1254188 – SELinux is preventing abrt-hook-ccpp from using the 'sigchld' accesses on a process.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1254188 - SELinux is preventing abrt-hook-ccpp from using the 'sigchld' accesses on a process.

Summary: SELinux is preventing abrt-hook-ccpp from using the 'sigchld' accesses on a p...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.2
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:	Robert Krátký
URL:
Whiteboard:	abrt_hash:e6d10fcd6f18e995dfe405a4aef...
Depends On:	1245477 1276305 1276931
Blocks:	1270165 1295396
TreeView+	depends on / blocked

Reported:	2015-08-17 11:48 UTC by Jakub Filak
Modified:	2016-12-01 00:50 UTC (History)
CC List:	26 users (show)
Fixed In Version:	selinux-policy-3.13.1-66.el7
Doc Type:	Known Issue
Doc Text:	SELinux AVC generated when ABRT collects backtraces If the new, optional ABRT feature that allows collecting backtraces from crashed processes without the need to write a core-dump file to disk is enabled (using the CreateCoreBacktrace option in the /etc/abrt/plugins/CCpp.conf configuration file), an SELinux AVC message is generated when the "abrt-hook-ccpp" tool tries to use the sigchld access on a crashing process in order to get the list of functions on the process' stack.
Clone Of:	1245477
Environment:
Last Closed:	2016-11-04 02:20:35 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2283	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2016-11-03 13:36:25 UTC

Description Jakub Filak 2015-08-17 11:48:57 UTC

+++ This bug was initially created as a clone of Bug #1245477 +++

Description of problem:
SELinux is preventing abrt-hook-ccpp from using the 'sigchld' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If vous pensez que abrt-hook-ccpp devrait être autorisé à accéder sigchld sur les processus étiquetés kernel_t par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ process ]
Source                        abrt-hook-ccpp
Source Path                   abrt-hook-ccpp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.6.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.0.8-300.fc22.x86_64 #1 SMP Fri
                              Jul 10 21:04:56 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-07-22 09:21:44 CEST
Last Seen                     2015-07-22 09:21:44 CEST
Local ID                      d1a0744e-253d-4c1d-8daf-956f26b68141

Raw Audit Messages
type=AVC msg=audit(1437549704.396:995): avc:  denied  { sigchld } for  pid=18368 comm="abrt-hook-ccpp" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=0


Hash: abrt-hook-ccpp,xdm_t,kernel_t,process,sigchld

Version-Release number of selected component:
selinux-policy-3.13.1-128.6.fc22.noarch

Additional info:
reporter:       libreport-2.6.1
hashmarkername: setroubleshoot
kernel:         4.0.8-300.fc22.x86_64
type:           libreport

Potential duplicate: bug 1242467

--- Additional comment from Johannes on 2015-07-26 18:13:58 CEST ---

Description of problem:
Fingerprint to access sudo

Version-Release number of selected component:
selinux-policy-3.13.1-128.6.fc22.noarch

Additional info:
reporter:       libreport-2.6.1
hashmarkername: setroubleshoot
kernel:         4.0.8-300.fc22.x86_64
type:           libreport

--- Additional comment from Jason Taylor on 2015-07-28 03:18:31 CEST ---

Description of problem:
installed all updates as of Monday, July 27th. After the updates started receiving this selinux issue.

Version-Release number of selected component:
selinux-policy-3.13.1-128.6.fc22.noarch

Additional info:
reporter:       libreport-2.6.1
hashmarkername: setroubleshoot
kernel:         4.0.8-300.fc22.x86_64
type:           libreport

--- Additional comment from  on 2015-07-31 01:50:54 CEST ---

Description of problem:
gnome-shell crashed on a monitor attach event, then abrt crashed while processing that crash

Version-Release number of selected component:
selinux-policy-3.13.1-128.8.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.2-200.fc22.x86_64
type:           libreport

--- Additional comment from  on 2015-08-05 01:50:47 CEST ---

Description of problem:
This often happens during the normal use of Firefox in Fedora 22.  No particular actions.

Version-Release number of selected component:
selinux-policy-3.13.1-128.8.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.3-200.fc22.x86_64
type:           libreport

--- Additional comment from Miroslav Grepl on 2015-08-05 12:28:22 CEST ---

Jakub,
what was our solution here?

--- Additional comment from Jakub Filak on 2015-08-05 12:51:13 CEST ---

(In reply to Miroslav Grepl from comment #5)
> Jakub,
> what was our solution here?

/usr/libexec/abrt-hook-ccpp is a core dumper used in /proc/sys/kernel/core_pattern.

Strating with abrt-2.6.1, abrt-hook-ccpp tries to ptrace(PTRACE_SEIZE, ..., PTRACE_O_TRACEEXIT) the process that is being dumped by kernel. It does that because we want to generate the crash backtrace before kernel unloads the process's memory. After we call ptrace() we have to waitpid() and check whether the ptrace action was successful.

If you want to trigger this functionality, just kill something with SIGABRT or run /usr/bin/will_segfault.

We did not notice any AVC when we were testing this feature.

--- Additional comment from Miroslav Grepl on 2015-08-05 16:13:58 CEST ---

Should we label it as abrt_helper_exec_t?

