| Summary: | SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the setuid capability. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | David Nečas <yeti> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 15 | CC: | anton, dominick.grift, dvlasenk, dwalsh, iprikryl, james, jmoskovc, kklic, mgrepl, mtoman, npajkovs |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.9.16-34.fc15 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-07-18 22:32:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
abrt-ccpp is a separate service, so if you need to run: $ service abrt-ccpp stop - but the hook needs setuid, so we need to fix the policy -> reassigning to selinux David, please try to test it with the latest policy available from koji http://koji.fedoraproject.org/koji/buildinfo?buildID=252337 With policy 3.9.16-33.fc15 it works as expected. *** Bug 722215 has been marked as a duplicate of this bug. *** selinux-policy-3.9.16-34.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-34.fc15 Package selinux-policy-3.9.16-34.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-34.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-34.fc15 then log in and leave karma (feedback). selinux-policy-3.9.16-34.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: When a non-packaged program segfaults the SELinux alert SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the setuid capability. is generated. Intriguingly, this happens also when the abrtd service is *disabled*. And, of course, no coredump is created. Version-Release number of selected component (if applicable): abrt-2.0.3-1.fc15.x86_64 selinux-policy-3.9.16-32.fc15.noarch How reproducible: Always. Steps to Reproduce: 1. Create segfault.c with the following content: int main(void) { *(int*)0 = 0; return 0; } 2. Compile it gcc -o segfault segfault.c 3a. Enable SELinux (setenforce Enforcing), enable abrtd (systemctl start abrtd.service) and run ./segfault 3b. Enable SELinux (setenforce Enforcing), disable abrtd (systemctl stop abrtd.service) and run ./segfault 3c. Disable SELinux (setenforce Permissive), enable abrtd (systemctl start abrtd.service) and run ./segfault 3d. Disable SELinux (setenforce Permissive), disable abrtd (systemctl stop abrtd.service) and run ./segfault Actual results: In all four cases: The above SELinux alert is reported. In cases 3c and 3d (disabled SELinux) a coredump is created; in cases 3a and 3b (enabled SELinux) no coredump is produced. Expected results: A coredump is created in all four cases. No SELinux alert is reported in any case. abrt is not involved at all in cases 3b and 3d. Additional info: I am not sure if this belongs to abrt, selinux-policy or elsewhere. But it is weird that I get alerts about abrt doing something when it should be disabled. The detailed sealert report: SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the setuid capability. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that abrt-hook-ccpp should have the setuid capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:abrt_helper_t:s0 Target Context system_u:system_r:abrt_helper_t:s0 Target Objects Unknown [ capability ] Source abrt-hook-ccpp Source Path /usr/libexec/abrt-hook-ccpp Port <Unknown> Host smut Source RPM Packages abrt-addon-ccpp-2.0.3-1.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-32.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name smut Platform Linux smut 2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54 UTC 2011 x86_64 x86_64 Alert Count 9 First Seen Wed 13 Jul 2011 07:22:13 PM CEST Last Seen Wed 13 Jul 2011 08:25:25 PM CEST Local ID bc996e38-423f-4302-a794-9bf208219381 Raw Audit Messages type=AVC msg=audit(1310581525.657:85): avc: denied { setuid } for pid=2208 comm="abrt-hook-ccpp" capability=7 scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:abrt_helper_t:s0 tclass=capability type=SYSCALL msg=audit(1310581525.657:85): arch=x86_64 syscall=setresuid success=yes exit=0 a0=ffffffffffffffff a1=1f4 a2=ffffffffffffffff a3=0 items=0 ppid=5 pid=2208 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=4294967295 comm=abrt-hook-ccpp exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:abrt_helper_t:s0 key=(null) Hash: abrt-hook-ccpp,abrt_helper_t,abrt_helper_t,capability,setuid audit2allow #============= abrt_helper_t ============== allow abrt_helper_t self:capability setuid; audit2allow -R #============= abrt_helper_t ============== allow abrt_helper_t self:capability setuid;