Description of problem:
Deleting borked Fedora Rawhide from Gnome Boxes.
SELinux is preventing gdb from using the 'ptrace' accesses on a process.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that gdb should be allowed ptrace access on processes labeled svirt_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep gdb /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:svirt_t:s0:c107,c945
Target Context                unconfined_u:unconfined_r:svirt_t:s0:c107,c945
Target Objects                Unknown [ process ]
Source                        gdb
Source Path                   gdb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.13.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.7-200.fc22.x86_64 #1 SMP Mon Sep 14 20:19:24 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-09-25 10:30:02 PDT
Last Seen                     2015-09-25 10:30:02 PDT
Local ID                      f2ee19d5-ca16-4c9a-b0f9-52601b046e8a

Raw Audit Messages
type=AVC msg=audit(1443202202.926:696): avc: denied { ptrace } for pid=15339 comm="gdb" scontext=unconfined_u:unconfined_r:svirt_t:s0:c107,c945 tcontext=unconfined_u:unconfined_r:svirt_t:s0:c107,c945 tclass=process permissive=0

Hash: gdb,svirt_t,svirt_t,process,ptrace

Version-Release number of selected component:
selinux-policy-3.13.1-128.13.fc22.noarch

Additional info:
reporter: libreport-2.6.2
hashmarkername: setroubleshoot
kernel: 4.1.7-200.fc22.x86_64
type: libreport

Potential duplicate: bug 883556
Seems strange to allow a process to ptrace itself when it is crashing. Does the kernel somehow launch gdb as a child of qemu?
I have no idea. I think that may have something to do with that particular virtualized OS, i.e. Fedora 23 Beta, while others seem fine. Here is the journal report:
Sep 26 10:04:55 muamba-telus1603 libvirtd[6397]: Unable to open vhost-net. Opened so far 0, requested 1
Sep 26 10:04:52 muamba-telus1603 libvirtd[6429]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6429]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6427]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6427]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6425]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6425]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6397]: Module /usr/lib64/libvirt/connection-driver/libvirt_driver_vbox.so not accessible
Sep 26 10:04:52 muamba-telus1603 libvirtd[6397]: Module /usr/lib64/libvirt/connection-driver/libvirt_driver_uml.so not accessible
Sep 26 10:04:52 muamba-telus1603 libvirtd[6397]: Module /usr/lib64/libvirt/connection-driver/libvirt_driver_lxc.so not accessible
Sep 26 10:04:52 muamba-telus1603 libvirtd[6397]: Module /usr/lib64/libvirt/connection-driver/libvirt_driver_libxl.so not accessible
Sep 26 10:04:52 muamba-telus1603 libvirtd[6397]: Module /usr/lib64/libvirt/connection-driver/libvirt_driver_xen.so not accessible
Sep 26 10:04:52 muamba-telus1603 libvirtd[6397]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6423]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6423]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6421]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6421]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6409]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6409]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6407]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6407]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6405]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6405]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6403]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6403]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6401]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6401]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6391]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6391]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
Sep 26 10:04:52 muamba-telus1603 libvirtd[6399]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6395]: Failed to acquire pid file '/run/user/1000/libvirt/libvirtd.pid': Resource temporarily unavailable
Sep 26 10:04:52 muamba-telus1603 libvirtd[6395]: libvirt version: 1.2.13.1, package: 2.fc22 (Fedora Project, 2015-06-06-15:21:32, buildvm-13.phx2.fedora
S
I do not understand how to reproduce the problem from Comment 0.
I do not see what gdb can do with an SELinux limitation; SELinux needs to permit that if that happens, whatever it is.
The ability for one process to read the process memory of a different process is definitely something we want to block. The problem here is that gdb gets launched as a child of the process rather than launched in a different context. Since qemu did not launch gdb, some other app did; the kernel? If we understood how this happens, maybe we could fix SELinux to allow gdb to run with a different type, giving it more privs.
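The label relationship described in the comment above can be read directly from the AVC record in the first comment. The following is an added example, not part of the original thread or of any Fedora tooling; the function names and the classification strings are assumptions chosen for illustration.

```python
import re

# AVC record copied from the report in the first comment of this thread.
SAMPLE_AVC = (
    'type=AVC msg=audit(1443202202.926:696): avc: denied { ptrace } for '
    'pid=15339 comm="gdb" '
    'scontext=unconfined_u:unconfined_r:svirt_t:s0:c107,c945 '
    'tcontext=unconfined_u:unconfined_r:svirt_t:s0:c107,c945 '
    'tclass=process permissive=0'
)
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split user:role:type[:level]; the level (e.g. s0:c107,c945) contains ':'."""
    user, role, type_, level = (ctx.split(':', 3) + [''] * 3)[:4]
    _sens, _, cats = level.partition(':')
    # Categories are compared as literal tokens; ranges (c0.c1023) are not expanded.
    return {'user': user, 'role': role, 'type': type_,
            'categories': frozenset(cats.split(',')) if cats else frozenset()}


def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if 'scontext' not in fields or 'tcontext' not in fields:
        return None
    return {'perms': m.group('perms').split(), 'comm': fields.get('comm'),
            'pid': int(fields['pid']) if 'pid' in fields else None,
            'tclass': fields.get('tclass'),
            'source': parse_context(fields['scontext']),
            'target': parse_context(fields['tcontext']),
            'enforced': fields.get('permissive') == '0'}


def classify_ptrace(rec):
    """Relate the tracer's label to the tracee's (return strings are hypothetical names)."""
    if rec is None or rec['tclass'] != 'process' or 'ptrace' not in rec['perms']:
        return 'not-ptrace'
    src, tgt = rec['source'], rec['target']
    if src['type'] != tgt['type']:
        return 'cross-domain'      # tracer runs in a different SELinux type
    if src['categories'] != tgt['categories']:
        return 'same-domain-different-categories'  # e.g. another guest's MCS pair
    return 'same-label'            # tracer started inside the tracee's own label


if __name__ == '__main__':
    print(classify_ptrace(parse_avc(SAMPLE_AVC)))
```

For the record in this report the result is `same-label`: gdb carried exactly the svirt_t type and MCS categories of the process it tried to trace, which is the "launched as a child of the process" situation the comment describes.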
Then we need to be able to reproduce it. (And then it will be an selinux-policy-targeted Bug I guess, not gdb's one.)
My desktop that had the issue got a fried power adapter. I am currently unable to reproduce the problem with my laptop. I will duplicate the newly installed rawhide within Gnome Boxes running on Fedora 23 and will let you know the result. Test was done with Fedora 22 running Gnome Boxes containing Fedora Rawhide.
Description of problem:
In KVM I had saved a VM and when I tried restoring the VM it could not be done. The VM is Fedora 22 and the VM has been allotted 4gb RAM and it occupies 4gb of RAM completely; the VM is running devstack.

Version-Release number of selected component:
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter: libreport-2.6.2
hashmarkername: setroubleshoot
kernel: 4.2.3-200.fc22.x86_64
type: libreport
No matter what component it should be, GDB is not the one.
Could this be what is described in https://bugzilla.redhat.com/show_bug.cgi?id=1021795#c8 (libspice-server invoking /usr/bin/gstack) ?
(In reply to Christophe Fergeau from comment #10)
> Could this be what is described in
> https://bugzilla.redhat.com/show_bug.cgi?id=1021795#c8 (libspice-server
> invoking /usr/bin/gstack) ?

Apparently the fix failed to work. I am unable to reproduce the bug since then. All I did is normal activity like deleting a borked Rawhide from Gnome Boxes. Could it be a SPICE or something? Otherwise I have no idea how that happened.
*** This bug has been marked as a duplicate of bug 1021795 ***