| Summary: | SELinux is preventing abrt-dump-oops from 'open' accesses on the fichier /var/log/messages. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Nicolas Mailhot <nicolas.mailhot> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 15 | CC: | alezflute, blackcode, chrys87, dominick.grift, dwalsh, etnomax, evfirerob, fedora, firejim, flama.es, gregory.r.bryant, jeroen, jonathangraham82, josian2200, JWRobin3, larieu, mads, mauricephilips, melanphos, mgrepl, nberrehouc, nicolas.mailhot, pablo.castellazzi, pratyush.a.sahay, puglieseweb, ramayu_sr17, renich, rtekel, stedchris, stressfreechozeme, trevor, vikigoyal |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:054c6b1de43c4bff86617a509bf225a74ff156e2439609d4e28379edb392a825 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-08-07 20:27:17 UTC | Type: | --- |

Fixed in selinux-policy-3.10.0-6.fc16

I got this in f15. "closed rawhide" seems a bit conservative - I hope it soon will be pushed to f15 too. (AFAIK that is how you handle se policies anyway.)

Yes, I am backporting abrt-dump-oops policy to F15 which will fix it.

I still see this with
selinux-policy-targeted-3.9.16-39.fc15.noarch
abrt-addon-kerneloops-2.0.3-3.fc15.i686
because of a wrong label on /usr/bin/abrt-dump-oops ; context system_u:object_r:abrt_helper_exec_t:s0->system_u:object_r:abrt_dump_oops_exec_t:s0

I would expect that the file was relabelled automatically when the policy was installed. Isn't that how it should be?

I started getting this again since yesterday after I ran yum update (there were a few abrt updates).

(In reply to comment #5)
> I started getting this again since yesterday after I ran yum update (there were
> a few abrt updates).

I too am getting it with the new update.

Could you add the raw AVC msg which you are getting?

SELinux is preventing /usr/bin/abrt-dump-oops from 'open' accesses on the file /var/log/messages.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that abrt-dump-oops should be allowed open access on the messages file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:abrt_helper_t:s0
Target Context unconfined_u:object_r:var_log_t:s0
Target Objects /var/log/messages [ file ]
Source abrt-dump-oops
Source Path /usr/bin/abrt-dump-oops
Port <Unknown>
Host (removed)
Source RPM Packages abrt-addon-kerneloops-2.0.3-4.fc15
Target RPM Packages
Policy RPM selinux-policy-3.9.16-38.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux (removed) 2.6.40.4-5.fc15.i686 #1 SMP Tue
Aug 30 14:54:41 UTC 2011 i686 i686
Alert Count 1
First Seen Mon 03 Oct 2011 08:11:02 PM IST
Last Seen Mon 03 Oct 2011 08:11:02 PM IST
Local ID 537dd6ad-2941-4b6b-b361-08f1e4f7dcb6
Raw Audit Messages
type=AVC msg=audit(1317652862.80:33273): avc: denied { open } for pid=14256 comm="abrt-dump-oops" name="messages" dev=sda3 ino=1330 scontext=system_u:system_r:abrt_helper_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1317652862.80:33273): arch=i386 syscall=open success=yes exit=EINTR a0=bf9cff7e a1=8000 a2=0 a3=83700a8 items=0 ppid=1 pid=14256 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-dump-oops exe=/usr/bin/abrt-dump-oops subj=system_u:system_r:abrt_helper_t:s0 key=(null)
Hash: abrt-dump-oops,abrt_helper_t,var_log_t,file,open
audit2allow
#============= abrt_helper_t ==============
allow abrt_helper_t var_log_t:file open;
audit2allow -R
#============= abrt_helper_t ==============
allow abrt_helper_t var_log_t:file open;

Mislabeled again?

restorecon -n -v /usr/bin/abrt-dump-oops

Should fix, if it does not, please reopen this bug.

I get another SELinux alert after running restorecon.
Raw Audit Messages
type=AVC msg=audit(1317658841.661:33994): avc: denied { syslog_read } for pid=16015 comm="abrt-dump-oops" scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1317658841.661:33994): arch=i386 syscall=syslog success=yes exit=16383 a0=3 a1=91a70a8 a2=3fff a3=0 items=0 ppid=1 pid=16015 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-dump-oops exe=/usr/bin/abrt-dump-oops subj=system_u:system_r:abrt_helper_t:s0 key=(null)
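
Both alerts quoted in this thread name the same source domain, `abrt_helper_t`, for the same executable. As an added example (not part of the bug report or of setroubleshoot), this Python code joins each AVC record to the SYSCALL record of the same audit event and groups the denials by executable and domain; the function names are hypothetical.

```python
import re
from collections import defaultdict

# The two events quoted in this thread; SYSCALL records are trimmed to the
# fields used below.
SAMPLE = """\
type=AVC msg=audit(1317652862.80:33273): avc: denied { open } for pid=14256 comm="abrt-dump-oops" name="messages" dev=sda3 ino=1330 scontext=system_u:system_r:abrt_helper_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1317652862.80:33273): arch=i386 syscall=open success=yes pid=14256 comm=abrt-dump-oops exe=/usr/bin/abrt-dump-oops subj=system_u:system_r:abrt_helper_t:s0
type=AVC msg=audit(1317658841.661:33994): avc: denied { syslog_read } for pid=16015 comm="abrt-dump-oops" scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1317658841.661:33994): arch=i386 syscall=syslog success=yes pid=16015 comm=abrt-dump-oops exe=/usr/bin/abrt-dump-oops subj=system_u:system_r:abrt_helper_t:s0
"""

HEAD = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
PERMS = re.compile(r"denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def denials(log_text):
    """Join each AVC denial with the SYSCALL record of the same audit event."""
    exe_by_event, avcs = {}, []
    for line in log_text.splitlines():
        head = HEAD.match(line)
        if not head:
            continue
        rtype, event = head.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[head.end():])}
        if rtype == "SYSCALL":
            exe_by_event[event] = fields.get("exe")
        elif rtype == "AVC" and (m := PERMS.search(line)):
            avcs.append((event, fields, m.group(1).split()))
    return [{"exe": exe_by_event.get(ev), "comm": f["comm"],
             "source": se_type(f["scontext"]), "target": se_type(f["tcontext"]),
             "tclass": f["tclass"], "perms": perms} for ev, f, perms in avcs]

def by_domain(records):
    """Group denied accesses by (executable, source domain)."""
    out = defaultdict(set)
    for r in records:
        for p in r["perms"]:
            out[(r["exe"], r["source"])].add(f'{r["target"]}:{r["tclass"]} {p}')
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    for (exe, domain), accesses in by_domain(denials(SAMPLE)).items():
        print(f"{exe} ran as {domain}; denied: {', '.join(accesses)}")
```

When every denial for one executable shares a single source domain, compare the file's label from `ls -Z` with what `matchpathcon` reports before loading a local module built with `audit2allow`.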

ls -lZ /usr/bin/abrt-dump-oops
-rwxr-xr-x. root root system_u:object_r:abrt_helper_exec_t:s0 /usr/bin/abrt-dump-oops

# matchpathcon /usr/bin/abrt-dump-oops
# rpm -q selinux-policy

Also try to reinstall the policy and make sure nothing blows up

# yum reinstall selinux-policy-targeted

selinux-policy-3.9.16-38.fc15.noarch

I reinstalled selinux-policy and the problem persists.

[root@workstation ~]# matchpathcon /usr/bin/abrt-dump-oops
/usr/bin/abrt-dump-oops system_u:object_r:abrt_helper_exec_t:s0
[root@workstation ~]# rpm -q selinux-policy
selinux-policy-3.9.16-38.fc15.noarch
[root@workstation init.d]#

[root@workstation ~]# matchpathcon /usr/bin/abrt-dump-oops
/usr/bin/abrt-dump-oops system_u:object_r:abrt_helper_exec_t:s0
[root@workstation ~]# rpm -q selinux-policy
selinux-policy-3.9.16-38.fc15.noarch
[root@workstation ~]#

Ok,

# yum update selinux-policy --enablerepo=updates-testing

# matchpathcon /usr/bin/abrt-dump-oops
/usr/bin/abrt-dump-oops system_u:object_r:abrt_dump_oops_exec_t:s0

It seems to be fixed. I didn't get any alerts this time.

This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

SELinux is preventing abrt-dump-oops from 'open' accesses on the fichier /var/log/messages.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that abrt-dump-oops should be allowed open access on the messages file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:abrt_helper_t:s0
Target Context system_u:object_r:var_log_t:s0
Target Objects /var/log/messages [ file ]
Source abrt-dump-oops
Source Path abrt-dump-oops
Port <Inconnu>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.10.0-4.fc16
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux (removed) 3.0-0.rc7.git3.1.fc16.x86_64 #1 SMP Fri Jul 15 22:56:12 UTC 2011 x86_64 x86_64
Alert Count 1
First Seen dim. 17 juil. 2011 19:06:24 CEST
Last Seen dim. 17 juil. 2011 19:06:24 CEST
Local ID dc5342af-60f6-4999-93d2-2af11a1f0140
Raw Audit Messages
type=AVC msg=audit(1310922384.573:600): avc: denied { open } for pid=1269 comm="abrt-dump-oops" name="messages" dev=dm-1 ino=7058 scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
Hash: abrt-dump-oops,abrt_helper_t,var_log_t,file,open
audit2allow
#============= abrt_helper_t ==============
allow abrt_helper_t var_log_t:file open;
audit2allow -R
#============= abrt_helper_t ==============
allow abrt_helper_t var_log_t:file open;