Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1419980 - SELinux is preventing abrt-dump-journ from 'execute' accesses on the file /usr/bin/lz4.
Summary: SELinux is preventing abrt-dump-journ from 'execute' accesses on the file /us...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 26
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:e9c843bfab72ba9984288171eee...
Depends On:
Blocks: F26AlphaFreezeException 1405995
TreeView+ depends on / blocked
 
Reported: 2017-02-07 14:45 UTC by Michael Catanzaro
Modified: 2017-03-24 17:04 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-24 17:04:39 UTC
Type: ---


Attachments (Terms of Use)

Description Michael Catanzaro 2017-02-07 14:45:51 UTC
Description of problem:
This is a follow-up report to https://bugzilla.redhat.com/show_bug.cgi?id=1341829

After https://bugzilla.redhat.com/show_bug.cgi?id=1341829 has been fixed, system-coredump now works. However,
we need to also ensure that ABRT's coredumpctl integration functions properly. It, too, is broken by SELinux. Test:

# systemctl stop abrt-ccpp.service
# systemctl start abrt-journal-core.service
(Start some app to be killed, say gedit)
# killall gedit

Expected behavior: ABRT fetches the crash report from systemd and presents a crash notification

Actual behavior: This SELinux alert appears
SELinux is preventing abrt-dump-journ from 'execute' accesses on the file /usr/bin/lz4.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that abrt-dump-journ should be allowed execute access on the lz4 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'abrt-dump-journ' --raw | audit2allow -M my-abrtdumpjourn
# semodule -X 300 -i my-abrtdumpjourn.pp

Additional Information:
Source Context                system_u:system_r:abrt_dump_oops_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/bin/lz4 [ file ]
Source                        abrt-dump-journ
Source Path                   abrt-dump-journ
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           lz4-1.7.5-1.fc25.x86_64
Policy RPM                    selinux-policy-3.13.1-225.6.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.9.6-200.fc25.x86_64 #1 SMP Thu
                              Jan 26 10:17:45 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-02-07 08:42:14 CST
Last Seen                     2017-02-07 08:42:14 CST
Local ID                      40fa121b-a2ac-4c47-995a-efb6c1a2f021

Raw Audit Messages
type=AVC msg=audit(1486478534.659:258): avc:  denied  { execute } for  pid=3138 comm="abrt-dump-journ" name="lz4" dev="dm-1" ino=2369212 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0


Hash: abrt-dump-journ,abrt_dump_oops_t,bin_t,file,execute

Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.6-200.fc25.x86_64
type:           libreport

Potential duplicate: bug 1414911

Comment 1 Michael Catanzaro 2017-02-07 14:50:15 UTC
(In reply to Michael Catanzaro from comment #0)
> # systemctl stop abrt-ccpp.service
> # systemctl start abrt-journal-core.service
> (Start some app to be killed, say gedit)
> # killall gedit

Whooops, I meant to type 'killall -SEGV gedit'

Comment 2 František Zatloukal 2017-02-08 15:19:47 UTC
Description of problem:
Warning raised when I killed gnome-calculator with -SEGV

Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.7-201.fc25.x86_64
type:           libreport

Comment 3 Michael Catanzaro 2017-02-22 19:56:09 UTC
Hi Lukas, will an update be available for this soon?

Comment 4 Michael Catanzaro 2017-02-28 14:13:40 UTC
(In reply to Michael Catanzaro from comment #3)
> Hi Lukas, will an update be available for this soon?

Hi Lukas, the change deadline for bug #1405995 was today and it is still blocked on this issue. The FESCo change review meeting is on Friday; it would be great to have an update released prior to then.

Note that we identified a solution to this issue via private email on February 8:

# cat abrt_exec_bin.cil
(allow abrt_dump_oops_t bin_t (file (execute)))
(allow abrt_dump_oops_t bin_t (file (execute_no_trans)))
# semodule -i abrt_exec_bin.cil

Comment 5 Fedora Blocker Bugs Application 2017-03-03 21:57:51 UTC
Proposed as a Freeze Exception for 26-alpha by Fedora user pfrields using the blocker tracking app because:

 This is a simple change to enable an accepted F26 Change. See also https://bugzilla.redhat.com/show_bug.cgi?id=1405995 which this bug blocks. Having this Change is important to the Workstation WG and we'd really like not to slip this for yet another release. I've reached out to the selinux-policy maintainers to ask for quick action here.

Comment 6 Lukas Vrabec 2017-03-03 22:01:35 UTC
[root@fraw ~]# sesearch -A -s abrt_dump_oops_t -t bin_t -c file -p execute
Found 2 semantic av rules:
   allow abrt_dump_oops_t base_ro_file_type : file { ioctl read getattr lock execute execute_no_trans open } ; 
   allow abrt_dump_oops_t bin_t : file { ioctl read getattr lock execute execute_no_trans open } ; 

[root@fraw ~]# rpm -q selinux-policy 
selinux-policy-3.13.1-241.fc26.noarch


#============= abrt_dump_oops_t ==============

#!!!! This avc is allowed in the current policy
allow abrt_dump_oops_t bin_t:file execute;


This issue is already fixed in F26:
https://koji.fedoraproject.org/koji/buildinfo?buildID=860624

Comment 7 Geoffrey Marr 2017-03-06 18:34:48 UTC
Discussed during the 2017-03-06 blocker review meeting: [1]

The decision was made to accept this bug as an Alpha Freeze Exception as this prevents a significant accepted Change from working in the Workstation live environment.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-03-06/f26-blocker-review.2017-03-06-17.02.txt

Comment 8 Adam Williamson 2017-03-24 17:04:39 UTC
Current stable selinux-policy is much ahead of the one claimed to fix this, so closing.


Note You need to log in before you can comment on or make changes to this bug.