Description of problem:
This is a follow-up report to https://bugzilla.redhat.com/show_bug.cgi?id=1341829. After https://bugzilla.redhat.com/show_bug.cgi?id=1341829 has been fixed, systemd-coredump now works. However, we need to also ensure that ABRT's coredumpctl integration functions properly. It, too, is broken by SELinux.

Test:
# systemctl stop abrt-ccpp.service
# systemctl start abrt-journal-core.service
(Start some app to be killed, say gedit)
# killall gedit

Expected behavior:
ABRT fetches the crash report from systemd and presents a crash notification

Actual behavior:
This SELinux alert appears:

SELinux is preventing abrt-dump-journ from 'execute' accesses on the file /usr/bin/lz4.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that abrt-dump-journ should be allowed execute access on the lz4 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'abrt-dump-journ' --raw | audit2allow -M my-abrtdumpjourn
# semodule -X 300 -i my-abrtdumpjourn.pp

Additional Information:
Source Context                system_u:system_r:abrt_dump_oops_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/bin/lz4 [ file ]
Source                        abrt-dump-journ
Source Path                   abrt-dump-journ
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           lz4-1.7.5-1.fc25.x86_64
Policy RPM                    selinux-policy-3.13.1-225.6.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.9.6-200.fc25.x86_64 #1 SMP Thu Jan 26 10:17:45 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-02-07 08:42:14 CST
Last Seen                     2017-02-07 08:42:14 CST
Local ID                      40fa121b-a2ac-4c47-995a-efb6c1a2f021

Raw Audit Messages
type=AVC msg=audit(1486478534.659:258): avc:  denied  { execute } for  pid=3138 comm="abrt-dump-journ" name="lz4" dev="dm-1" ino=2369212 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

Hash: abrt-dump-journ,abrt_dump_oops_t,bin_t,file,execute

Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.6-200.fc25.x86_64
type:           libreport

Potential duplicate: bug 1414911
(In reply to Michael Catanzaro from comment #0)
> # systemctl stop abrt-ccpp.service
> # systemctl start abrt-journal-core.service
> (Start some app to be killed, say gedit)
> # killall gedit

Whooops, I meant to type 'killall -SEGV gedit'
Description of problem:
Warning raised when I killed gnome-calculator with -SEGV

Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.7-201.fc25.x86_64
type:           libreport
Hi Lukas, will an update be available for this soon?
(In reply to Michael Catanzaro from comment #3)
> Hi Lukas, will an update be available for this soon?

Hi Lukas, the change deadline for bug #1405995 was today and it is still blocked on this issue. The FESCo change review meeting is on Friday; it would be great to have an update released prior to then.

Note that we identified a solution to this issue via private email on February 8:

# cat abrt_exec_bin.cil
(allow abrt_dump_oops_t bin_t (file (execute)))
(allow abrt_dump_oops_t bin_t (file (execute_no_trans)))
# semodule -i abrt_exec_bin.cil
Proposed as a Freeze Exception for 26-alpha by Fedora user pfrields using the blocker tracking app because: This is a simple change to enable an accepted F26 Change. See also https://bugzilla.redhat.com/show_bug.cgi?id=1405995 which this bug blocks. Having this Change is important to the Workstation WG and we'd really like not to slip this for yet another release. I've reached out to the selinux-policy maintainers to ask for quick action here.
[root@fraw ~]# sesearch -A -s abrt_dump_oops_t -t bin_t -c file -p execute
Found 2 semantic av rules:
   allow abrt_dump_oops_t base_ro_file_type : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow abrt_dump_oops_t bin_t : file { ioctl read getattr lock execute execute_no_trans open } ;

[root@fraw ~]# rpm -q selinux-policy
selinux-policy-3.13.1-241.fc26.noarch

#============= abrt_dump_oops_t ==============
#!!!! This avc is allowed in the current policy
allow abrt_dump_oops_t bin_t:file execute;

This issue is already fixed in F26:
https://koji.fedoraproject.org/koji/buildinfo?buildID=860624
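The thread shows the whole loop by hand: a raw AVC record in the report, the two-line CIL module that covers it, and the sesearch check above confirming the F26 policy already carries the rule. The following is an added example (not code from this report, ABRT, or selinux-policy) that walks that loop in Python: it parses an AVC record into the fields that matter for policy work (source type, target type, object class, permissions), renders the CIL allow statements the module posted earlier used, and checks a denial against sesearch-style output. The sample record and sesearch text are copied from this thread; the function names and the decision to add execute_no_trans alongside a denied file execute are this example's own choices, mirroring the posted module.

```python
"""Parse a raw SELinux AVC denial, render the CIL allow rules that would
cover it, and check the denial against sesearch output.

Added example for this bug report; not code from ABRT or selinux-policy.
"""
import re

# Constructed sample input: the raw AVC record from the report, on one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1486478534.659:258): avc:  denied  { execute } for  '
    'pid=3138 comm="abrt-dump-journ" name="lz4" dev="dm-1" ino=2369212 '
    'scontext=system_u:system_r:abrt_dump_oops_t:s0 '
    'tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0'
)

# Constructed sample input: the sesearch output quoted above (F26 policy).
SESEARCH_F26 = """Found 2 semantic av rules:
   allow abrt_dump_oops_t base_ro_file_type : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow abrt_dump_oops_t bin_t : file { ioctl read getattr lock execute execute_no_trans open } ;
"""

# "avc:  denied  { execute } for ..." -> result and the permission set.
_RESULT_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}')
# key=value pairs; values are either quoted (comm="abrt-dump-journ") or bare.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# One sesearch rule: allow SRC TGT : CLASS { perm perm ... } ;
_SESEARCH_RE = re.compile(r'allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+\{\s*([^}]*?)\s*\}\s*;')


def parse_avc(record):
    """Return a dict of the AVC fields plus the bare source/target types."""
    m = _RESULT_RE.search(record)
    if m is None:
        raise ValueError('not an AVC record')
    fields = {}
    for key, whole, quoted, bare in _KV_RE.findall(record):
        fields[key] = quoted if whole.startswith('"') else bare
    for required in ('scontext', 'tcontext', 'tclass'):
        if required not in fields:
            raise ValueError(f'AVC record lacks {required}')
    # A security context is user:role:type[:level]; the type is the third field.
    fields['source_type'] = fields['scontext'].split(':')[2]
    fields['target_type'] = fields['tcontext'].split(':')[2]
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    return fields


def cil_rules_for(denial):
    """One CIL allow statement per denied permission.

    When a file execute is denied, execute_no_trans is emitted as well, as the
    module posted in this thread does: without it the domain still could not
    run the binary in its own context (no domain transition).
    """
    perms = list(denial['perms'])
    if denial['tclass'] == 'file' and 'execute' in perms and 'execute_no_trans' not in perms:
        perms.append('execute_no_trans')
    return [
        f"(allow {denial['source_type']} {denial['target_type']} ({denial['tclass']} ({p})))"
        for p in perms
    ]


def is_already_allowed(denial, sesearch_output):
    """True when every denied permission appears in an existing allow rule on
    the exact source/target types. Type attributes (e.g. base_ro_file_type)
    are not expanded here, so a False result may still be covered via an
    attribute; sesearch -A resolves those."""
    needed = set(denial['perms'])
    for src, tgt, cls, perms in _SESEARCH_RE.findall(sesearch_output):
        if (src, tgt, cls) == (denial['source_type'], denial['target_type'], denial['tclass']):
            needed -= set(perms.split())
    return not needed


if __name__ == '__main__':
    d = parse_avc(SAMPLE_AVC)
    print(f"{d.get('comm')} ({d['source_type']}) denied {d['perms']} on "
          f"{d['tclass']} {d.get('name')} ({d['target_type']})")
    for rule in cil_rules_for(d):
        print(rule)
    print('already allowed in F26 policy:', is_already_allowed(d, SESEARCH_F26))
```

Running it prints the two statements from abrt_exec_bin.cil and reports that the F26 sesearch output already grants them, which is the same conclusion the comment above reached by hand.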
Discussed during the 2017-03-06 blocker review meeting: [1]

The decision was made to accept this bug as an Alpha Freeze Exception as this prevents a significant accepted Change from working in the Workstation live environment.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-03-06/f26-blocker-review.2017-03-06-17.02.txt
Current stable selinux-policy is much ahead of the one claimed to fix this, so closing.