Bug 1263717 - avc: denied { execmem } for comm="spacewalk-abrt"
Status: NEW
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 25
Hardware: Unspecified Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Lukas Vrabec
QA Contact: Ben Levenson
Duplicates: 1398376
Reported: 2015-09-16 09:44 EDT by Pavel Studeník
Modified: 2017-01-31 10:40 EST

Doc Type: Bug Fix
Type: Bug

Description Pavel Studeník 2015-09-16 09:44:43 EDT
Description of problem:
I find AVC messages for spacewalk-abrt on Fedora 22.

----
time->Sun Sep 13 19:39:51 2015
type=AVC msg=audit(1442187591.812:1655): avc:  denied  { execmem } for  pid=30860 comm="spacewalk-abrt" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Sun Sep 13 19:39:53 2015
type=AVC msg=audit(1442187593.915:1657): avc:  denied  { sigchld } for  pid=30869 comm="abrt-hook-ccpp" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=0
----
time->Sun Sep 13 19:40:05 2015
type=AVC msg=audit(1442187605.891:1658): avc:  denied  { execmem } for  pid=31022 comm="spacewalk-abrt" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=process permissive=0


Version-Release number of selected component (if applicable):
spacewalk-selinux-2.3.2-1.fc22.noarch


How reproducible:
Always on Fedora 22.
Comment 1 Milos Malik 2015-09-24 09:57:31 EDT
The following local policy solved the problem. SELinux denials and segfaults do not appear anymore.

# cat mypolicy.te 
policy_module(mypolicy, 1.0)

require {
  type abrt_t;
  type kernel_t;
  class process { execmem sigchld };
}

allow abrt_t abrt_t : process { execmem };
allow abrt_t kernel_t : process { sigchld };
#
Comment 2 Pavel Studeník 2016-10-07 08:29:03 EDT
The problem with SELinux still exists on Fedora 24.

time->Thu Oct  6 19:01:26 2016
type=AVC msg=audit(1475794886.859:821): avc:  denied  { write } for  pid=2789 comm="spacewalk-abrt" name="spacewalk_abrt" dev="dm-0" ino=9068401 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
----
time->Thu Oct  6 19:01:26 2016
type=AVC msg=audit(1475794886.869:822): avc:  denied  { execmem } for  pid=2789 comm="spacewalk-abrt" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=process permissive=0
----

package: selinux-policy-3.13.1-191.17.fc24.noarch
Comment 3 Tomas Lestach 2016-10-07 10:31:09 EDT
Pavel, do you see these SELinux denials on the Spacewalk server or on the client system registered to Spacewalk?
Comment 4 Pavel Studeník 2017-01-31 05:33:22 EST
We still see this problem in our automation on Fedora 24.

time->Mon Jan 30 12:44:54 2017
type=AVC msg=audit(1485798294.573:1032): avc:  denied  { execmem } for  pid=9475 comm="spacewalk-abrt" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=process permissive=0
Comment 5 Pavel Studeník 2017-01-31 05:33:53 EST
*** Bug 1398376 has been marked as a duplicate of this bug. ***
Comment 7 Pavel Studeník 2017-01-31 06:58:46 EST
The problem is only on the client side with spacewalk-abrt.

Reproducer from Bug 1398376

Steps to Reproduce:
0. install spacewalk-abrt 
1. abrt-auto-reporting enabled
2. run abrt service - systemctl restart abrt-oops abrt-ccpp abrtd
3. produce event for abrt (kill -s SEGV)
Comment 9 Pavel Studeník 2017-01-31 08:45:18 EST
Same AVC message on Fedora 25 - only client side.

type=AVC msg=audit(1485870209.555:188): avc:  denied  { execmem } for  pid=3609 comm="spacewalk-abrt" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=process permissive=0
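
An added example, not part of the bug thread and not code from the selinux-policy or Spacewalk projects: it parses AVC records copied from the comments above and checks which denials the allow rules from Comment 1 would cover. All function names are hypothetical, and the rule parser handles only simple `allow` statements of the form used in Comment 1, not the full policy language.

```python
import re

# AVC records copied from the comments in this report.
SAMPLE_LOG = """\
type=AVC msg=audit(1442187591.812:1655): avc:  denied  { execmem } for  pid=30860 comm="spacewalk-abrt" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1442187593.915:1657): avc:  denied  { sigchld } for  pid=30869 comm="abrt-hook-ccpp" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=0
type=AVC msg=audit(1475794886.859:821): avc:  denied  { write } for  pid=2789 comm="spacewalk-abrt" name="spacewalk_abrt" dev="dm-0" ino=9068401 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1475794886.869:822): avc:  denied  { execmem } for  pid=2789 comm="spacewalk-abrt" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=process permissive=0
"""

# Allow rules from the local policy module posted in Comment 1.
LOCAL_POLICY = """\
allow abrt_t abrt_t : process { execmem };
allow abrt_t kernel_t : process { sigchld };
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')
ALLOW_RE = re.compile(
    r'allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*(?:\{([^}]*)\}|(\S+))\s*;')

def se_type(context):
    """Return the type field (third) of a user:role:type:level context."""
    return context.split(":")[2]

def parse_denials(log):
    """Yield (comm, source_type, target_type, tclass, perm) per denied permission."""
    for m in AVC_RE.finditer(log):
        for perm in m["perms"].split():
            yield (m["comm"], se_type(m["scon"]), se_type(m["tcon"]), m["tclass"], perm)

def parse_allows(policy):
    """Return the set of (source, target, class, perm) tuples the rules grant."""
    granted = set()
    for src, tgt, cls, braced, single in ALLOW_RE.findall(policy):
        if tgt == "self":  # "self" means the source type itself
            tgt = src
        for perm in (braced or single).split():
            granted.add((src, tgt, cls, perm))
    return granted

def uncovered(log, policy):
    """Denials in the log that the policy's allow rules would still not permit."""
    granted = parse_allows(policy)
    return sorted({d for d in parse_denials(log) if d[1:] not in granted})

if __name__ == "__main__":
    for comm, src, tgt, cls, perm in uncovered(SAMPLE_LOG, LOCAL_POLICY):
        print(f"not covered: {comm}: allow {src} {tgt}:{cls} {perm};")
```

Run against these records, the only denial left uncovered by the Comment 1 rules is the `write` on a `usr_t` directory first reported in Comment 2.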
