| Summary: | SELinux is preventing abrt-dump-oops from 'syslog_read' accesses on the system Unknown. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | MM Masaeli <mm.masaeli> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 15 | CC: | 1083479006, abiheiri, ach3com, ADent123, aktigger99645, alezflute, alienv, allen.jaloola, alpha, arifiauo, artishock, artur_lima, aslka126, atuimaginacion, baraary, barbara.xxx1975, bethebeast, bgodusky, blackcode, brad.banko, bugzilla, chris.trader, chrys87, chuongnse91, chydavy, cortocircuit, dami_dami, dan, darron_p, dcelix, denpanagioto, devonjanitz, dew, dlelliott99, doctore, dominick.grift, dungmai145, dwalsh, edosurina, edpsmgr, ekanter, enadir, eric.rannaud, ernschettino, eugenesatterlund, ewaisen, fall.from.eden, fgrose, flama.es, flokip, fry.futurateam, fry.kun, galerienv, g_harika, GoinEasy9, haildmitry, halon.by, hemant.toraskar, hugh.crowther, jamundso, jannhorn, jasonbangbang, jdulaney, jk, jlayton, jmda91, jmikulka, jmoskovc, johasixt, josian2200, julroy67, juniorbenyi, kb6tal, kikus87, knowledgeispower80, kwizart, larieu, laurent.rineau__fedora, le2ka, lemaire_eugene, leonyd.b, linux_03619, little.rascalz, lohithvnm, long, luya, maidenleo2000, mandreou, marbolangos, marco.guazzone, mauricephilips, m-brauer, me, metcalf-butcher.brendon.s, mgrepl, mikey, mjean-bat1991, mnowak, mpdcsu, mrbigdog320, mrnelvin, msava, mvadkert, naoki, nberrehouc, nextgeneration422, nhat.buiduy, nicolas.mailhot, nihar_smily17, nimilsoman, nlminhtl, nomad0227, nomnex, old.uncle.z, oliver.henshaw, oliver.steven, orion520a, pafcu, paul, posti_roska, pouet, raf64flo, rafael.mores, rafiii48, ramayu_sr17, rbwang1225, ribionudabout, rithmns, rob.d.wills, robertop, rockonthemoonfm, rodrigoatique, roman, root.ameen, rtmetz92, rvokal, sdunn2000, sebastian2cortes, sebastian.s.schmidt, seventhguardian, sgallagh, shiv, shnurapet, slawomir.czarko, soldierspain, stlux, stressfreechozeme, support, tap3ahchina, terrance.wickman, turanvural, uckelman, vbudrevic, vg.aetera, vic.uned, vmedrea, willkyc, younissf, zolddombsag |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:72a25e0199e80706ecebbed0691b1a66cdd7228eb737d0e4ddfb7ce14f12c949 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-10-08 20:57:39 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Just tried to launch google-chrome-unstable-14.0.825.0-92801.x86_64

We are working on a policy for abrt-dump-oops in f16, we probably should back port to F15.

I am just testing this policy in f16 and looks good.

Got this when updating the system on a new install.

*** Bug 724825 has been marked as a duplicate of this bug. ***

Fixed in selinux-policy-3.9.16-36.fc15

selinux-policy-3.9.16-37.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-37.fc15

Package selinux-policy-3.9.16-37.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-37.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-37.fc15
then log in and leave karma (feedback).

It seems the problem still exists after applying the update and restarting my machine.

What AVC are you getting?

