| Summary: | SELinux is preventing /usr/bin/gdb from 'read' accesses on the lnk_file /usr/lib/debug/.build-id/5d/363f921f4545ef2e76fa9405d096745d4177fd.debug. |
|---|---|
| Product: | Fedora |
| Reporter: | Steve Tyler <stephent98> |
| Component: | selinux-policy |
| Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium |
| Docs Contact: | |
| Priority: | unspecified |
| Version: | 15 |
| CC: | dwalsh, mgrepl |
| Target Milestone: | --- |
| Target Release: | --- |
| Hardware: | x86_64 |
| OS: | Linux |
| Whiteboard: | setroubleshoot_trace_hash:45a657221a5fc1e4ca57de9be74e2c865bffaff6bff4404d8683d318aed6100b |
| Fixed In Version: | |
| Doc Type: | Bug Fix |
| Doc Text: | |
| Story Points: | --- |
| Clone Of: | |
| Environment: | |
| Last Closed: | 2011-10-07 14:12:23 UTC |
| Type: | --- |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| CRM: | |
| Verified Versions: | |
| Category: | --- |
| oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- |
| Target Upstream Version: | |
| Attachments: | |
Created attachment 492108 [details]
ls -alZ /usr/lib/debug/.build-id/5d

FWIW ...

Created attachment 492111 [details]
ls -alZ --full-time /usr/lib/debug/.build-id/5d

Not sure how to handle this, since you have files that were generated without labels.

You can fix this by executing

chcon -t lib_t -R /usr/lib/debug/.build-id

But we don't want to set labels under /usr/lib/debug in general, because we don't know the content under there.

(In reply to comment #3)
> Not sure how to handle this, since you have files that were generated without
> labels.
>
> You can fix this by executing
>
> chcon -t lib_t -R /usr/lib/debug/.build-id
>
>
> But we don't want to set labels under /usr/lib/debug in general, because we
> don't know the content under there.

OK. From the log, I had selinux=0 on the kernel command line when glibc-debuginfo was updated.

Snippet from /var/log/messages-20110410:

Apr 10 02:49:08 fir kernel: [ 0.000000] Kernel command line: ro root=UUID=aea7900f-11da-4b35-b827-4112b4095f4a rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYTABLE=us selinux=0
...
Apr 10 02:54:57 fir yum[1675]: Updated: 1:control-center-filesystem-3.0.0.1-3.fc15.x86_64
Apr 10 02:55:01 fir yum[1675]: Updated: 1:control-center-3.0.0.1-3.fc15.x86_64
Apr 10 02:55:03 fir yum[1675]: Updated: glibc-debuginfo-common-2.13.90-9.x86_64
Apr 10 02:55:07 fir yum[1675]: Updated: glibc-debuginfo-2.13.90-9.x86_64
Apr 10 02:55:08 fir yum[1675]: Updated: orca-3.0.0-2.fc15.x86_64

It looks like gdm was trying to generate a backtrace when the avc occurred.

Snippet from /var/log/messages:

...
Apr 12 10:13:11 fir gdm-simple-greeter[1859]: Gtk-WARNING: gtk_widget_size_allocate(): attempt to allocate widget with width -47 and height -47
Apr 12 10:13:15 fir pulseaudio[1851]: ratelimit.c: 11 events suppressed
Apr 12 10:13:19 fir pam: gdm-password[1877]: CRITICAL: act_user_manager_get_user: assertion `username != NULL && username[0] != '\0'' failed
Apr 12 10:13:19 fir gdm[1880]: ******************* START **********************************
Apr 12 10:13:20 fir dbus: [system] Activating service name='org.fedoraproject.Setroubleshootd' argv0='/lib64/dbus-1/dbus-daemon-launch-helper'
Apr 12 10:13:20 fir gdm[1880]: [Thread debugging using libthread_db enabled]
Apr 12 10:13:20 fir dbus: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Apr 12 10:13:20 fir gdm[1880]: 0x00000036a180ef5e in waitpid () from /lib64/libpthread.so.0
Apr 12 10:13:20 fir gdm[1880]: #0 0x00000036a180ef5e in waitpid () from /lib64/libpthread.so.0
...

Created attachment 492132 [details]
/var/log/messages with gdm-generated backtrace

Is this still the problem?
SELinux is preventing /usr/bin/gdb from 'read' accesses on the lnk_file /usr/lib/debug/.build-id/5d/363f921f4545ef2e76fa9405d096745d4177fd.debug.

***** Plugin file (36.8 confidence) suggests *******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

***** Plugin file (36.8 confidence) suggests *******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

***** Plugin catchall_labels (23.2 confidence) suggests ********************

If you want to allow gdb to have read access on the 363f921f4545ef2e76fa9405d096745d4177fd.debug lnk_file
Then you need to change the label on /usr/lib/debug/.build-id/5d/363f921f4545ef2e76fa9405d096745d4177fd.debug
Do
# semanage fcontext -a -t FILE_TYPE '/usr/lib/debug/.build-id/5d/363f921f4545ef2e76fa9405d096745d4177fd.debug'
where FILE_TYPE is one of the following: xdm_dbusd_t, fonts_cache_t, textrel_shlib_t, ssh_home_t, alsa_etc_rw_t, rpm_script_tmp_t, xdm_tmpfs_t, var_run_t, var_run_t, user_home_t, xdm_tmp_t, userdomain, configfile, domain, rpm_var_cache_t, proc_net_t, xdm_etc_t, gnome_home_type, rpm_var_lib_t, xdm_var_lib_t, etc_runtime_t, home_root_t, config_usr_t, udev_var_run_t, pam_var_console_t, var_lock_t, selinux_config_t, abrt_t, bin_t, cert_t, lib_t, lib_t, root_t, user_home_dir_t, usr_t, device_t, device_t, devlog_t, hwdata_t, locale_t, etc_t, fonts_t, ld_so_t, user_tmpfs_t, proc_t, proc_t, sysfs_t, xdm_t, bin_t, var_run_t, var_run_t, var_run_t, cert_t.
Then execute:
restorecon -v '/usr/lib/debug/.build-id/5d/363f921f4545ef2e76fa9405d096745d4177fd.debug'

***** Plugin catchall (5.04 confidence) suggests ***************************

If you believe that gdb should be allowed read access on the 363f921f4545ef2e76fa9405d096745d4177fd.debug lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gdb /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:file_t:s0
Target Objects                /usr/lib/debug/.build-id/5d/363f921f4545ef2e76fa9405d096745d4177fd.debug [ lnk_file ]
Source                        gdb
Source Path                   /usr/bin/gdb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gdb-7.2.50.20110328-31.fc15
Target RPM Packages           glibc-debuginfo-2.13.90-9
Policy RPM                    selinux-policy-3.9.16-14.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.2-9.fc15.x86_64 #1 SMP Wed Mar 30 16:55:57 UTC 2011 x86_64 x86_64
Alert Count                   8
First Seen                    Tue 12 Apr 2011 10:13:20 AM PDT
Last Seen                     Tue 12 Apr 2011 10:13:20 AM PDT
Local ID                      484825b1-52f3-49ab-8786-087151d3bd0e

Raw Audit Messages
type=AVC msg=audit(1302628400.549:75): avc: denied { read } for pid=1881 comm="gdb" name="363f921f4545ef2e76fa9405d096745d4177fd.debug" dev=sdb6 ino=293178 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1302628400.549:75): arch=x86_64 syscall=access success=no exit=EACCES a0=1a8f310 a1=0 a2=1a8f352 a3=1 items=0 ppid=1880 pid=1881 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=gdb exe=/usr/bin/gdb subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: gdb,xdm_t,file_t,lnk_file,read

audit2allow

#============= xdm_t ==============
allow xdm_t file_t:lnk_file read;

audit2allow -R

#============= xdm_t ==============
allow xdm_t file_t:lnk_file read;
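The point of this report is that the denial is not a policy gap at all: the target context is `file_t`, the type a file keeps when it was written while SELinux was disabled, so the `allow xdm_t file_t:lnk_file read;` rule that audit2allow proposes would be the wrong fix (it would let the display manager read every unlabeled symlink on the system), and relabeling is the right one. The following script is an added example, not part of the bug report or of setroubleshoot: it parses raw AVC records in the format quoted above, rebuilds the single-denial rule audit2allow would emit, and sorts each denial into a "relabel" or "policy" bucket. The first sample line is the AVC record from this report; the second denial and the SYSCALL line are constructed for the example, and the `file_t`/`unlabeled_t` test is an assumption about the targeted policy's default types.

```python
"""Triage SELinux AVC denials: missing label, or genuine policy decision?

Added example, not code from the Bugzilla report or from setroubleshoot.
Parses raw audit AVC records, rebuilds the allow rule audit2allow would
emit, and flags denials whose target type is file_t / unlabeled_t (objects
that never received a label, e.g. files installed with selinux=0) as
relabel cases, where loading a local allow module would be the wrong fix.
"""
import re

# Assumed: target types that mean "no label" rather than "policy forbids it".
# file_t is what a file keeps when it was created with SELinux disabled;
# unlabeled_t shows up on objects from filesystems that carry no labels.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+"
    r"avc:\s+(?P<action>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs after "for": values are bare tokens or double-quoted strings
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "action": m.group("action"),
        "perms": m.group("perms").split(),
    }
    for key, quoted, bare in FIELD_RE.findall(m.group("rest")):
        rec[key] = bare if bare else quoted
    return rec


def context_type(ctx):
    """Type component of a user:role:type[:range] context string."""
    return ctx.split(":")[2]


def allow_rule(rec):
    """The rule audit2allow would generate for this single denial."""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (
        context_type(rec["scontext"]), context_type(rec["tcontext"]),
        rec["tclass"], perm_str)


def triage(line):
    """Classify one denial as 'relabel' or 'policy'; None if not a denial."""
    rec = parse_avc(line)
    if rec is None or rec["action"] != "denied":
        return None
    stype = context_type(rec["scontext"])
    ttype = context_type(rec["tcontext"])
    rule = allow_rule(rec)
    result = {
        "serial": rec["serial"], "comm": rec.get("comm"), "name": rec.get("name"),
        "source_type": stype, "target_type": ttype, "tclass": rec["tclass"],
        "perms": rec["perms"], "rule": rule,
    }
    if ttype in UNLABELED_TYPES:
        result["verdict"] = "relabel"
        result["advice"] = (
            "target type %s means the object has no label; restore labels "
            "(restorecon -R on its directory, or touch /.autorelabel) instead of "
            "loading '%s', which would grant %s '%s' on every unlabeled %s"
            % (ttype, rule, stype, " ".join(rec["perms"]), rec["tclass"]))
    else:
        result["verdict"] = "policy"
        result["advice"] = (
            "labels are intact, so this denial is a policy decision; confirm the "
            "access is legitimate before considering '%s'" % rule)
    return result


def triage_log(lines):
    """Run triage over an audit log and keep only the denials."""
    return [r for r in (triage(ln) for ln in lines) if r is not None]


# Sample input: line 1 is the raw AVC record quoted in the bug report; line 2 is
# constructed for this example (a denial on a correctly labeled file); line 3 is
# the SYSCALL record that accompanies an AVC and is skipped by the parser.
SAMPLE_LOG = [
    'type=AVC msg=audit(1302628400.549:75): avc:  denied  { read } for  pid=1881 '
    'comm="gdb" name="363f921f4545ef2e76fa9405d096745d4177fd.debug" dev=sdb6 '
    'ino=293178 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:file_t:s0 tclass=lnk_file',
    'type=AVC msg=audit(1302628450.000:80): avc:  denied  { read open } for  '
    'pid=2200 comm="httpd" name="shadow" dev=sdb6 ino=131 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1302628400.549:75): arch=x86_64 syscall=access '
    'success=no exit=EACCES comm=gdb exe=/usr/bin/gdb',
]

if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print("%d %s -> %s:%s %s [%s]" % (r["serial"], r["source_type"],
              r["target_type"], r["tclass"], " ".join(r["perms"]), r["verdict"]))
        print("   " + r["advice"])
```

Feeding it `/var/log/audit/audit.log` in place of `SAMPLE_LOG` reproduces the `allow xdm_t file_t:lnk_file read;` line shown in the report for serial 75, but tags it "relabel" because the target type is `file_t`; the constructed `shadow_t` denial, whose labels are correct, comes back as "policy" so that a reviewer does not treat the two kinds of denial the same way.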