| Summary: | SELinux is preventing /usr/bin/gdb from 'read' accesses on the file /usr/lib/debug/lib64/libselinux.so.1.debug. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Horst H. von Brand <vonbrand> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:350dec93806a3dd80945005956a3cdcb12a4f313c068f1bedabf145e4dad0cbf | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-07-15 17:34:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
restorecon -R -v /var/lib/debug And please yum -y update. |
SELinux is preventing /usr/bin/gdb from 'read' accesses on the file /usr/lib/debug/lib64/libselinux.so.1.debug. ***** Plugin file (36.8 confidence) suggests ******************************* If you think this is caused by a badly mislabeled machine. Then you need to fully relabel. Do touch /.autorelabel; reboot ***** Plugin file (36.8 confidence) suggests ******************************* If you think this is caused by a badly mislabeled machine. Then you need to fully relabel. Do touch /.autorelabel; reboot ***** Plugin catchall_labels (23.2 confidence) suggests ******************** If you want to allow gdb to have read access on the libselinux.so.1.debug file Then you need to change the label on /usr/lib/debug/lib64/libselinux.so.1.debug Do # semanage fcontext -a -t FILE_TYPE '/usr/lib/debug/lib64/libselinux.so.1.debug' where FILE_TYPE is one of the following: nsplugin_rw_t, system_dbusd_var_lib_t, policykit_auth_exec_t, abrt_t, bin_t, cert_t, tmp_t, usr_t, abrt_var_run_t, noxattrfs, prelink_exec_t, nsplugin_home_t, fusefs_t, locale_t, ld_so_t, nfs_t, proc_t, sysfs_t, sysctl_crypto_t, system_cronjob_var_lib_t, policykit_var_lib_t, abrt_exec_t, rpm_exec_t, abrt_t, lib_t, shell_exec_t, afs_cache_t, abrt_helper_exec_t, modules_object_t, sosreport_tmp_t, abrt_tmp_t, var_lib_t, dbusd_etc_t, ld_so_t, configfile, userdomain, domain, rpm_var_cache_t, abrt_var_cache_t, textrel_shlib_t, abrt_etc_t, fail2ban_var_lib_t, rpm_log_t, var_log_t, policykit_reload_t, mta_exec_type, rpm_script_tmp_t, abrt_var_log_t, rpm_var_lib_t, rpm_var_run_t, net_conf_t, user_cron_spool_t, etc_runtime_t, anon_inodefs_t, sysctl_kernel_t, httpd_modules_t, abrt_var_run_t, ld_so_cache_t, sosreport_exec_t, exec_type, root_t. Then execute: restorecon -v '/usr/lib/debug/lib64/libselinux.so.1.debug' ***** Plugin catchall (5.04 confidence) suggests *************************** If you believe that gdb should be allowed read access on the libselinux.so.1.debug file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep gdb /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:abrt_t:s0-s0:c0.c1023 Target Context system_u:object_r:file_t:s0 Target Objects /usr/lib/debug/lib64/libselinux.so.1.debug [ file ] Source gdb Source Path /usr/bin/gdb Port <Unknown> Host (removed) Source RPM Packages elfutils-0.152-1.fc16 Target RPM Packages libselinux-debuginfo-2.0.101-1.fc16 Policy RPM selinux-policy-3.9.16-15.fc16 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.39-0.rc2.git0.0.fc16.x86_64 #1 SMP Wed Apr 6 15:30:19 UTC 2011 x86_64 x86_64 Alert Count 25 First Seen Sat 16 Apr 2011 10:36:27 AM CLST Last Seen Sat 16 Apr 2011 01:01:04 PM CLST Local ID b9bcca8d-f338-4728-a46e-135261748841 Raw Audit Messages type=AVC msg=audit(1302969664.280:113): avc: denied { read } for pid=7783 comm="eu-unstrip" name="libselinux.so.1.debug" dev=dm-2 ino=3946542 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file type=SYSCALL msg=audit(1302969664.280:113): arch=x86_64 syscall=open success=no exit=EACCES a0=b102f0 a1=0 a2=0 a3=2e78756e696c6573 items=0 ppid=770 pid=7783 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=eu-unstrip exe=/usr/bin/eu-unstrip subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null) Hash: gdb,abrt_t,file_t,file,read audit2allow #============= abrt_t ============== allow abrt_t file_t:file read; audit2allow -R #============= abrt_t ============== allow abrt_t file_t:file read;