SELinux is preventing /usr/bin/abrt-dump-oops from syslog_read access on the system Unknown.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that abrt-dump-oops should be allowed syslog_read access on the Unknown system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:abrt_helper_t:s0
Target Context system_u:system_r:kernel_t:s0
Target Objects Unknown [ system ]
Source abrt-dump-oops
Source Path /usr/bin/abrt-dump-oops
Port <Unknown>
Host Masood-laptop.Corpsedomain
Source RPM Packages abrt-addon-kerneloops-2.0.3-1.fc15
Target RPM Packages
Policy RPM selinux-policy-3.9.16-37.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name Masood-laptop.Corpsedomain
Platform Linux Masood-laptop.Corpsedomain
2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54
UTC 2011 x86_64 x86_64
Alert Count 5
First Seen Sun 07 Aug 2011 11:41:53 PM IRDT
Last Seen Mon 08 Aug 2011 12:05:38 PM IRDT
Local ID dd7de24b-a90f-4268-b17f-4d3a879b4964
Raw Audit Messages
type=AVC msg=audit(1312788938.457:8): avc: denied { syslog_read } for pid=1006 comm="abrt-dump-oops" scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1312788938.457:8): arch=x86_64 syscall=syslog success=no exit=EACCES a0=3 a1=2182090 a2=3fff a3=0 items=0 ppid=1 pid=1006 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-dump-oops exe=/usr/bin/abrt-dump-oops subj=system_u:system_r:abrt_helper_t:s0 key=(null)
Hash: abrt-dump-oops,abrt_helper_t,kernel_t,system,syslog_read
audit2allow
#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;
audit2allow -R
#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;
Could you try to execute
# yum reinstall selinux-policy-targeted --enablerepo=updates-testing
and make sure nothing blows up.

Still present, 3.9.16-37 installed.

(In reply to comment #12)
> Could you try to execute
>
> # yum reinstall selinux-policy-targeted --enablerepo=updates-testing
>
> and make sure nothing blows up.

I executed this, but the problem still occurs!

Package selinux-policy-3.9.16-38.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-38.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-38.fc15
then log in and leave karma (feedback).

The new package produces the bug after restarting!
You can see the AVC below. Notice that the Policy RPM is selinux-policy-3.9.16-38.fc15
SELinux is preventing /usr/bin/abrt-dump-oops from syslog_read access on the system Unknown.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that abrt-dump-oops should be allowed syslog_read access on the Unknown system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:abrt_helper_t:s0
Target Context system_u:system_r:kernel_t:s0
Target Objects Unknown [ system ]
Source abrt-dump-oops
Source Path /usr/bin/abrt-dump-oops
Port <Unknown>
Host Masood-laptop.Corpsedomain
Source RPM Packages abrt-addon-kerneloops-2.0.3-1.fc15
Target RPM Packages
Policy RPM selinux-policy-3.9.16-38.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name Masood-laptop.Corpsedomain
Platform Linux Masood-laptop.Corpsedomain
2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54
UTC 2011 x86_64 x86_64
Alert Count 18
First Seen Sun 07 Aug 2011 11:41:53 PM IRDT
Last Seen Sat 13 Aug 2011 01:24:58 PM IRDT
Local ID dd7de24b-a90f-4268-b17f-4d3a879b4964
Raw Audit Messages
type=AVC msg=audit(1313225698.372:10): avc: denied { syslog_read } for pid=1042 comm="abrt-dump-oops" scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1313225698.372:10): arch=x86_64 syscall=syslog success=no exit=EACCES a0=3 a1=bf4090 a2=3fff a3=0 items=0 ppid=1 pid=1042 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-dump-oops exe=/usr/bin/abrt-dump-oops subj=system_u:system_r:abrt_helper_t:s0 key=(null)
Hash: abrt-dump-oops,abrt_helper_t,kernel_t,system,syslog_read
audit2allow
#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;
audit2allow -R
#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;
Does
restorecon -v /usr/bin/abrt-dump-oops
change the label of the program?

# ls -Z /usr/bin/abrt-dump-oops
-rwxr-xr-x. root root system_u:object_r:abrt_helper_exec_t:s0 /usr/bin/abrt-dump-oops
# restorecon -v /usr/bin/abrt-dump-oops
# ls -Z /usr/bin/abrt-dump-oops
-rwxr-xr-x. root root system_u:object_r:abrt_helper_exec_t:s0 /usr/bin/abrt-dump-oops

Ok it looks like the back port did not happen. Miroslav can you recheck this.

My bug is fixed, I don't remember what I did to take care of it. Thanks for the help. Is there a way to delete this bug report so I no longer see it here?

