1300334 – SELinux is preventing abrt-hook-ccpp from 'getattr' accesses on the file file.

Bug 1300334 - SELinux is preventing abrt-hook-ccpp from 'getattr' accesses on the file file.

Summary: SELinux is preventing abrt-hook-ccpp from 'getattr' accesses on the file file.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	24
Hardware:	x86_64
OS:	Other
Priority:	high
Severity:	medium
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:ada9ddb78617a6e6e2e35b6a1db...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-01-20 13:41 UTC by P. A. López-Valencia
Modified:	2016-03-23 16:57 UTC (History)
CC List:	12 users (show)
Fixed In Version:	selinux-policy-3.13.1-170.fc24 selinux-policy-3.13.1-179.fc24
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-03-23 16:57:09 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description P. A. López-Valencia 2016-01-20 13:41:46 UTC

Description of problem:
SELinux is preventing abrt-hook-ccpp from 'getattr' accesses on the file file.

*****  Plugin catchall (100. confidence) suggests   **************************

If cree que de manera predeterminada, abrt-hook-ccpp debería permitir acceso getattr sobre  file file.     
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
permita el acceso momentáneamente executando:
# grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_dump_oops_t:s0
Target Context                system_u:object_r:nsfs_t:s0
Target Objects                file [ file ]
Source                        abrt-hook-ccpp
Source Path                   abrt-hook-ccpp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-167.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.5.0-0.rc0.git1.1.fc24.x86_64 #1
                              SMP Tue Jan 12 20:40:44 UTC 2016 x86_64 x86_64
Alert Count                   4
First Seen                    2016-01-20 07:36:44 COT
Last Seen                     2016-01-20 08:39:15 COT
Local ID                      c092c1fb-efc3-4318-a81e-1b452f10c70e

Raw Audit Messages
type=AVC msg=audit(1453297155.259:630): avc:  denied  { getattr } for  pid=3257 comm="abrt-hook-ccpp" path="ipc:[4026531839]" dev="nsfs" ino=4026531839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1


Hash: abrt-hook-ccpp,abrt_dump_oops_t,nsfs_t,file,getattr

Version-Release number of selected component:
selinux-policy-3.13.1-167.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc0.git1.1.fc24.x86_64
type:           libreport

Comment 1 P. A. López-Valencia 2016-01-20 13:47:07 UTC

It also happens in targeted mode, but at least I can report it now.

Comment 2 Jared Smith 2016-01-20 13:51:25 UTC

Description of problem:
Rebooted my machine, and saw the alert.

Version-Release number of selected component:
selinux-policy-3.13.1-167.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc0.git1.1.fc24.x86_64
type:           libreport

Comment 3 Miroslav Grepl 2016-01-21 08:21:43 UTC

We added NSFS support which causes this issue.

Comment 4 Lukas Vrabec 2016-01-21 16:01:39 UTC

Hi, 
Could you do following: 
1. #semanage permissive -a abrt_dump_oops_t
2. reproduce issue
3. ausearch -m AVC -ts recent 
4. attach AVC msgs
5. #semanage permissive -d abrt_dump_oops_t


Thank you.

Comment 5 P. A. López-Valencia 2016-01-21 19:23:24 UTC

I saw your message after upgrading to selinux-policy-3.13.1-168.fc24...

The error has repeated itself once and it's as follows:

----
time->Thu Jan 21 13:08:28 2016
type=AVC msg=audit(1453399708.072:589): avc:  denied  { getattr } for  pid=2244 comm="abrt-hook-ccpp" path="ipc:[4026531839]" dev="nsfs" ino=4026531839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
----

Comment 6 P. A. López-Valencia 2016-01-23 18:04:23 UTC

Description of problem:
Happened when installing the rpmfusion free repo rpm through firefox and packagekit.

Version-Release number of selected component:
selinux-policy-3.13.1-168.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc0.git8.1.fc24.x86_64
type:           libreport

Comment 7 Petr Schindler 2016-02-02 07:11:37 UTC

Description of problem:
This happened right after I logged into the desktop with my user.

Version-Release number of selected component:
selinux-policy-3.13.1-168.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc1.git0.1.fc24.x86_64
type:           libreport

Comment 8 Lukas Vrabec 2016-02-08 13:30:21 UTC

commit 1ccf8374b4f6fc85445abb8a048f23d24664d467
Author: Lukas Vrabec <lvrabec>
Date:   Mon Feb 8 14:29:34 2016 +0100

    Allow abrt_dump_oops_t to getattr filesystem nsfs files. rhbz#1300334

Comment 9 Jan Kurik 2016-02-24 15:48:23 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 10 Fedora Update System 2016-03-11 09:56:37 UTC

selinux-policy-3.13.1-178.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-1350c96015

Comment 11 Fedora Update System 2016-03-11 19:26:16 UTC

selinux-policy-3.13.1-178.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-1350c96015

Comment 12 Fedora Update System 2016-03-16 13:42:56 UTC

selinux-policy-3.13.1-179.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8f142bb969

Comment 13 Fedora Update System 2016-03-18 14:59:06 UTC

selinux-policy-3.13.1-179.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8f142bb969

Comment 14 Fedora Update System 2016-03-23 16:55:12 UTC

selinux-policy-3.13.1-179.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.