Bug 1570310 - SELinux is preventing abrt-action-sav from 'write' accesses on the file /var/lib/rpm/.dbenv.lock.
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:53b69c22b90dfec56a10860d72a...
Depends On:
Blocks:
Reported: 2018-04-21 20:40 UTC by ricky.tigg
Modified: 2019-05-28 19:22 UTC

Fixed In Version: selinux-policy-3.14.1-25.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-05-28 19:22:55 UTC
Type: ---
Embargoed:



Description ricky.tigg 2018-04-21 20:40:16 UTC
Description of problem:
Stand-alone Sophos antivirus is installed.
SELinux is preventing abrt-action-sav from 'write' accesses on the file /var/lib/rpm/.dbenv.lock.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/var/lib/rpm/.dbenv.lock default label should be rpm_var_lib_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /var/lib/rpm/.dbenv.lock

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that abrt-action-sav should be allowed write access on the .dbenv.lock file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'abrt-action-sav' --raw | audit2allow -M my-abrtactionsav
# semodule -X 300 -i my-abrtactionsav.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:var_lib_t:s0
Target Objects                /var/lib/rpm/.dbenv.lock [ file ]
Source                        abrt-action-sav
Source Path                   abrt-action-sav
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.2-300.fc28.x86_64 #1 SMP Thu
                              Apr 12 14:58:07 UTC 2018 x86_64 x86_64
Alert Count                   144
First Seen                    2018-04-21 22:36:30 CEST
Last Seen                     2018-04-21 22:36:34 CEST
Local ID                      8f5ad15e-0d67-4380-9363-20152a41f300

Raw Audit Messages
type=AVC msg=audit(1524342994.48:1304): avc:  denied  { write } for  pid=16795 comm="abrt-action-lis" name=".dbenv.lock" dev="dm-0" ino=917697 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0


Hash: abrt-action-sav,abrt_t,var_lib_t,file,write


Additional info:
component:      selinux-policy
reporter:       libreport-2.9.4
hashmarkername: setroubleshoot
kernel:         4.16.2-300.fc28.x86_64
type:           libreport

Potential duplicate: bug 1209244

Comment 1 ricky.tigg 2018-04-25 06:59:39 UTC
Description of problem:
sav (Sophos antivirus)


Additional info:
reporter:       libreport-2.9.4
hashmarkername: setroubleshoot
kernel:         4.16.2-300.fc28.x86_64
type:           libreport

Comment 2 ricky.tigg 2018-04-25 10:08:00 UTC
Description of problem:
Occurred along with the use of Firefox.


Additional info:
reporter:       libreport-2.9.4
hashmarkername: setroubleshoot
kernel:         4.16.2-300.fc28.x86_64
type:           libreport

Comment 3 Ghadiyali Mohammed Kader 2018-05-04 17:10:25 UTC
Description of problem:
I get this error message after I boot my laptop.
I don't know why it happens.


Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.5-300.fc28.x86_64
type:           libreport

Comment 4 Fedora Update System 2018-05-21 09:56:32 UTC
selinux-policy-3.14.1-25.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-d19ffdb4ba

Comment 5 Fedora Update System 2018-05-21 17:15:45 UTC
selinux-policy-3.14.1-25.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-d19ffdb4ba

Comment 6 Fedora Update System 2018-05-23 15:40:32 UTC
selinux-policy-3.14.1-25.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Mirek Svoboda 2018-06-14 06:53:59 UTC
Description of problem:
Running kernel tests suite.


Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.17.0-200.fc28.x86_64
type:           libreport

Comment 8 Maxim Prohorenko 2018-11-01 07:42:28 UTC
abrt-action-sav

/var/lib/rpm/.dbenv.lock



LANG=C dnf info selinux-policy
Last metadata expiration check: 0:23:33 ago on Thu Nov  1 10:17:16 2018.
Installed Packages
Name         : selinux-policy
Version      : 3.14.2
Release      : 40.fc29
Arch         : noarch
Size         : 24 k
Source       : selinux-policy-3.14.2-40.fc29.src.rpm
Repo         : @System
Summary      : SELinux policy configuration
URL          : %{git0-base}
License      : GPLv2+
Description  : SELinux Base package for SELinux Reference Policy - modular.
             : Based off of reference policy: Checked out revision  2.20091117

Comment 9 Werner Gold 2018-11-19 08:18:08 UTC
I see 3.14.1 being most recent, and I still have the bug

LANG=C dnf --enablerepo=updates-testing  info selinux-policy

Last metadata expiration check: 0:00:00 ago on Mon Nov 19 09:12:10 2018.
Installed Packages
Name         : selinux-policy
Version      : 3.14.1
Release      : 48.fc28
Arch         : noarch
Size         : 24 k
Source       : selinux-policy-3.14.1-48.fc28.src.rpm
Repo         : @System
From repo    : updates
Summary      : SELinux policy configuration
URL          : %{git0-base}
License      : GPLv2+
Description  : SELinux Base package for SELinux Reference Policy - modular.
             : Based off of reference policy: Checked out revision  2.20091117

Comment 10 Zdenek Dohnal 2019-03-12 18:16:31 UTC
I see the bug on F29 too - during startup for example.

SELinux is preventing abrt-action-sav from write access on the file
/var/lib/rpm/.dbenv.lock.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/var/lib/rpm/.dbenv.lock default label should be rpm_var_lib_t.
Then you can run restorecon. The access attempt may have been stopped
due to insufficient permissions to access a parent directory in which
case try to change the following command accordingly.
Do
# /sbin/restorecon -v /var/lib/rpm/.dbenv.lock

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that abrt-action-sav should be allowed write access on
the .dbenv.lock file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'abrt-action-sav' --raw | audit2allow -M my-abrtactionsav
# semodule -X 300 -i my-abrtactionsav.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:var_lib_t:s0
Target Objects                /var/lib/rpm/.dbenv.lock [ file ]
Source                        abrt-action-sav
Source Path                   abrt-action-sav
Port                          <Unknown>
Host                          unused-4-162-brq-redhat-com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     unused-4-162-brq-redhat-com
Platform                      Linux unused-4-162-brq-redhat-com
                              4.20.14-200.fc29.x86_64 #1 SMP Tue Mar 5 19:55:32
                              UTC 2019 x86_64 x86_64
Alert Count                   326
First Seen                    2019-03-12 08:49:58 CET
Last Seen                     2019-03-12 19:08:03 CET
Local ID                      eec7ee50-97d3-4af2-9479-79c6f459ce2e

Raw Audit Messages
type=AVC msg=audit(1552414083.604:2246): avc:  denied  { write } for  pid=14895 comm="abrt-action-lis" name=".dbenv.lock" dev="dm-1" ino=2761231 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0


Hash: abrt-action-sav,abrt_t,var_lib_t,file,write

It seems it will need more investigating, I'm reopening the issue.

Comment 11 Garrett Mitchener 2019-04-21 20:27:17 UTC
Shotwell just crashed. I'm getting this message by the truckload trying to report the crash. I tried running

restorecon -R -v /var

and the messages stopped coming. I'm not sure if that's because whatever problem had run its course, or because something was labeled wrong and restorecon finally got it.

Here's what seems to be the relevant part of what restorecon did:

Relabeled /var/lib/rpm from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/__db.001 from system_u:object_r:var_lib_t:s0 to system_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/Sigmd5 from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/Name from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/Suggestname from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/Triggername from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/Supplementname from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/__db.002 from system_u:object_r:var_lib_t:s0 to system_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/Obsoletename from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/Requirename from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/Sha1header from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/Basenames from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/Dirnames from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/Installtid from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/Group from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/__db.003 from system_u:object_r:var_lib_t:s0 to system_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/Filetriggername from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/Packages from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/Conflictname from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/Transfiletriggername from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/Providename from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/.dbenv.lock from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/Recommendname from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/.rpm.lock from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
Relabeled /var/lib/rpm/Enhancename from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:rpm_var_lib_t:s0
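
Added example, not part of any comment in this report and not code from the selinux-policy or setroubleshoot projects: a small triage of the raw AVC record quoted in the description, showing why the denial points at a mislabeled file (target type var_lib_t where the default is rpm_var_lib_t) rather than at missing policy. The file-context table and the function names are assumptions constructed for the illustration.

```python
import re

# Constructed file-context table (assumption). On a live host, ask the loaded
# policy instead, e.g. `matchpathcon <path>`. Most specific rule first.
FILE_CONTEXTS = [
    (re.compile(r"/var/lib/rpm(/.*)?"), "rpm_var_lib_t"),
    (re.compile(r"/var/lib(/.*)?"), "var_lib_t"),
]
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")


def parse_avc(record):
    """Parse one type=AVC denial into a dict of its fields."""
    m = AVC_RE.search(record)
    if m is None:
        raise ValueError("not an AVC denial record")
    fields = {"perms": m.group("perms").split()}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest")):
        fields[key] = value.strip('"')
    # A context is user:role:type[:level]; the type is the third field.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields


def expected_type(path):
    """Type the constructed table assigns to path, or None if no rule matches."""
    for pattern, setype in FILE_CONTEXTS:
        if pattern.fullmatch(path):
            return setype
    return None


def triage(record, path):
    """Classify a denial as a mislabeled target ('relabel') or a policy gap."""
    avc = parse_avc(record)
    want = expected_type(path)
    if want is not None and want != avc["ttype"]:
        return "relabel", f"restorecon -v {path}  # {avc['ttype']} -> {want}"
    perms = " ".join(avc["perms"])
    return "policy", f"{avc['stype']} lacks {{ {perms} }} on {avc['ttype']}:{avc['tclass']}"


# Raw audit message from the report. The path comes from sealert's "Target
# Objects" line, because the AVC record itself carries only name= and ino=.
SAMPLE = ('type=AVC msg=audit(1524342994.48:1304): avc:  denied  { write } for  '
          'pid=16795 comm="abrt-action-lis" name=".dbenv.lock" dev="dm-0" ino=917697 '
          'scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 '
          'tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0')
print(triage(SAMPLE, "/var/lib/rpm/.dbenv.lock"))
```

A "relabel" verdict corresponds to the restorecon plugin's suggestion in the alert; "policy" means the target already carries its default type, so the denial has to be resolved in policy instead.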

Comment 12 Ben Cotton 2019-05-02 19:35:04 UTC
This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 28 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 13 Ben Cotton 2019-05-28 19:22:55 UTC
Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

