SSO (single sign-on) is being reconfigured. Maintenance started Jul 16 2:20PM UTC and will last 1 hour. Password-enabled login should still work.
Bug 1583080 - SELinux is preventing abrt-dbus from map access on the file /usr/sbin/abrt-dbus
Summary: SELinux is preventing abrt-dbus from map access on the file /usr/sbin/abrt-dbus
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
: 1584636 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-28 08:10 UTC by Lukas Slebodnik
Modified: 2018-10-30 10:04 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.13.1-205.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:04:11 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3111 None None None 2018-10-30 10:04:48 UTC

Description Lukas Slebodnik 2018-05-28 08:10:31 UTC
SELinux is preventing abrt-dbus from map access on the file /usr/sbin/abrt-dbus.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that abrt-dbus should be allowed map access on the abrt-dbus file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'abrt-dbus' --raw | audit2allow -M my-abrtdbus
# semodule -i my-abrtdbus.pp


Additional Information:
Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:abrt_exec_t:s0
Target Objects                /usr/sbin/abrt-dbus [ file ]
Source                        abrt-dbus
Source Path                   abrt-dbus
Port                          <Unknown>
Host                          bkr-hv01-guest24.dsal.lab.eng.bos.redhat.com
Source RPM Packages           
Target RPM Packages           abrt-dbus-2.1.11-50.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-197.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     bkr-hv01-guest24.dsal.lab.eng.bos.redhat.com
Platform                      Linux bkr-hv01-guest24.dsal.lab.eng.bos.redhat.com
                              3.10.0-893.el7.x86_64 #1 SMP Thu May 24 21:37:14
                              UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-05-26 09:15:02 EDT
Last Seen                     2018-05-26 09:15:02 EDT
Local ID                      10ce992a-1491-4ffd-8bbd-58da5e11e9ae

Raw Audit Messages
type=AVC msg=audit(1527340502.66:153): avc:  denied  { map } for  pid=16493 comm="abrt-dbus" path="/usr/sbin/abrt-dbus" dev="dm-0" ino=34237735 scontext=system_u:system_r:system_dbusd_t:s
0-s0:c0.c1023 tcontext=system_u:object_r:abrt_exec_t:s0 tclass=file permissive=1


Hash: abrt-dbus,system_dbusd_t,abrt_exec_t,file,map

Comment 2 Lukas Slebodnik 2018-06-05 10:55:25 UTC
I can see AVC even in enforcing mode
Raw Audit Messages
type=AVC msg=audit(1528194747.410:697): avc:  denied  { map } for  pid=32223 comm="abrt-dbus" path="/usr/sbin/abrt-dbus" dev="dm-0" ino=34957830 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_exec_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1528194747.410:697): arch=x86_64 syscall=execve success=no exit=EACCES a0=55f231033000 a1=55f231032910 a2=55f231031060 a3=2 items=2 ppid=32222 pid=32223 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-dbus exe=/usr/sbin/abrt-dbus subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)

type=CWD msg=audit(1528194747.410:697): cwd=/

type=PATH msg=audit(1528194747.410:697): item=0 name=/usr/sbin/abrt-dbus inode=34957830 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:abrt_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Comment 3 Milos Malik 2018-06-05 19:50:31 UTC
Following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(06/05/2018 15:48:29.197:244) : proctitle=(null) 
type=PATH msg=audit(06/05/2018 15:48:29.197:244) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=418713 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(06/05/2018 15:48:29.197:244) : item=0 name=/usr/sbin/abrt-dbus inode=535060 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:abrt_exec_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(06/05/2018 15:48:29.197:244) :  cwd=/ 
type=SYSCALL msg=audit(06/05/2018 15:48:29.197:244) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55e28be47960 a1=0x55e28be476e0 a2=0x55e28be46060 a3=0x2 items=2 ppid=15722 pid=15723 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=abrt-dbus exe=/usr/sbin/abrt-dbus subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/05/2018 15:48:29.197:244) : avc:  denied  { map } for  pid=15723 comm=abrt-dbus path=/usr/sbin/abrt-dbus dev="dm-0" ino=535060 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_exec_t:s0 tclass=file permissive=0 
----

Comment 5 Lukas Slebodnik 2018-06-16 08:16:26 UTC
I can still reproduce with latest selinux-policy

[root@host ~]# rpm -q selinux-policy
selinux-policy-3.13.1-204.el7.noarch

[root@host ~]# getenforce 
Enforcing

[root@host ~]# ausearch -m avc
<no matches>

[root@host ~]# abrt-cli ls
Can't connect to system DBus: Error calling StartServiceByName for org.freedesktop.problems: GDBus.Error:org.freedesktop.DBus.Error.Spawn.ChildSignaled: Process org.freedesktop.problems received signal 9

[root@host ~]# ausearch -m avc -i
----
type=PROCTITLE msg=audit(06/16/2018 04:15:04.204:464) : proctitle=(null) 
type=PATH msg=audit(06/16/2018 04:15:04.204:464) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=33572130 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(06/16/2018 04:15:04.204:464) : item=0 name=/usr/sbin/abrt-dbus inode=33570168 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:abrt_exec_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(06/16/2018 04:15:04.204:464) :  cwd=/ 
type=SYSCALL msg=audit(06/16/2018 04:15:04.204:464) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x564c89355f10 a1=0x564c89355690 a2=0x564c89354060 a3=0x2 items=2 ppid=23028 pid=23029 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=abrt-dbus exe=/usr/sbin/abrt-dbus subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/16/2018 04:15:04.204:464) : avc:  denied  { map } for  pid=23029 comm=abrt-dbus path=/usr/sbin/abrt-dbus dev="dm-0" ino=33570168 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_exec_t:s0 tclass=file permissive=0

Comment 7 Martin Kutlak 2018-07-03 12:04:34 UTC
*** Bug 1584636 has been marked as a duplicate of this bug. ***

Comment 10 errata-xmlrpc 2018-10-30 10:04:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111


Note You need to log in before you can comment on or make changes to this bug.