Bug 1300334 - SELinux is preventing abrt-hook-ccpp from 'getattr' accesses on the file file.
SELinux is preventing abrt-hook-ccpp from 'getattr' accesses on the file file.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
24
x86_64 Other
high Severity medium
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
abrt_hash:ada9ddb78617a6e6e2e35b6a1db...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-20 08:41 EST by P. A. López-Valencia
Modified: 2016-03-23 12:57 EDT (History)
12 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-170.fc24 selinux-policy-3.13.1-179.fc24
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-23 12:57:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description P. A. López-Valencia 2016-01-20 08:41:46 EST
Description of problem:
SELinux is preventing abrt-hook-ccpp from 'getattr' accesses on the file file.

*****  Plugin catchall (100. confidence) suggests   **************************

If cree que de manera predeterminada, abrt-hook-ccpp debería permitir acceso getattr sobre  file file.     
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
permita el acceso momentáneamente executando:
# grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_dump_oops_t:s0
Target Context                system_u:object_r:nsfs_t:s0
Target Objects                file [ file ]
Source                        abrt-hook-ccpp
Source Path                   abrt-hook-ccpp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-167.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.5.0-0.rc0.git1.1.fc24.x86_64 #1
                              SMP Tue Jan 12 20:40:44 UTC 2016 x86_64 x86_64
Alert Count                   4
First Seen                    2016-01-20 07:36:44 COT
Last Seen                     2016-01-20 08:39:15 COT
Local ID                      c092c1fb-efc3-4318-a81e-1b452f10c70e

Raw Audit Messages
type=AVC msg=audit(1453297155.259:630): avc:  denied  { getattr } for  pid=3257 comm="abrt-hook-ccpp" path="ipc:[4026531839]" dev="nsfs" ino=4026531839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1


Hash: abrt-hook-ccpp,abrt_dump_oops_t,nsfs_t,file,getattr

Version-Release number of selected component:
selinux-policy-3.13.1-167.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc0.git1.1.fc24.x86_64
type:           libreport
Comment 1 P. A. López-Valencia 2016-01-20 08:47:07 EST
It also happens in targeted mode, but at least I can report it now.
Comment 2 Jared Smith 2016-01-20 08:51:25 EST
Description of problem:
Rebooted my machine, and saw the alert.

Version-Release number of selected component:
selinux-policy-3.13.1-167.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc0.git1.1.fc24.x86_64
type:           libreport
Comment 3 Miroslav Grepl 2016-01-21 03:21:43 EST
We added NSFS support which causes this issue.
Comment 4 Lukas Vrabec 2016-01-21 11:01:39 EST
Hi, 
Could you do following: 
1. #semanage permissive -a abrt_dump_oops_t
2. reproduce issue
3. ausearch -m AVC -ts recent 
4. attach AVC msgs
5. #semanage permissive -d abrt_dump_oops_t


Thank you.
Comment 5 P. A. López-Valencia 2016-01-21 14:23:24 EST
I saw your message after upgrading to selinux-policy-3.13.1-168.fc24...

The error has repeated itself once and it's as follows:

----
time->Thu Jan 21 13:08:28 2016
type=AVC msg=audit(1453399708.072:589): avc:  denied  { getattr } for  pid=2244 comm="abrt-hook-ccpp" path="ipc:[4026531839]" dev="nsfs" ino=4026531839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
----
Comment 6 P. A. López-Valencia 2016-01-23 13:04:23 EST
Description of problem:
Happened when installing the rpmfusion free repo rpm through firefox and packagekit.

Version-Release number of selected component:
selinux-policy-3.13.1-168.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc0.git8.1.fc24.x86_64
type:           libreport
Comment 7 Petr Schindler 2016-02-02 02:11:37 EST
Description of problem:
This happened right after I logged into the desktop with my user.

Version-Release number of selected component:
selinux-policy-3.13.1-168.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc1.git0.1.fc24.x86_64
type:           libreport
Comment 8 Lukas Vrabec 2016-02-08 08:30:21 EST
commit 1ccf8374b4f6fc85445abb8a048f23d24664d467
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Feb 8 14:29:34 2016 +0100

    Allow abrt_dump_oops_t to getattr filesystem nsfs files. rhbz#1300334
Comment 9 Jan Kurik 2016-02-24 10:48:23 EST
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
Comment 10 Fedora Update System 2016-03-11 04:56:37 EST
selinux-policy-3.13.1-178.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-1350c96015
Comment 11 Fedora Update System 2016-03-11 14:26:16 EST
selinux-policy-3.13.1-178.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-1350c96015
Comment 12 Fedora Update System 2016-03-16 09:42:56 EDT
selinux-policy-3.13.1-179.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8f142bb969
Comment 13 Fedora Update System 2016-03-18 10:59:06 EDT
selinux-policy-3.13.1-179.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8f142bb969
Comment 14 Fedora Update System 2016-03-23 12:55:12 EDT
selinux-policy-3.13.1-179.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.