Bug 1640067 - SELinux is preventing abrt-hook-ccpp from using the 'sys_resource' capabilities.
Summary: SELinux is preventing abrt-hook-ccpp from using the 'sys_resource' capabilities.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:2637231e1e9f05bcb6805e3d368...
Depends On:
Blocks:
Reported: 2018-10-17 09:55 UTC by Berend De Schouwer
Modified: 2018-11-04 12:34 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2018-11-04 12:34:39 UTC
Type: ---
Embargoed:



Description Berend De Schouwer 2018-10-17 09:55:59 UTC
Description of problem:
I'm attempting to get debug reports from abrt itself.

This triggers an selinux warning.

abrt-analyze-c is currently crashing with a segfault repeatedly.  I'm attempting to get a report from this to report a bug in abrt itself.

It's doing this when Python segfaults (C segfault, not Python backtrace), which I can trigger reliably by running gnome-music (bz # 1635152).

Basically Python segfault:
Oct 17 11:50:21 sieve-deschouwer-co-za abrt-hook-ccpp[32427]: Process 32382 (python3.7) of user 1000 killed by SIGSEGV - dumping core
Oct 17 11:50:22 sieve-deschouwer-co-za abrt-hook-ccpp[32428]: Can't generate core backtrace: dwfl_getthread_frames failed: No DWARF information found
Oct 17 11:50:22 sieve-deschouwer-co-za abrt-hook-ccpp[32427]: Core backtrace generator exited with error 1

triggers abrt segfault:
Oct 17 11:47:01 sieve-deschouwer-co-za kernel: abrt-action-ana[32174]: segfault at 20 ip 000055b6c04db953 sp 00007ffd4ee50560 error 4 in abrt-action-analyze-c[55b6c04db000+1000]
Oct 17 11:47:01 sieve-deschouwer-co-za kernel: Code: e8 a2 f9 ff ff 4d 85 e4 74 38 4c 89 e7 e8 65 fa ff ff 48 89 c5 48 85 c0 0f 84 cb 00 00 00 48 89 ef e8 41 fb ff ff 48 8b 45 10 <48> 8b 50 20 48 85 d2 74 0f 48 8d 35 63 07 00 00 48 89 df e8 05 fb 
Oct 17 11:47:01 sieve-deschouwer-co-za abrt-hook-ccpp[32176]: Process 32174 (abrt-action-analyze-c) of user 0 killed by SIGSEGV - dumping core
Oct 17 11:47:01 sieve-deschouwer-co-za abrt-server[32143]: /bin/sh: line 56: 32174 Segmentation fault      (core dumped) abrt-action-analyze-c
Oct 17 11:47:01 sieve-deschouwer-co-za abrt-server[32143]: 'post-create' on '/var/spool/abrt/ccpp-2018-10-17-11:46:50-32076' exited with 139
Oct 17 11:47:01 sieve-deschouwer-co-za abrt-server[32143]: Deleting problem directory '/var/spool/abrt/ccpp-2018-10-17-11:46:50-32076'
Oct 17 11:47:01 sieve-deschouwer-co-za abrt-server[32143]: Lock file '.lock' was locked by process 32174, but it crashed?
SELinux is preventing abrt-hook-ccpp from using the 'sys_resource' capabilities.

*****  Plugin sys_resource (91.4 confidence) suggests   **********************

If you do not want processes to require capabilities to use up all the system resources on your system;
Then you need to diagnose why your system is running out of system resources and fix the problem.

According to /usr/include/linux/capability.h, sys_resource is required to:

/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
   resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
   you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */

Do
fix the cause of the SYS_RESOURCE on your system.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that abrt-hook-ccpp should have the sys_resource capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'abrt-hook-ccpp' --raw | audit2allow -M my-abrthookccpp
# semodule -X 300 -i my-abrthookccpp.pp

Additional Information:
Source Context                system_u:system_r:abrt_dump_oops_t:s0
Target Context                system_u:system_r:abrt_dump_oops_t:s0
Target Objects                Unknown [ capability ]
Source                        abrt-hook-ccpp
Source Path                   abrt-hook-ccpp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-37.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.10-300.fc29.x86_64 #1 SMP Wed
                              Sep 26 09:45:26 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-10-17 11:50:21 SAST
Last Seen                     2018-10-17 11:50:21 SAST
Local ID                      f023d241-c33d-463b-903c-f05029c4d888

Raw Audit Messages
type=AVC msg=audit(1539769821.531:6167): avc:  denied  { sys_resource } for  pid=32427 comm="abrt-hook-ccpp" capability=24  scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:abrt_dump_oops_t:s0 tclass=capability permissive=0


Hash: abrt-hook-ccpp,abrt_dump_oops_t,abrt_dump_oops_t,capability,sys_resource

Version-Release number of selected component:
selinux-policy-3.14.2-37.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.18.10-300.fc29.x86_64
type:           libreport

Comment 1 Berend De Schouwer 2018-10-17 09:59:15 UTC
also needs setrlimit

Comment 2 Lukas Vrabec 2018-11-04 12:34:39 UTC
This is related to debugging some process. Please create a local policy module with fixes.
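
As an added example (not part of this bug report, and not code from the abrt or selinux-policy projects), the following Python script shows what the `ausearch ... | audit2allow -M` step from the description does with the raw AVC record quoted above, so the resulting grant can be read before `semodule -i` loads it. It parses the real `sys_resource` denial from the report and a constructed `process:setrlimit` denial standing in for comment 1 (the constructed record's timestamp and serial are illustrative), turns each into the `allow` rule audit2allow would emit (`self` when source and target type coincide), assembles the `.te` source with its `require` block, and flags rules that grant a Linux capability, since those widen a domain's reach far more than a single file or process permission. The capability number table follows the `CAP_*` ordering in `linux/capability.h`; the module name is the one used in the report's suggested command.

```python
import re

# Raw AVC line copied from the bug report (the only real denial on the page).
AVC_FROM_REPORT = (
    'type=AVC msg=audit(1539769821.531:6167): avc:  denied  { sys_resource } for  '
    'pid=32427 comm="abrt-hook-ccpp" capability=24  '
    'scontext=system_u:system_r:abrt_dump_oops_t:s0 '
    'tcontext=system_u:system_r:abrt_dump_oops_t:s0 tclass=capability permissive=0'
)

# Constructed sample (not from the page) standing in for the setrlimit denial
# mentioned in comment 1; timestamp and serial are illustrative only.
AVC_CONSTRUCTED_SETRLIMIT = (
    'type=AVC msg=audit(1539769822.100:6168): avc:  denied  { setrlimit } for  '
    'pid=32427 comm="abrt-hook-ccpp" '
    'scontext=system_u:system_r:abrt_dump_oops_t:s0 '
    'tcontext=system_u:system_r:abrt_dump_oops_t:s0 tclass=process permissive=0'
)

# Kernel capability numbering from linux/capability.h (CAP_CHOWN = 0 ... CAP_SETFCAP = 31).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap "
    "linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner "
    "sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice "
    "sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap"
).split()

_PERMS_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def capability_name(number):
    """Map the numeric capability= field to the name SELinux uses in the class."""
    return CAP_NAMES[int(number)]


def parse_avc(line):
    """Split one raw AVC record into a dict: result, perms list, and key=value fields."""
    m = _PERMS_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, val in _KV_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """user:role:type:level -> type (the part policy rules are written against)."""
    return ctx.split(":")[2]


def allow_rule(rec):
    """The allow rule audit2allow would generate for this record."""
    src, tgt = context_type(rec["scontext"]), context_type(rec["tcontext"])
    target = "self" if src == tgt else tgt
    perms = rec["perms"]
    perm_txt = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (src, target, rec["tclass"], perm_txt)


def is_capability_grant(rec):
    """True when the rule would hand the domain a Linux capability rather than an object permission."""
    return rec["tclass"] in ("capability", "capability2")


def build_te(module_name, lines):
    """Assemble the .te source (module header, require block, allow rules) for the given records."""
    types, classes, rules = set(), {}, []
    for rec in (parse_avc(l) for l in lines):
        types.update((context_type(rec["scontext"]), context_type(rec["tcontext"])))
        classes.setdefault(rec["tclass"], set()).update(rec["perms"])
        rule = allow_rule(rec)
        if rule not in rules:
            rules.append(rule)
    out = ["module %s 1.0;" % module_name, "", "require {"]
    out += ["    type %s;" % t for t in sorted(types)]
    for cls in sorted(classes):
        perms = sorted(classes[cls])
        perm_txt = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        out.append("    class %s %s;" % (cls, perm_txt))
    out += ["}", ""] + rules
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    records = [AVC_FROM_REPORT, AVC_CONSTRUCTED_SETRLIMIT]
    for rec in map(parse_avc, records):
        flag = "  <-- capability grant, review before loading" if is_capability_grant(rec) else ""
        print(allow_rule(rec) + flag)
    print(build_te("my-abrthookccpp", records))
```

Running the script prints the two rules and the `.te` text; the `capability=24` field on the report's record resolves to `sys_resource`, matching the permission in braces, which is a cheap consistency check before trusting a generated module.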

