Bug 1254188 - SELinux is preventing abrt-hook-ccpp from using the 'sigchld' accesses on a process.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Lukas Vrabec
QA Contact: Milos Malik
Docs Contact: Robert Krátký
Whiteboard: abrt_hash:e6d10fcd6f18e995dfe405a4aef...
Depends On: 1245477 1276305 1276931
Blocks: 1270165 1295396
Reported: 2015-08-17 07:48 EDT by Jakub Filak
Modified: 2016-11-30 19:50 EST

See Also:
Fixed In Version: selinux-policy-3.13.1-66.el7
Doc Type: Known Issue
Doc Text:
SELinux AVC generated when ABRT collects backtraces
If the new, optional ABRT feature that allows collecting backtraces from crashed processes without the need to write a core-dump file to disk is enabled (using the *CreateCoreBacktrace* option in the */etc/abrt/plugins/CCpp.conf* configuration file), an SELinux AVC message is generated when the "abrt-hook-ccpp" tool tries to use the *sigchld* access on a crashing process in order to get the list of functions on the process' stack.
Story Points: ---
Clone Of: 1245477
Environment:
Last Closed: 2016-11-03 22:20:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Jakub Filak 2015-08-17 07:48:57 EDT
+++ This bug was initially created as a clone of Bug #1245477 +++

Description of problem:
SELinux is preventing abrt-hook-ccpp from using the 'sigchld' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you think that abrt-hook-ccpp should be allowed sigchld access on processes labeled kernel_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ process ]
Source                        abrt-hook-ccpp
Source Path                   abrt-hook-ccpp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.6.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.0.8-300.fc22.x86_64 #1 SMP Fri
                              Jul 10 21:04:56 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-07-22 09:21:44 CEST
Last Seen                     2015-07-22 09:21:44 CEST
Local ID                      d1a0744e-253d-4c1d-8daf-956f26b68141

Raw Audit Messages
type=AVC msg=audit(1437549704.396:995): avc:  denied  { sigchld } for  pid=18368 comm="abrt-hook-ccpp" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=0


Hash: abrt-hook-ccpp,xdm_t,kernel_t,process,sigchld

Version-Release number of selected component:
selinux-policy-3.13.1-128.6.fc22.noarch

Additional info:
reporter:       libreport-2.6.1
hashmarkername: setroubleshoot
kernel:         4.0.8-300.fc22.x86_64
type:           libreport

Potential duplicate: bug 1242467

--- Additional comment from Johannes on 2015-07-26 18:13:58 CEST ---

Description of problem:
Fingerprint to access sudo

Version-Release number of selected component:
selinux-policy-3.13.1-128.6.fc22.noarch

Additional info:
reporter:       libreport-2.6.1
hashmarkername: setroubleshoot
kernel:         4.0.8-300.fc22.x86_64
type:           libreport

--- Additional comment from Jason Taylor on 2015-07-28 03:18:31 CEST ---

Description of problem:
installed all updates as of Monday, July 27th. After the updates started receiving this selinux issue.

Version-Release number of selected component:
selinux-policy-3.13.1-128.6.fc22.noarch

Additional info:
reporter:       libreport-2.6.1
hashmarkername: setroubleshoot
kernel:         4.0.8-300.fc22.x86_64
type:           libreport

--- Additional comment from  on 2015-07-31 01:50:54 CEST ---

Description of problem:
gnome-shell crashed on a monitor attach event, then abrt crashed while processing that crash

Version-Release number of selected component:
selinux-policy-3.13.1-128.8.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.2-200.fc22.x86_64
type:           libreport

--- Additional comment from  on 2015-08-05 01:50:47 CEST ---

Description of problem:
This often happens during the normal use of Firefox in Fedora 22.  No particular actions.

Version-Release number of selected component:
selinux-policy-3.13.1-128.8.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.3-200.fc22.x86_64
type:           libreport

--- Additional comment from Miroslav Grepl on 2015-08-05 12:28:22 CEST ---

Jakub,
what was our solution here?

--- Additional comment from Jakub Filak on 2015-08-05 12:51:13 CEST ---

(In reply to Miroslav Grepl from comment #5)
> Jakub,
> what was our solution here?

/usr/libexec/abrt-hook-ccpp is a core dumper used in /proc/sys/kernel/core_pattern.

Starting with abrt-2.6.1, abrt-hook-ccpp tries to ptrace(PTRACE_SEIZE, ..., PTRACE_O_TRACEEXIT) the process that is being dumped by kernel. It does that because we want to generate the crash backtrace before kernel unloads the process's memory. After we call ptrace() we have to waitpid() and check whether the ptrace action was successful.

If you want to trigger this functionality, just kill something with SIGABRT or run /usr/bin/will_segfault.

We did not notice any AVC when we were testing this feature.

--- Additional comment from Miroslav Grepl on 2015-08-05 16:13:58 CEST ---

Should we label it as abrt_helper_exec_t?

# chcon -t abrt_helper_exec_t /usr/libexec/abrt-hook-ccpp

--- Additional comment from H.W. on 2015-08-06 19:22:31 CEST ---

Description of problem:
Fedora Workstation 22 (x86-64) is installed as Guest in VMWare Workstation 10.0.7 (Host system is Win 8.1 Enterprise, x86-64). I installed updates ("su" with pwd) with "dnf updates" in a terminal session. I get a SELinux Alert before the updates are completely finished.

Version-Release number of selected component:
selinux-policy-3.13.1-128.8.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.3-201.fc22.x86_64
type:           libreport

--- Additional comment from  on 2015-08-07 03:50:41 CEST ---

Description of problem:
installed a new copy of F22, all upgraded, no other application installed other than gnome tweak tool.

Constantly comes up, and eventually crashed.

Version-Release number of selected component:
selinux-policy-3.13.1-128.8.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.3-201.fc22.x86_64
type:           libreport

--- Additional comment from H.W. on 2015-08-08 12:09:04 CEST ---

Description of problem:
Fedora 22 (x64) works as guest in a VMWare Workstation v10.0.7. Installed as "su" Adobe Flash Plugin in a terminal session with "dnf install adobe-release-x86_64-1.0-1.noarch.rpm" then "dnf install flash-plugin". After I close the terminal session with "exit" (su) and another "exit" (for the terminal session) I checked the installation in Firefox and closed the browser. Then I get a SELinux Alert and I am logged out.

Version-Release number of selected component:
selinux-policy-3.13.1-128.8.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.3-201.fc22.x86_64
type:           libreport

--- Additional comment from Miroslav Grepl on 2015-08-15 12:23:14 CEST ---



--- Additional comment from Miroslav Grepl on 2015-08-15 13:26:57 CEST ---

(In reply to Miroslav Grepl from comment #7)
> Should we label it as abrt_helper_exec_t?
> 
> # chcon -t abrt_helper_exec_t /usr/libexec/abrt-hook-ccpp

Ok we probably need to add another ABRT domain - either abrt_dump_oops_t or a new one. The point is this new domain will need to ptrace random domains and will require sigchld.

--- Additional comment from Miroslav Grepl on 2015-08-15 17:51:55 CEST ---



--- Additional comment from Miroslav Grepl on 2015-08-15 17:54:30 CEST ---

Lukas,
it works with

$ cat myabrt.cil

(block abrt_dump_oops_t)
(block kernel_t)

(in kernel_t
    (optional kernel_optional_abrt
    (call domtrans_pattern (kernel_t abrt_dump_oops_exec_t abrt_dump_oops_t))))

(in abrt_dump_oops_t
    (allow abrt_dump_oops_t self (capability (kill net_admin sys_ptrace)))
    (allow abrt_dump_oops_t proc_security_t (file (getattr read open)))
    (call domain_ptrace_all_domains (abrt_dump_oops_t))
    (call domain_read_all_domains_state (abrt_dump_oops_t))
    (call domain_signull_all_domains (abrt_dump_oops_t)))
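As an added example that is not part of this bug report, of abrt or of selinux-policy: a small Python triage script that parses AVC records like the raw audit message in the description, derives the allow rule that the suggested audit2allow command would generate for each denial, and flags denials carrying this issue's signature (abrt-hook-ccpp denied sigchld on a kernel_t process). The sample log is constructed: its first line is the AVC quoted in the description, the other two lines are made up to show a non-AVC record being skipped and a multi-permission denial.

```python
"""Triage SELinux AVC denials (added example; not code from the bug or from abrt)."""
import re

# Constructed sample log: line 1 is the AVC from this report, lines 2-3 are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1437549704.396:995): avc:  denied  { sigchld } for  pid=18368 comm="abrt-hook-ccpp" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1437549704.396:995): arch=c000003e syscall=62 success=no exit=-13
type=AVC msg=audit(1437549710.000:996): avc:  denied  { read open } for  pid=18370 comm="abrt-hook-ccpp" name="status" dev="proc" ino=4242 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file permissive=0
"""

# Fields of an AVC record: permissions in braces, pid/comm of the current task,
# source and target security contexts, object class, optional permissive flag.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+) '
    r'comm="(?P<comm>[^"]+)".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?'
)


def context_type(context):
    """Return the type component of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["pid"] = int(rec["pid"])
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    return rec


def allow_rule(rec):
    """The rule audit2allow would print for one denial (braces only for >1 perm)."""
    perms = " ".join(rec["perms"])
    if len(rec["perms"]) > 1:
        perms = "{ %s }" % perms
    return "allow %s %s:%s %s;" % (rec["stype"], rec["ttype"], rec["tclass"], perms)


def is_abrt_sigchld_issue(rec):
    """True when the denial has this report's signature: hook, sigchld, kernel_t target."""
    return (rec["comm"] == "abrt-hook-ccpp" and rec["tclass"] == "process"
            and "sigchld" in rec["perms"] and rec["ttype"] == "kernel_t")


def triage(log_text):
    """Return [(allow_rule, matches_this_bug)] for every AVC denial in the log."""
    recs = filter(None, (parse_avc(line) for line in log_text.splitlines()))
    return [(allow_rule(r), is_abrt_sigchld_issue(r)) for r in recs]
```

Running triage() over a real /var/log/audit/audit.log shows which denials are this known issue (fixed by the policy described in this bug) and which are unrelated and deserve their own investigation before any local module is installed.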
Comment 2 Lukas Vrabec 2015-08-19 04:15:02 EDT
commit 4aa1c3baa40ee46f933be6ae46d8ead33b1e7bc8
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Tue Aug 18 17:57:21 2015 +0200

    Allow kernel_t domtrans to abrt_dump_oops_t

commit 6ed1233656a984f3a25b16eba149ea48c423393b
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Tue Aug 18 18:00:41 2015 +0200

    Allow abrt_dump_oops_t to read proc_security_t files.

commit 7c8b04988b7520e41b912153b262eb38ae48c292
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Tue Aug 18 17:55:18 2015 +0200

    Allow abrt_dump_oops to signull all domains
    Allow abrt_dump_oops to read all domains state
    Allow abrt_dump_oops to ptrace all domains

commit 6bba8d31a4f39875b6d0e55eea7388bee5cefd0d
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Tue Aug 18 17:54:57 2015 +0200

    Add interface abrt_dump_oops_domtrans()
Comment 9 Miroslav Vadkerti 2015-10-05 10:47:59 EDT
Moving back to correct state
Comment 12 Lukas Vrabec 2015-10-08 06:37:41 EDT
We need to allow in kernel_read_security_state() also list_dir_perms on sysctl_fs_t. I have prepared a fix, will test it and then add the fix to distgit.
Comment 13 Miroslav Grepl 2015-10-08 06:38:45 EDT
We should allow to search all sysctls.
Comment 27 Lukas Vrabec 2016-03-10 08:36:03 EST
I backported all changes from Fedora related to this issue.
Comment 28 Mike McCune 2016-03-28 18:59:28 EDT
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Comment 32 errata-xmlrpc 2016-11-03 22:20:35 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html
