Bug 1266582 - SELinux is preventing gdb from using the 'ptrace' accesses on a process.
Summary: SELinux is preventing gdb from using the 'ptrace' accesses on a process.
Keywords:
Status: CLOSED DUPLICATE of bug 1021795
Alias: None
Product: Fedora
Classification: Fedora
Component: qemu
Version: 22
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Fedora Virtualization Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:24ca97bace046cbd7386f689964...
Depends On:
Blocks:
Reported: 2015-09-25 17:32 UTC by Luya Tshimbalanga
Modified: 2016-03-17 15:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-17 15:10:52 UTC
Type: ---
Embargoed:



Description Luya Tshimbalanga 2015-09-25 17:32:32 UTC
Description of problem:
Deleting borked Fedora Rawhide from Gnome Boxes.
SELinux is preventing gdb from using the 'ptrace' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gdb should be allowed ptrace access on processes labeled svirt_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gdb /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:svirt_t:s0:c107,c945
Target Context                unconfined_u:unconfined_r:svirt_t:s0:c107,c945
Target Objects                Unknown [ process ]
Source                        gdb
Source Path                   gdb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.13.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.7-200.fc22.x86_64 #1 SMP Mon
                              Sep 14 20:19:24 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-09-25 10:30:02 PDT
Last Seen                     2015-09-25 10:30:02 PDT
Local ID                      f2ee19d5-ca16-4c9a-b0f9-52601b046e8a

Raw Audit Messages
type=AVC msg=audit(1443202202.926:696): avc:  denied  { ptrace } for  pid=15339 comm="gdb" scontext=unconfined_u:unconfined_r:svirt_t:s0:c107,c945 tcontext=unconfined_u:unconfined_r:svirt_t:s0:c107,c945 tclass=process permissive=0


Hash: gdb,svirt_t,svirt_t,process,ptrace

Version-Release number of selected component:
selinux-policy-3.13.1-128.13.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.7-200.fc22.x86_64
type:           libreport

Potential duplicate: bug 883556
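
The raw AVC line above is the whole evidence in this report, and the one detail worth noticing before running the suggested audit2allow recipe is that scontext and tcontext are identical: a process in the VM's svirt_t domain (with the same MCS categories) is trying to ptrace a process in that very same domain. Allowing that would let a compromised guest process attach to its own qemu. The following is an added example, not code from the original report or from the selinux-policy project; it parses audit.log AVC records and separates "same-context ptrace" denials from cross-domain ptrace and from everything else, so a policy reviewer can spot this pattern instead of blindly whitelisting it. The first sample line is the one from the report; the other two are constructed for contrast.

```python
import re

# Sample audit.log lines. The first is the AVC record from this bug report;
# the second and third are constructed for comparison and do not come from the report.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1443202202.926:696): avc:  denied  { ptrace } for  pid=15339 comm="gdb" '
    'scontext=unconfined_u:unconfined_r:svirt_t:s0:c107,c945 '
    'tcontext=unconfined_u:unconfined_r:svirt_t:s0:c107,c945 tclass=process permissive=0',
    # constructed: an unconfined debugger attaching to a VM process (cross-domain)
    'type=AVC msg=audit(1443202300.000:697): avc:  denied  { ptrace } for  pid=20001 comm="gdb" '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:svirt_t:s0:c107,c945 tclass=process permissive=0',
    # constructed: an unrelated file-access denial from a VM process
    'type=AVC msg=audit(1443202400.000:698): avc:  denied  { read } for  pid=20002 '
    'comm="qemu-system-x86" name="disk.img" dev="dm-0" ino=1234 '
    'scontext=system_u:system_r:svirt_t:s0:c107,c945 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
]

AUDIT_HDR_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split an SELinux context 'user:role:type:level' into its parts.

    The level keeps MLS ranges (e.g. 's0-s0:c0.c1023') as-is; categories are
    only split on commas, so a range like 'c0.c1023' stays a single token.
    """
    user, role, typ, level = ctx.split(":", 3)
    cats = level.split(":", 1)[1].split(",") if ":" in level else []
    return {"raw": ctx, "user": user, "role": role, "type": typ,
            "level": level, "categories": cats}


def parse_avc(line):
    """Parse one audit.log line; return a record dict, or None if it is not an AVC line."""
    hdr = AUDIT_HDR_RE.search(line)
    avc = AVC_RE.search(line)
    if not hdr or not avc:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(avc.group("fields"))}
    return {
        "ts": float(hdr.group("ts")),
        "serial": int(hdr.group("serial")),
        "result": avc.group("result"),
        "perms": avc.group("perms").split(),
        "pid": int(fields.get("pid", -1)),
        "comm": fields.get("comm", ""),
        "scontext": parse_context(fields["scontext"]),
        "tcontext": parse_context(fields["tcontext"]),
        "tclass": fields.get("tclass", ""),
        "permissive": fields.get("permissive") == "1",
    }


def classify(rec):
    """Label a denial. 'self-ptrace' is the anomaly discussed in this bug:
    source and target share one domain and one category set, so an allow rule
    generated from it would let any process in that VM's domain debug any other."""
    if rec["tclass"] != "process" or "ptrace" not in rec["perms"]:
        return "other"
    if rec["scontext"]["raw"] == rec["tcontext"]["raw"]:
        return "self-ptrace"
    return "cross-domain ptrace"


def triage(lines):
    """Return (serial, label) for every AVC record in the given audit lines."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            out.append((rec["serial"], classify(rec)))
    return out


if __name__ == "__main__":
    for serial, label in triage(SAMPLE_AUDIT_LINES):
        print(f"audit serial {serial}: {label}")
```

Run against a real audit.log, the "self-ptrace" label is the case to investigate (which parent actually spawned gdb inside the svirt_t domain) rather than feed to audit2allow; the "cross-domain ptrace" case is the ordinary one that a deliberate debugging boolean or policy change would address.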

Comment 1 Daniel Walsh 2015-09-25 21:08:09 UTC
Seems strange to allow a process to ptrace itself when it is crashing. Does the kernel somehow launch gdb as a child of qemu?

Comment 2 Luya Tshimbalanga 2015-09-26 17:09:12 UTC
I have no idea. I think that may have something to do with that particular virtualized OS, i.e. Fedora 23 Beta, while others seem fine. Here is the journal report:

Sep 26 10:04:55 muamba-telus1603 libvirtd[6397]: Unable to open vhost-net. Opened so far 0, requested 1
Sep 26 10:04:52 muamba-telus1603 libvirtd[6429]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6429]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6427]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6427]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6425]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6425]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6397]: Module /usr/lib64/libvirt/connection-driver/libvirt_driver_vbox.so not accessible
Sep 26 10:04:52 muamba-telus1603 libvirtd[6397]: Module /usr/lib64/libvirt/connection-driver/libvirt_driver_uml.so not accessible
Sep 26 10:04:52 muamba-telus1603 libvirtd[6397]: Module /usr/lib64/libvirt/connection-driver/libvirt_driver_lxc.so not accessible
Sep 26 10:04:52 muamba-telus1603 libvirtd[6397]: Module /usr/lib64/libvirt/connection-driver/libvirt_driver_libxl.so not accessible
Sep 26 10:04:52 muamba-telus1603 libvirtd[6397]: Module /usr/lib64/libvirt/connection-driver/libvirt_driver_xen.so not accessible
Sep 26 10:04:52 muamba-telus1603 libvirtd[6397]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6423]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6423]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6421]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6421]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6409]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6409]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6407]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6407]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6405]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6405]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6403]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6403]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6401]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6401]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6391]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6391]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6399]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6395]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6395]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
S

Comment 3 Jan Kratochvil 2015-10-12 16:59:30 UTC
I do not understand how to reproduce the problem from Comment 0.

Comment 4 Jan Kratochvil 2015-10-12 17:00:35 UTC
I do not see what gdb can do with an selinux limitation, selinux needs to permit that if that happens, whatever it is.

Comment 5 Daniel Walsh 2015-10-13 22:17:42 UTC
The ability for one process to read the process memory of a different process is definitely something we want to block.  The problem here is that gdb gets launched as a child of the process rather than launched in a different context.  Since qemu did not launch gdb, some other app did, the kernel?  If we understood how this happens maybe we could fix selinux to allow gdb to run with a different type giving it more privs.

Comment 6 Jan Kratochvil 2015-10-14 06:04:34 UTC
Then we need to be able to reproduce it.  (And then it will be an selinux-policy-targeted Bug I guess, not gdb's one.)

Comment 7 Luya Tshimbalanga 2015-10-27 18:35:36 UTC
My desktop that had the issue got a fried power adapter. I am currently unable to reproduce the problem with my laptop. I will duplicate the newly installed rawhide within Gnome Boxes running on Fedora 23 and will let you know the result. Test was done with Fedora 22 running Gnome Boxes containing Fedora Rawhide.

Comment 8 Suraj Deshmukh 2015-11-01 04:22:57 UTC
Description of problem:
In KVM I had saved a VM and when I tried restoring the VM it could not be done. The VM is Fedora 22 and the VM has been allotted 4gb RAM and it occupies 4gb of RAM completely; the VM is running devstack.

Version-Release number of selected component:
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.3-200.fc22.x86_64
type:           libreport

Comment 9 Jan Kratochvil 2015-11-01 06:42:40 UTC
No matter what component it should be, GDB is not the one.

Comment 10 Christophe Fergeau 2015-11-02 11:57:05 UTC
Could this be what is described in https://bugzilla.redhat.com/show_bug.cgi?id=1021795#c8 (libspice-server invoking /usr/bin/gstack) ?

Comment 11 Luya Tshimbalanga 2015-11-02 17:05:15 UTC
(In reply to Christophe Fergeau from comment #10)
> Could this be what is described in
> https://bugzilla.redhat.com/show_bug.cgi?id=1021795#c8 (libspice-server
> invoking /usr/bin/gstack) ?

Apparently the fix failed to work. I am unable to reproduce the bug since then. All I did is normal activity like deleting a borked Rawhide from Gnome Boxes. Could it be SPICE or something? Otherwise I have no idea how that happened.

Comment 12 Cole Robinson 2016-03-17 15:10:52 UTC

*** This bug has been marked as a duplicate of bug 1021795 ***