# chcon -t abrt_helper_exec_t /usr/libexec/abrt-hook-ccpp

--- Additional comment from H.W. on 2015-08-06 19:22:31 CEST ---

Description of problem:
Fedora Workstation 22 (x86-64) is installed as Guest in VMWare Workstation 10.0.7 (Hostsystem is Win 8.1 Enterprise, x86-64). I installed updates ("su" with pwd) with "dnf updates" in a terminal session. I get a SELinux Alert before the updates are complete finished.

Version-Release number of selected component:
selinux-policy-3.13.1-128.8.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.3-201.fc22.x86_64
type:           libreport

--- Additional comment from  on 2015-08-07 03:50:41 CEST ---

Description of problem:
installed a new copy of F22, all upgraded, no other appication installed other that gnome tweak tool.

Constantly comes up, and eventually crashed.

Version-Release number of selected component:
selinux-policy-3.13.1-128.8.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.3-201.fc22.x86_64
type:           libreport

--- Additional comment from H.W. on 2015-08-08 12:09:04 CEST ---

Description of problem:
Fedora 22 (x64) works as guest in a VMWare Workstation v10.0.7. Installed as "su" Adobe Flash Plugin in a terminal session with "dnf install adobe-release-x86_64-1.0-1.noarch.rpm" then "dnf install flash-plugin". After i close the terminal session with "exit" (su) and another "exit" (for the terminal session) i checked the installation in Firefox and closed the browser. Then i get a SELinux Alert and i am logged out.

Version-Release number of selected component:
selinux-policy-3.13.1-128.8.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.3-201.fc22.x86_64
type:           libreport

--- Additional comment from Miroslav Grepl on 2015-08-15 12:23:14 CEST ---



--- Additional comment from Miroslav Grepl on 2015-08-15 13:26:57 CEST ---

(In reply to Miroslav Grepl from comment #7)
> Should we label it as abrt_helper_exec_t?
> 
> # chcon -t abrt_helper_exec_t /usr/libexec/abrt-hook-ccpp

Ok we probably need to add another ABRT domain - either abrt_dump_oops_t or a new one. The point is this new domain will need to ptrace random domains and will require sigchld.

--- Additional comment from Miroslav Grepl on 2015-08-15 17:51:55 CEST ---



--- Additional comment from Miroslav Grepl on 2015-08-15 17:54:30 CEST ---

Lukas,
it works with

$ cat myabrt.cil

(block abrt_dump_oops_t)
(block kernel_t)

(in kernel_t
    (optional kernel_optional_abrt
    (call domtrans_pattern (kernel_t abrt_dump_oops_exec_t abrt_dump_oops_t))))

(in abrt_dump_oops_t
    (allow abrt_dump_oops_t self (capability (kill net_admin sys_ptrace)))
    (allow abrt_dump_oops_t proc_security_t (file (getattr read open)))
    (call domain_ptrace_all_domains (abrt_dump_oops_t))
    (call domain_read_all_domains_state (abrt_dump_oops_t))
    (call domain_signull_all_domains (abrt_dump_oops_t)))

Comment 2 Lukas Vrabec 2015-08-19 08:15:02 UTC

commit 4aa1c3baa40ee46f933be6ae46d8ead33b1e7bc8
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 18 17:57:21 2015 +0200

    Allow kernel_t domtrans to abrt_dump_oops_t

commit 6ed1233656a984f3a25b16eba149ea48c423393b
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 18 18:00:41 2015 +0200

    Allow abrt_dump_oops_t to read proc_security_t files.

commit 7c8b04988b7520e41b912153b262eb38ae48c292
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 18 17:55:18 2015 +0200

    Allow abrt_dump_oops to signull all domains
    Allow abrt_dump_oops to read all domains state
    Allow abrt_dump_oops to ptrace all domains

commit 6bba8d31a4f39875b6d0e55eea7388bee5cefd0d
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 18 17:54:57 2015 +0200

    Add interface abrt_dump_oops_domtrans()

Comment 9 Miroslav Vadkerti 2015-10-05 14:47:59 UTC

Moving back to correct state

Comment 12 Lukas Vrabec 2015-10-08 10:37:41 UTC

We need to allow in kernel_read_security_state() also list_dir_perms on sysctl_fs_t. I have prepared fix, will test it and then add fix to distgit.

Comment 13 Miroslav Grepl 2015-10-08 10:38:45 UTC

We should allow to search all sysctls.

Comment 27 Lukas Vrabec 2016-03-10 13:36:03 UTC

I back port all changes from Fedora related to this issue.

Comment 28 Mike McCune 2016-03-28 22:59:28 UTC

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 32 errata-xmlrpc 2016-11-04 02:20:35 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

Note You need to log in before you can comment on or make changes to this bug.

autarch
bztdlinux
dominick.grift
dwalsh
edosurina
extras-qa
frankk74
geezuslucifer
japan
jberan
jfilak
jsmith.fedora
jtfas90
karsonijunior
lantw44
lmiksik
lvrabec
mgrepl
mkyral
mmalik
mvadkert
plautrba
pvrabec
rehol3
rkratky
ssekidde