Bug 739883
| Summary: | SELinux is preventing /usr/sbin/abrtd from 'create' access on the lnk_file .lock | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Michal Nowak <mnowak> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.2 | CC: | dwalsh, mmalik, nobody+abrt-devel-list, ohudlick |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | abrt_hash:bb6a870a99e5fe637767231e2a05211bf363470d3d6253b821ce763ec541fa8a | ||
| Fixed In Version: | selinux-policy-3.7.19-113.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-12-06 10:19:16 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 671354 | ||
I set DumpLocation = /tmp/abrt and let abrt create the dir. It got the following context:

drwxr-xr-x. abrt abrt unconfined_u:object_r:abrt_tmp_t:s0 /tmp/abrt

When I crashed an app and waited for it to be processed, I got the AVC (comment #0) and the following in /var/log/messages:

abrtd: Can't access '/tmp/abrt/ccpp-2011-09-20-12:24:39-27545': Permission denied
abrtd: Corrupted or bad dump /tmp/abrt/ccpp-2011-09-20-12:24:39-27545 (res:2), deleting
abrtd: Can't access '/tmp/abrt/ccpp-2011-09-20-12:24:39-27545': Permission denied
setroubleshoot: SELinux is preventing /usr/sbin/abrtd from create access on the lnk_file .lock. For complete SELinux messages. run sealert -l 9fc886dd-810b-4b02-a7e2-35869a9604a9
setroubleshoot: SELinux is preventing /usr/sbin/abrtd from create access on the lnk_file .lock. For complete SELinux messages. run sealert -l 9fc886dd-810b-4b02-a7e2-35869a9604a9

Well, this is not the default location and in this case when you change the default location, you need to allow it using a local policy.

I could add this to the default policy but I don't like the idea to have it in the /tmp dir.

(In reply to comment #3)
> Well, this is not the default location and in this case when you change the
> default location, you need to allow it using a local policy.
>
> I could add this to the default policy but I don't like the idea to have it in the
> /tmp dir.

- Sure, it was caused by lack of documentation, we need to warn users that this will happen if they change the defaults and they have to take care of it themselves...

Miroslav, let's add

manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)

If we allow the creation of the file and directory, not much reason to prevent the link.

I am fine with that. I just wanted to let the ABRT guys know, it should probably be documented. I mean

DumpLocation = /tmp/abrt

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html
abrt version: 2.0.5
executable: /usr/bin/python
hashmarkername: setroubleshoot
kernel: 2.6.32-198.el6.x86_64
reason: SELinux is preventing /usr/sbin/abrtd from 'create' accesses on the lnk_file .lock.
time: Tue Sep 20 12:33:22 2011

description:
:SELinux is preventing /usr/sbin/abrtd from 'create' accesses on the lnk_file .lock.
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If you believe that abrtd should be allowed create access on the .lock lnk_file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep abrtd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:system_r:abrt_t:s0-s0:c0.c1023
:Target Context                unconfined_u:object_r:abrt_tmp_t:s0
:Target Objects                .lock [ lnk_file ]
:Source                        abrtd
:Source Path                   /usr/sbin/abrtd
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           abrt-2.0.4-10.el6
:Target RPM Packages
:Policy RPM                    selinux-policy-3.7.19-110.el6
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed)
:                              2.6.32-198.el6.x86_64 #1 SMP Thu Sep 15 23:40:38
:                              EDT 2011 x86_64 x86_64
:Alert Count                   2
:First Seen                    Tue 20 Sep 2011 12:25:15 PM CEST
:Last Seen                     Tue 20 Sep 2011 12:25:15 PM CEST
:Local ID                      9fc886dd-810b-4b02-a7e2-35869a9604a9
:
:Raw Audit Messages
:type=AVC msg=audit(1316514315.268:2195): avc: denied { create } for pid=27543 comm="abrtd" name=".lock" scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:abrt_tmp_t:s0 tclass=lnk_file
:
:
:type=SYSCALL msg=audit(1316514315.268:2195): arch=x86_64 syscall=symlink success=no exit=EACCES a0=7fff2365a210 a1=7fff2365a1b0 a2=353435 a3=fffffffffffffff0 items=0 ppid=1 pid=27543 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=abrtd exe=/usr/sbin/abrtd subj=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
:
:Hash: abrtd,abrt_t,abrt_tmp_t,lnk_file,create
:
:audit2allow
:
:#============= abrt_t ==============
:allow abrt_t abrt_tmp_t:lnk_file create;
:
:audit2allow -R
:
:#============= abrt_t ==============
:allow abrt_t abrt_tmp_t:lnk_file create;
:
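
To show how the raw audit records in this report map to the `allow` rule that audit2allow printed, here is an added example (not part of the bug report and not audit2allow's own code). It pairs the AVC record with its SYSCALL record by audit event id and derives the rule; the function names are hypothetical, and it assumes one AVC record per audit event.

```python
import re
from collections import defaultdict

# Two records from the report above, same event id; SYSCALL shortened to the fields used.
SAMPLE = '''\
type=AVC msg=audit(1316514315.268:2195): avc: denied { create } for pid=27543 comm="abrtd" name=".lock" scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:abrt_tmp_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1316514315.268:2195): arch=x86_64 syscall=symlink success=no exit=EACCES pid=27543 comm=abrtd exe=/usr/sbin/abrtd
'''

HEAD = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def se_type(context):
    """The type is the third field of user:role:type:level[:categories]."""
    return context.split(':')[2]


def parse_events(text):
    """Group audit records by event id so an AVC is read with its SYSCALL."""
    events = defaultdict(dict)
    for line in text.splitlines():
        head = HEAD.search(line)
        if not head:
            continue  # not an audit record line
        rtype, event_id = head.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[head.end():])}
        perms = PERMS.search(line)
        if perms:
            fields['perms'] = perms.group(1).split()
        events[event_id][rtype] = fields
    return dict(events)


def allow_rules(events):
    """Merge denials per (source type, target type, class) into allow rules."""
    merged = defaultdict(set)
    for records in events.values():
        avc = records.get('AVC')
        if avc and 'perms' in avc:
            key = (se_type(avc['scontext']), se_type(avc['tcontext']), avc['tclass'])
            merged[key].update(avc['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules
```

The derived rule covers only the denied `create` permission, while the `manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)` line proposed in the discussion grants a broader set of symlink permissions.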