Definitely my fault. I did not change the label
# chcon -t /usr/bin/abrt-dump-oops /usr/bin/abrt-dump-oops
will fix.

chcon: failed to change context of `/usr/bin/abrt-dump-oops' to `system_u:object_r:/usr/bin/abrt-dump-oops:s0': Invalid argument

Bug finder is right. My system says it too:
chcon: failed to change context of `/usr/bin/abrt-dump-oops' to `system_u:object_r:/usr/bin/abrt-dump-oops:s0': Invalid argument
But it fixed after executing these commands:
# chcon -t /usr/bin/abrt-dump-oops /usr/bin/abrt-dump-oops
# grep chcon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
# chcon -t /usr/bin/abrt-dump-oops /usr/bin/abrt-dump-oops
but now a new SELinux alert appears here! I'm a little confused :p

Typo, should be
chcon -t abrt_dump_oops_exec_t /usr/bin/abrt-dump-oops

Updating to selinux-policy-3.9.16-38.fc15 is not enough -
chcon -t abrt_dump_oops_exec_t /usr/bin/abrt-dump-oops
solves the problem.

Yes, it will fix in selinux-policy-3.9.16-39.fc15

it's helpful thanks in advance

I got this error while updating my system after a fresh install from LiveUSB.

Yes, a new package will be available as an update soon.
For now, you can fix it using
chcon -t abrt_dump_oops_exec_t /usr/bin/abrt-dump-oops

selinux-policy-3.9.16-38.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.

Not fixed in selinux-policy-3.9.16-38.fc15

What is not fixed? What does
matchpathcon /usr/bin/abrt-dump-oops
say?

Having same issue, selinux-policy-3.9.16-38.fc15
# matchpathcon /usr/bin/abrt-dump-oops
/usr/bin/abrt-dump-oops system_u:object_r:abrt_helper_exec_t:s0

As I wrote, this is fixed in selinux-policy-3.9.16-39.fc15.
# yum update selinux-policy --enablerepo=updates-testing

3.9.16-39 is not yet in updates-testing.

If so, you can use the build from koji
http://koji.fedoraproject.org/koji/buildinfo?buildID=262145

appears fixed with 3.9.16-39.fc15

I'm still getting the error with selinux-policy-3.9.16-39.fc15
SELinux is preventing /usr/bin/abrt-dump-oops from syslog_read access on the system Unknown.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that abrt-dump-oops should be allowed syslog_read access on the Unknown system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:abrt_helper_t:s0
Target Context system_u:system_r:kernel_t:s0
Target Objects Unknown [ system ]
Source abrt-dump-oops
Source Path /usr/bin/abrt-dump-oops
Port <Unknown>
Host fedora15kde13
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.9.16-39.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name fedora15kde13
Platform Linux fedora15kde13 2.6.40.4-5.fc15.i686.PAE #1
SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686
Alert Count 70
First Seen Mon 18 Jul 2011 11:33:27 AM EDT
Last Seen Tue 13 Sep 2011 06:48:16 PM EDT
Local ID c62ad7b2-afd1-433c-90bd-8abfee80a956
Raw Audit Messages
type=AVC msg=audit(1315954096.657:13): avc: denied { syslog_read } for pid=1197 comm="abrt-dump-oops" scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
Hash: abrt-dump-oops,abrt_helper_t,kernel_t,system,syslog_read
audit2allow
#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;
audit2allow -R
#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;
Using the work around, I get the error:
[root@fedora15kde13 GoinEasy9]# grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i mypol.pp
[root@fedora15kde13 GoinEasy9]# semodule -i mypol.pp
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
semodule: Failed!
restorecon -R -v /usr/bin/abrt-dump-oops
will fix it.

Fixed in selinux-policy-3.9.16-39.fc15 (now pushed to stable)

Test running fine, closing.
SELinux is preventing abrt-dump-oops from 'syslog_read' accesses on the system Unknown.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that abrt-dump-oops should be allowed syslog_read access on the Unknown system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:abrt_helper_t:s0
Target Context system_u:system_r:kernel_t:s0
Target Objects Unknown [ system ]
Source abrt-dump-oops
Source Path abrt-dump-oops
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.9.16-34.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54 UTC 2011 x86_64 x86_64
Alert Count 1
First Seen Sun 17 Jul 2011 02:11:14 PM IRDT
Last Seen Sun 17 Jul 2011 02:11:14 PM IRDT
Local ID 8947d70f-9cd4-4e6f-831a-9df3c4cc9081
Raw Audit Messages
type=AVC msg=audit(1310895674.679:11): avc: denied { syslog_read } for pid=1047 comm="abrt-dump-oops" scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
Hash: abrt-dump-oops,abrt_helper_t,kernel_t,system,syslog_read
audit2allow
#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;
audit2allow -R
#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;