Red Hat Bugzilla – Bug 1284967
SELinux is preventing abrt-dump-xorg from 'execute' accesses on the file /usr/bin/Xorg.
Last modified: 2016-02-16 22:50:25 EST
Description of problem: SELinux is preventing abrt-dump-xorg from 'execute' accesses on the file /usr/bin/Xorg. ***** Plugin catchall (100. confidence) suggests ************************** If вы считаете, что abrt-dump-xorg следует разрешить доступ execute к Xorg file по умолчанию. Then рекомендуется создать отчет об ошибке. Чтобы разрешить доступ, можно создать локальный модуль политики. Do чтобы разрешить доступ, выполните: # grep abrt-dump-xorg /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:abrt_dump_oops_t:s0 Target Context system_u:object_r:xserver_exec_t:s0 Target Objects /usr/bin/Xorg [ file ] Source abrt-dump-xorg Source Path abrt-dump-xorg Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages xorg-x11-server-Xorg-1.18.0-2.fc23.x86_64 Policy RPM selinux-policy-3.13.1-154.fc23.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.2.6-300.fc23.x86_64 #1 SMP Tue Nov 10 19:32:21 UTC 2015 x86_64 x86_64 Alert Count 8 First Seen 2015-11-16 12:23:11 CET Last Seen 2015-11-21 06:36:15 CET Local ID a99b633b-5f04-46f9-90f6-86a5c2aa68b7 Raw Audit Messages type=AVC msg=audit(1448084175.544:522): avc: denied { execute } for pid=2583 comm="abrt-dump-xorg" name="Xorg" dev="sda4" ino=1975947 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:xserver_exec_t:s0 tclass=file permissive=0 Hash: abrt-dump-xorg,abrt_dump_oops_t,xserver_exec_t,file,execute Version-Release number of selected component: selinux-policy-3.13.1-154.fc23.noarch Additional info: reporter: libreport-2.6.3 hashmarkername: setroubleshoot kernel: 4.2.6-300.fc23.x86_64 type: libreport
A new functionality?
Yes, we test if /usr/bin/Xorg has X attribute to make sure the found backtrace was produced by that program: https://github.com/abrt/abrt/blob/master/src/plugins/xorg-utils.c#L106
commit acae975716c88fc93d8a11d0ed1c8bd5c6c188f4 Author: Lukas Vrabec <lvrabec@redhat.com> Date: Mon Feb 8 11:11:17 2016 +0100 Allow abrt_dump_oops_t to check permissions for a /usr/bin/Xorg. rhbz#1284967 AVC caused by this line in abrt: https://github.com/abrt/abrt/blob/master/src/plugins/xorg-utils.c#L107
selinux-policy-3.13.1-158.6.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-36a160982c
selinux-policy-3.13.1-158.6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-36a160982c
selinux-policy-3.13.1-158.6.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.