Bug 1002637 - SELinux is preventing /usr/bin/bash from 'read' accesses on the directory /var/crash.
SELinux is preventing /usr/bin/bash from 'read' accesses on the directory /va...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
19
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:71bc97d2623797e45a5462bb930...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-29 11:58 EDT by David Juran
Modified: 2013-09-07 20:36 EDT (History)
4 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-74.1.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-09-07 20:36:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Juran 2013-08-29 11:58:30 EDT
Description of problem:
I noticed that abrt wasn't catching crashes and /proc/sys/kernel/core_pattern wan't set to let abrt catch anything. So I tried restarting abrtd (systemctl restart abrtd.service) and got this AVC
SELinux is preventing /usr/bin/bash from 'read' accesses on the directory /var/crash.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed read access on the crash directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-harvest-vm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:kdump_crash_t:s0
Target Objects                /var/crash [ dir ]
Source                        abrt-harvest-vm
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.2.45-1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-73.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.9-200.fc19.x86_64 #1 SMP Wed
                              Aug 21 19:27:58 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-08-26 10:11:27 CEST
Last Seen                     2013-08-29 15:23:33 CEST
Local ID                      7437c667-0663-4a81-9859-98f4e3559381

Raw Audit Messages
type=AVC msg=audit(1377782613.645:1509): avc:  denied  { read } for  pid=30833 comm="abrt-harvest-vm" name="crash" dev="dm-0" ino=16252933 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kdump_crash_t:s0 tclass=dir


type=SYSCALL msg=audit(1377782613.645:1509): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=4a7ef7 a2=90800 a3=0 items=0 ppid=1 pid=30833 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=abrt-harvest-vm exe=/usr/bin/bash subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

Hash: abrt-harvest-vm,abrt_t,kdump_crash_t,dir,read

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.9-200.fc19.x86_64
type:           libreport
Comment 1 Miroslav Grepl 2013-09-03 05:03:14 EDT
commit df0e95750a4e1bfcd86ea636e395f7eab93a2963
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Sep 3 11:03:01 2013 +0200

    Fix kdump_read_crash() interface
Comment 2 Fedora Update System 2013-09-03 15:57:15 EDT
selinux-policy-3.12.1-74.1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.1.fc19
Comment 3 Fedora Update System 2013-09-04 21:38:44 EDT
Package selinux-policy-3.12.1-74.1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15819/selinux-policy-3.12.1-74.1.fc19
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2013-09-07 20:36:43 EDT
selinux-policy-3.12.1-74.1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.