted/modules/active/modules/apache.pp -rw-------. 1 root root 24048 Jul 22 21:43 /etc/selinux/targeted/modules/active/modules/apache.pp and I don't know if these are used by the selinux system and just not registered with rpm, or if I should get rid of them because they duplicate something...? semodule -l To list all packages. Something is screwed up on your system. You can do the following to fix it up. # setenforce 0 # rm -rf /etc/selinux/targeted/modules # yum reinstall selinux-policy-targeted # restorecon -R -v /etc/selinux # setenforce 1 Okay, I tried the sequence of commands you listed in comment #11. That seems to have fixed the problem. I then ran restorecon on the whole file system, and it made many changes, including to /var/spool/abrtd*. Something must have gone wrong before now that kept the policy package from getting updated properly. I've been running all day with no security complaints. Thank you very much! |