Bug 1305083 - SELinux is preventing abrt-hook-ccpp from 'getattr' accesses on the file file.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: x86_64 Unspecified
Priority: high, Severity: high
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
abrt_hash:ada9ddb78617a6e6e2e35b6a1db...
Duplicates: 1307218 1307269 1308374 1310349

Reported: 2016-02-05 09:53 EST by Mikhail
Modified: 2016-02-28 01:42 EST
CC List: 57 users
Fixed In Version: selinux-policy-3.13.1-158.5.fc23 selinux-policy-3.13.1-158.6.fc23
Doc Type: Bug Fix
Last Closed: 2016-02-16 22:50:29 EST


Description Mikhail 2016-02-05 09:53:55 EST
Description of problem:
SELinux is preventing abrt-hook-ccpp from 'getattr' accesses on the file file.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that abrt-hook-ccpp should be allowed getattr access on the file file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_dump_oops_t:s0
Target Context                system_u:object_r:nsfs_t:s0
Target Objects                file [ file ]
Source                        abrt-hook-ccpp
Source Path                   abrt-hook-ccpp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.4.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.3.5-300.fc23.x86_64+debug #1 SMP
                              Mon Feb 1 03:02:02 UTC 2016 x86_64 x86_64
Alert Count                   3
First Seen                    2016-02-04 22:07:40 YEKT
Last Seen                     2016-02-05 00:40:11 YEKT
Local ID                      58804410-2c0c-470d-a9fd-32548c9fcfe3

Raw Audit Messages
type=AVC msg=audit(1454614811.944:758): avc:  denied  { getattr } for  pid=31949 comm="abrt-hook-ccpp" path="ipc:[4026531839]" dev="nsfs" ino=4026531839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0


Hash: abrt-hook-ccpp,abrt_dump_oops_t,nsfs_t,file,getattr

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64+debug
type:           libreport

Potential duplicate: bug 1300334
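
The raw AVC record and the `Hash:` line in the report above carry the same five facts. The following is an added example (not part of the original report, and not setroubleshoot or audit2allow code) that parses AVC denials, rebuilds that key, and derives the type-enforcement rule for review before any local module is loaded. The function names, the second AVC line and the SYSCALL line are constructed for illustration.

```python
import re
from collections import Counter

# Line 1: the AVC record from this report, verbatim.
# Lines 2-3: constructed (a repeat with new timestamp/pid, and a non-AVC record).
SAMPLE_LOG = """\
type=AVC msg=audit(1454614811.944:758): avc:  denied  { getattr } for  pid=31949 comm="abrt-hook-ccpp" path="ipc:[4026531839]" dev="nsfs" ino=4026531839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1454614999.100:801): avc:  denied  { getattr } for  pid=32001 comm="abrt-hook-ccpp" path="ipc:[4026531839]" dev="nsfs" ino=4026531839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1454614999.100:801): arch=c000003e syscall=5 success=no
"""

AVC_RE = re.compile(r"^type=AVC .*?avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    try:
        # A context is user:role:type[:level]; the type is always the third field.
        stype = kv["scontext"].split(":")[2]
        ttype = kv["tcontext"].split(":")[2]
        tclass = kv["tclass"]
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return {"comm": kv.get("comm", "?"), "stype": stype, "ttype": ttype,
            "tclass": tclass, "perms": sorted(m.group(1).split()),
            "enforced": kv.get("permissive", "0") == "0"}

def dedup_key(avc):
    """Key laid out like the report's 'Hash:' line (multi-permission form is an assumption)."""
    return ",".join([avc["comm"], avc["stype"], avc["ttype"],
                     avc["tclass"], *avc["perms"]])

def te_rule(avc):
    """Type-enforcement rule that would permit the denied access."""
    perms = avc["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {p};"

def summarize(log_text):
    """Count denials per (key, rule) so repeated alerts collapse into one finding."""
    hits = Counter()
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc:
            hits[(dedup_key(avc), te_rule(avc))] += 1
    return hits

if __name__ == "__main__":
    for (key, rule), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x  {key}\n    {rule}")
```

Reading the derived rule first shows exactly which source type, target type, class and permission a generated module would grant.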
Comment 1 Lukas Vrabec 2016-02-08 08:31:14 EST
commit 2c2c1d1391ef92555fc8fead194b2bbb5557c788
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Feb 8 14:29:34 2016 +0100

    Allow abrt_dump_oops_t to getattr filesystem nsfs files. rhbz#1300334
Comment 2 Heiko Adams 2016-02-09 08:11:29 EST
Description of problem:
Tried to open pan's ssl-cert-manager

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 3 Major Hayden 2016-02-09 11:10:48 EST
Description of problem:
I had a segfault in an application and this SELinux warning appeared right after that.

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 4 Don Swaner 2016-02-09 19:38:13 EST
Description of problem:
nano abended, apparently as a result of not properly handling a file lock conflict.  Then apparently the abort reporting tool caused a SELINUX error.

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 5 Syam 2016-02-09 20:41:43 EST
Description of problem:
Happened at boot.

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 6 Stanislav Kontar 2016-02-10 03:04:05 EST
Description of problem:
No idea, probably some bad update again.

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 7 Karel Volný 2016-02-10 05:46:13 EST
Description of problem:
I don't know what exactly caused this, however I'd think that reading attributes by abrt should be harmless and so there is no reason to deny it ... (?)


Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 8 Lukas Vrabec 2016-02-10 06:52:06 EST
It's in the MODIFIED state, so we have a fix for it and it will be in the next selinux-policy release...
Comment 9 vinivxl 2016-02-10 17:19:39 EST
Description of problem:
It happened when I was using Liferea and browsing my RSS feeds with the built-in browser.

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 10 Nikolai Vincent Vaags 2016-02-11 03:53:19 EST
Description of problem:
Unlocked lockscreen after leaving computer for a few minutes. Seems something display-related had crashed in the meantime, as all windows were suddenly placed in virtual desktop 1.

This has happened several times, regardless of what applications are running. Fedora 23, Gnome.

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 11 Karel Volný 2016-02-11 07:53:23 EST
(In reply to Lukas Vrabec from comment #8)
> It's in the MODIFIED state, so we have a fix for it and it will be in the next
> selinux-policy release...

Yep, but that's what I, and other people commenting on this, have found only after submitting the abrt report and *then* ending up here.

I believe there exists somewhere an RFE for abrt to first search for duplicates and only after that ask the user for action ...
Comment 12 Fedora Update System 2016-02-11 09:21:28 EST
selinux-policy-3.13.1-158.6.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-36a160982c
Comment 13 Christopher Beland 2016-02-12 13:45:07 EST
Description of problem:
Firefox crashed

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 14 qub.box 2016-02-13 03:47:55 EST
*** Bug 1307218 has been marked as a duplicate of this bug. ***
Comment 15 Raphael Groner 2016-02-13 10:23:30 EST
Description of problem:
really, no idea what this report means

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 16 Kristjan Stefansson 2016-02-13 15:25:11 EST
*** Bug 1307269 has been marked as a duplicate of this bug. ***
Comment 17 sheepdestroyer 2016-02-14 05:14:49 EST
Description of problem:
I tried to mount an iso

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 18 Fedora Update System 2016-02-14 11:23:26 EST
selinux-policy-3.13.1-158.6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-36a160982c
Comment 19 zzz 2016-02-14 16:48:47 EST
Description of problem:
Creating of local politics not working:

grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mojapolityka
Nothing to do

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 20 nittfox1977 2016-02-14 17:06:08 EST
*** Bug 1308374 has been marked as a duplicate of this bug. ***
Comment 21 Dario Castellarin 2016-02-15 04:42:02 EST
Description of problem:
I get this message when I experience some program crash, abrt seems unable to create a proper crash report because of this.

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 22 Jan Kalina 2016-02-15 08:52:08 EST
Description of problem:
After reboot, ABRT shows the problem "hamster-time-tracker quit unexpectedly" and SELinux Alert Browser shows this problem - ABRT probably hasn't permission to check logs or should not check it this way.

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 23 Michelangelo Marchesi 2016-02-16 05:20:43 EST
Description of problem:
Just Firefox running

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 24 psychoslave 2016-02-16 11:39:36 EST
Description of problem:
Nothing to add, since I don't have any idea of the problem.


Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 25 Luya Tshimbalanga 2016-02-16 16:10:09 EST
Description of problem:
Starting gnome-boxes

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 26 zzz 2016-02-16 18:14:06 EST
Description of problem:
During dnf update process

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 27 Fedora Update System 2016-02-16 22:49:56 EST
selinux-policy-3.13.1-158.6.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 28 Benito Palacios 2016-02-17 06:26:27 EST
Description of problem:
Automatically almost every time after login.

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64+debug
type:           libreport
Comment 29 pandeero 2016-02-17 11:26:38 EST
Description of problem:
I clicked the yellow icon for notes

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 30 James Cape 2016-02-19 07:48:21 EST
Description of problem:
This looks like it fired at/around a lid-close inspired suspend.

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 31 L. J. Casasola 2016-02-20 15:15:52 EST
*** Bug 1310349 has been marked as a duplicate of this bug. ***
Comment 32 Jiri Canderle 2016-02-22 09:01:06 EST
Description of problem:
evolution crashed, and this AVC appeared

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
