Bug 1734403 - avc: denied { read } for comm="abrt-action-ins"
Summary: avc: denied { read } for comm="abrt-action-ins"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: 8.1
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
: 1739355 1740060 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-07-30 12:50 UTC by Steeve Goveas
Modified: 2019-11-05 22:12 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-05 22:12:08 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3547 None None None 2019-11-05 22:12:18 UTC

Description Steeve Goveas 2019-07-30 12:50:52 UTC
http://ci-vm-10-0-148-68.hosted.upshift.rdu2.redhat.com/sssd-nightly-tier2/master/1/ldap_krb5/restraint.01/

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
selinux-policy-3.14.3-12.el8.noarch
----
time->Tue Jul 30 06:20:25 2019
type=PROCTITLE msg=audit(1564482025.406:1780): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D75002F7573722F62696E2F616272742D616374696F6E2D696E7374616C6C2D6465627567696E666F002D79002D76
type=SYSCALL msg=audit(1564482025.406:1780): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55cddcde3120 a2=0 a3=0 items=0 ppid=26222 pid=26246 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-action-ins" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1564482025.406:1780): avc:  denied  { read } for  pid=26246 comm="abrt-action-ins" name="satellite-5-client.module" dev="vda1" ino=8409219 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=0
----
time->Tue Jul 30 06:20:25 2019
type=PROCTITLE msg=audit(1564482025.406:1781): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D75002F7573722F62696E2F616272742D616374696F6E2D696E7374616C6C2D6465627567696E666F002D79002D76
type=SYSCALL msg=audit(1564482025.406:1781): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55cddcde9750 a2=0 a3=0 items=0 ppid=26222 pid=26246 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-action-ins" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1564482025.406:1781): avc:  denied  { read } for  pid=26246 comm="abrt-action-ins" name="virt.module" dev="vda1" ino=8409220 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=0
----
time->Tue Jul 30 06:20:32 2019
type=PROCTITLE msg=audit(1564482032.607:1783): proctitle=2F7573722F6C6962657865632F737373642F737373645F6265002D2D646F6D61696E004144002D2D7569640030002D2D6769640030002D2D6C6F676765723D66696C6573
type=SYSCALL msg=audit(1564482032.607:1783): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5619e9480e00 a2=0 a3=0 items=0 ppid=26276 pid=26284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1564482032.607:1783): avc:  denied  { search } for  pid=26284 comm="sssd_be" name="krb5" dev="vda1" ino=9186485 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
----
time->Tue Jul 30 06:21:03 2019
type=PROCTITLE msg=audit(1564482063.872:1822): proctitle=2F7573722F6C6962657865632F737373642F737373645F6265002D2D646F6D61696E004144002D2D7569640030002D2D6769640030002D2D6C6F676765723D66696C6573
type=SYSCALL msg=audit(1564482063.872:1822): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55857b5d4570 a2=0 a3=0 items=0 ppid=26612 pid=26614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1564482063.872:1822): avc:  denied  { search } for  pid=26614 comm="sssd_be" name="krb5" dev="vda1" ino=9186485 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0

Comment 1 Lukas Vrabec 2019-07-30 13:03:24 UTC

*** This bug has been marked as a duplicate of bug 1734399 ***

Comment 2 Milos Malik 2019-08-08 10:21:02 UTC
Please ignore the last 2 SELinux denials in comment#0. This bug is about SELinux interfering with abrt-action-ins...

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
selinux-policy-3.14.3-13.el8.noarch
----
time->Tue Aug  6 20:30:13 2019
type=PROCTITLE msg=audit(1565137813.164:811): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D75002F7573722F62696E2F616272742D616374696F6E2D696E7374616C6C2D6465627567696E666F002D79
type=PATH msg=audit(1565137813.164:811): item=0 name="/etc/dnf/modules.d/satellite-5-client.module" inode=135 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1565137813.164:811): cwd="/var/spool/abrt/ccpp-2019-08-06-20:30:10.357071-18035"
type=SYSCALL msg=audit(1565137813.164:811): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=aaaae6eac790 a2=0 a3=0 items=1 ppid=19181 pid=19202 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-action-ins" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1565137813.164:811): avc:  denied  { read } for  pid=19202 comm="abrt-action-ins" name="satellite-5-client.module" dev="dm-0" ino=135 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=0
----

Comment 3 Lukas Vrabec 2019-08-09 10:28:34 UTC
*** Bug 1739355 has been marked as a duplicate of this bug. ***

Comment 4 Milos Malik 2019-08-09 12:16:50 UTC
Increasing priority/severity, because several QE people found this AVC in their test runs.

Comment 5 Lukas Vrabec 2019-08-09 13:43:59 UTC
commit 99af5f04a4694d1b16929d45cbd6900ff5f42464 (HEAD -> rhel8.1-contrib)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Fri Aug 9 15:43:00 2019 +0200

    Dontaudit abrt_t domain to read root_t files
    Resolves: rhbz#1734403

Comment 6 Lukas Vrabec 2019-08-12 08:40:55 UTC
*** Bug 1740060 has been marked as a duplicate of this bug. ***

Comment 22 errata-xmlrpc 2019-11-05 22:12:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3547


Note You need to log in before you can comment on or make changes to this bug.