Bug 1414088 - SELinux is preventing /usr/bin/gdb from write access on the directory /usr/share/glib-2.0/gdb.
Summary: SELinux is preventing /usr/bin/gdb from write access on the directory /usr/sh...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: glib2
Version: 6.9
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Colin Walters
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-01-17 17:30 UTC by Lukas Slebodnik
Modified: 2017-12-06 11:53 UTC (History)
CC List: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-06 11:53:32 UTC
Target Upstream Version:
Embargoed:



Description Lukas Slebodnik 2017-01-17 17:30:27 UTC
SELinux is preventing /usr/bin/gdb from write access on the directory /usr/share/glib-2.0/gdb.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow gdb to have write access on the gdb directory
Then you need to change the label on /usr/share/glib-2.0/gdb
Do
# semanage fcontext -a -t FILE_TYPE '/usr/share/glib-2.0/gdb'
where FILE_TYPE is one of the following: mnt_t, rpm_var_cache_t, abrt_var_cache_t, var_spool_t, sosreport_tmp_t, abrt_tmp_t, var_log_t, var_run_t, abrt_var_run_t, abrt_var_log_t, rpm_var_run_t, tmp_t, var_t, root_t, cluster_conf_t, cluster_var_lib_t, cluster_var_run_t.
Then execute:
restorecon -v '/usr/share/glib-2.0/gdb'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that gdb should be allowed write access on the gdb directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gdb /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                unconfined_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                /usr/share/glib-2.0/gdb [ dir ]
Source                        gdb  
Source Path                   /usr/bin/gdb
Port                          <Unknown>
Host                          tyan-gt24-11.rhts.eng.bos.redhat.com
Source RPM Packages           gdb-7.2-92.el6.x86_64
Target RPM Packages           glib2-devel-2.28.8-8.el6.x86_64
Policy RPM                    selinux-policy-3.7.19-307.el6.noarch
Selinux Enabled               True 
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tyan-gt24-11.rhts.eng.bos.redhat.com
Platform                      Linux tyan-gt24-11.rhts.eng.bos.redhat.com
                              2.6.32-682.el6.x86_64 #1 SMP Tue Jan 10 00:46:37
                              EST 2017 x86_64 x86_64
Alert Count                   2
First Seen                    Tue Jan 17 12:23:21 2017
Last Seen                     Tue Jan 17 12:23:41 2017
Local ID                      da9a585b-8d21-40d8-aeb9-52650122ed6e

Raw Audit Messages
type=AVC msg=audit(1484673821.920:856): avc:  denied  { write } for  pid=2326 comm="gdb" name="gdb" dev=dm-0 ino=5987 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir


type=SYSCALL msg=audit(1484673821.920:856): arch=x86_64 syscall=open success=no exit=EACCES a0=7ffd4afb73b0 a1=2c1 a2=81a4 a3=30c9ba5560 items=0 ppid=2325 pid=2326 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=127 comm=gdb exe=/usr/bin/gdb subj=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

Hash: gdb,abrt_t,usr_t,dir,write   

audit2allow

#============= abrt_t ==============
#!!!! The source type 'abrt_t' can write to a 'dir' of the following types:
# mnt_t, rpm_var_cache_t, abrt_var_cache_t, var_spool_t, sosreport_tmp_t, abrt_tmp_t, var_log_t, var_run_t, abrt_var_run_t, abrt_var_log_t, rpm_var_run_t, tmp_t, var_t, root_t, cluster_conf_t, cluster_var_lib_t, cluster_var_run_t

allow abrt_t usr_t:dir write;

audit2allow -R

#============= abrt_t ==============
#!!!! The source type 'abrt_t' can write to a 'dir' of the following types:
# mnt_t, rpm_var_cache_t, abrt_var_cache_t, var_spool_t, sosreport_tmp_t, abrt_tmp_t, var_log_t, var_run_t, abrt_var_run_t, abrt_var_log_t, rpm_var_run_t, tmp_t, var_t, root_t, cluster_conf_t, cluster_var_lib_t, cluster_var_run_t

allow abrt_t usr_t:dir write;

Comment 1 Lukas Slebodnik 2017-01-17 17:35:53 UTC
I saw such AVCs in a few of my beaker test runs. But I was able to reproduce it even later. My reproducer was quite simple.

I simulated a crash by sending SEGV to two sssd processes (with a few seconds' delay). The first time it worked; abrt captured the crash. But I saw AVCs for the second SEGV signal.

Comment 4 Lukas Slebodnik 2017-01-17 17:40:07 UTC
Moving to abrt team; maybe they will know the reason.

Comment 9 Matej Habrnal 2017-01-20 15:40:02 UTC
There is a similar problem in bugzilla [1].

It looks like Python wants to compile the Python scripts in /usr/share/glib-2.0/gdb because the files are missing from the glib2-devel package, and it's not able to do that because of SELinux.

$ rpm -ql glib2-devel | grep .py
/usr/share/gdb/auto-load/lib64/libglib-2.0.so.0.2800.8-gdb.py
/usr/share/gdb/auto-load/lib64/libglib-2.0.so.0.2800.8-gdb.pyc
/usr/share/gdb/auto-load/lib64/libglib-2.0.so.0.2800.8-gdb.pyo
/usr/share/gdb/auto-load/lib64/libgobject-2.0.so.0.2800.8-gdb.py
/usr/share/gdb/auto-load/lib64/libgobject-2.0.so.0.2800.8-gdb.pyc
/usr/share/gdb/auto-load/lib64/libgobject-2.0.so.0.2800.8-gdb.pyo
/usr/share/glib-2.0/gdb/glib.py
/usr/share/glib-2.0/gdb/gobject.py

Adding *.pyc and *.pyo files into the package should resolve the issue.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1222288
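
A small check for the diagnosis in comment 9, added here as an example (not code from the report, abrt or glib2): it parses the raw AVC record into decision, permission, object class and source/target SELinux types, lists the .py files a package ships without a .pyc beside them, and confirms that the denied dir write lands in exactly such a directory. The sample inputs are constructed from the AVC line and the `rpm -ql` listing quoted above.

```python
import os
import re

# Sample input, constructed from the raw AVC record quoted in the report.
AVC_LINE = (
    'type=AVC msg=audit(1484673821.920:856): avc:  denied  { write } for  pid=2326 '
    'comm="gdb" name="gdb" dev=dm-0 ino=5987 '
    'scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:usr_t:s0 tclass=dir'
)

# Sample input, constructed from the `rpm -ql glib2-devel | grep .py` listing in comment 9.
PKG_FILES = [
    '/usr/share/gdb/auto-load/lib64/libglib-2.0.so.0.2800.8-gdb.py',
    '/usr/share/gdb/auto-load/lib64/libglib-2.0.so.0.2800.8-gdb.pyc',
    '/usr/share/gdb/auto-load/lib64/libglib-2.0.so.0.2800.8-gdb.pyo',
    '/usr/share/glib-2.0/gdb/glib.py',
    '/usr/share/glib-2.0/gdb/gobject.py',
]

def parse_avc(line):
    """Extract decision, permissions, target name, SELinux types and object class from an AVC record."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}', line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    # A context is user:role:type[:range]; the type is the third field.
    return {
        'decision': m.group(1),
        'perms': m.group(2).split(),
        'comm': kv.get('comm'),
        'name': kv.get('name'),
        'stype': kv['scontext'].split(':')[2],
        'ttype': kv['tcontext'].split(':')[2],
        'tclass': kv.get('tclass'),
    }

def missing_bytecode(files):
    """List .py files shipped without a .pyc beside them; Python 2 tries to write one on import."""
    have = set(files)
    return sorted(p for p in files if p.endswith('.py') and p + 'c' not in have)

def explains_denial(avc, files):
    """True when a denied dir write targets a directory whose .py files lack bytecode."""
    if avc is None or avc['decision'] != 'denied':
        return False
    gap_dirs = {os.path.basename(os.path.dirname(p)) for p in missing_bytecode(files)}
    # name= in the AVC is only the basename of the target directory, so match on that.
    return avc['tclass'] == 'dir' and 'write' in avc['perms'] and avc['name'] in gap_dirs
```

Run against the two samples, `explains_denial` returns True: the abrt_t write into the usr_t directory is Python trying to cache bytecode for glib.py and gobject.py, which is why shipping the .pyc/.pyo files removes the AVC.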

Comment 12 Jan Kurik 2017-12-06 11:53:32 UTC
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com/

