Description of problem:
SELinux is preventing pidof from 'sys_ptrace' accesses on the cap_userns labeled abrt_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that pidof should be allowed sys_ptrace access on cap_userns labeled abrt_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'pidof' --raw | audit2allow -M my-pidof
# semodule -X 300 -i my-pidof.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Objects                Unknown [ cap_userns ]
Source                        pidof
Source Path                   pidof
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-36.5-1.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.5-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.17.1-300.fc36.x86_64 #1 SMP PREEMPT Mon Mar 28 15:27:56 UTC 2022 x86_64 x86_64
Alert Count                   4
First Seen                    2022-03-30 21:20:25 BST
Last Seen                     2022-04-04 10:53:03 BST
Local ID                      b9b84c50-2dc9-4c25-b13a-14be66689fa0

Raw Audit Messages
type=AVC msg=audit(1649065983.329:425): avc: denied { sys_ptrace } for pid=2422 comm="pidof" capability=19 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0

Hash: pidof,abrt_t,abrt_t,cap_userns,sys_ptrace

Version-Release number of selected component:
selinux-policy-targeted-36.5-1.fc36.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.1
hashmarkername: setroubleshoot
kernel:         5.17.1-300.fc36.x86_64
type:           libreport

Potential duplicate: bug 1836681
Hi,

If you want abrt to handle event scripts, turn the abrt_handle_event boolean on:

# setsebool -P abrt_handle_event on
Similar problem has been detected:

Upgraded and rebooted a F36 system

hashmarkername: setroubleshoot
kernel:         5.17.6-300.fc36.x86_64
package:        selinux-policy-targeted-36.8-1.fc36.noarch
reason:         SELinux is preventing pidof from 'sys_ptrace' accesses on the cap_userns labeled abrt_t.
type:           libreport
Reproducible on Fedora 36 VM:

# touch /var/crash/something
# service abrt-vmcore stop
Redirecting to /bin/systemctl stop abrt-vmcore.service
# service abrt-vmcore start
Redirecting to /bin/systemctl start abrt-vmcore.service
# service abrt-vmcore status
Redirecting to /bin/systemctl status abrt-vmcore.service
● abrt-vmcore.service - Harvest vmcores for ABRT
     Loaded: loaded (/usr/lib/systemd/system/abrt-vmcore.service; enabled; vendor preset: enabled)
     Active: active (exited) since Tue 2022-09-06 12:37:34 CEST; 7min ago
    Process: 24937 ExecStart=/usr/sbin/abrt-harvest-vmcore (code=exited, status=0/SUCCESS)
   Main PID: 24937 (code=exited, status=0/SUCCESS)
        CPU: 137ms

Sep 06 12:37:33 fedora systemd[1]: Starting abrt-vmcore.service - Harvest vmcores for ABRT...
Sep 06 12:37:34 fedora systemd[1]: Finished abrt-vmcore.service - Harvest vmcores for ABRT.

# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=PROCTITLE msg=audit(09/06/2022 12:37:34.144:485) : proctitle=pidof abrtd
type=SYSCALL msg=audit(09/06/2022 12:37:34.144:485) : arch=x86_64 syscall=read success=yes exit=169 a0=0x4 a1=0x55852b067ad0 a2=0x400 a3=0x0 items=0 ppid=24943 pid=24944 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pidof exe=/usr/bin/pidof subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(09/06/2022 12:37:34.144:485) : avc: denied { sys_ptrace } for pid=24944 comm=pidof capability=sys_ptrace scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
----
type=PROCTITLE msg=audit(09/06/2022 12:37:34.144:486) : proctitle=pidof abrtd
type=PATH msg=audit(09/06/2022 12:37:34.144:486) : item=0 name=/proc/813/exe inode=29772 dev=00:16 mode=link,777 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:devicekit_power_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/06/2022 12:37:34.144:486) : cwd=/
type=SYSCALL msg=audit(09/06/2022 12:37:34.144:486) : arch=x86_64 syscall=readlink success=no exit=EACCES(Permission denied) a0=0x7ffd50d1c650 a1=0x55852b05a4b0 a2=0x400 a3=0x0 items=1 ppid=24943 pid=24944 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pidof exe=/usr/bin/pidof subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(09/06/2022 12:37:34.144:486) : avc: denied { sys_ptrace } for pid=24944 comm=pidof capability=sys_ptrace scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
----

# rpm -qa selinux\* abrt\* | sort
abrt-2.15.1-1.fc36.x86_64
abrt-addon-ccpp-2.15.1-1.fc36.x86_64
abrt-addon-kerneloops-2.15.1-1.fc36.x86_64
abrt-addon-pstoreoops-2.15.1-1.fc36.x86_64
abrt-addon-vmcore-2.15.1-1.fc36.x86_64
abrt-addon-xorg-2.15.1-1.fc36.x86_64
abrt-cli-2.15.1-1.fc36.x86_64
abrt-dbus-2.15.1-1.fc36.x86_64
abrt-libs-2.15.1-1.fc36.x86_64
abrt-plugin-bodhi-2.15.1-1.fc36.x86_64
abrt-retrace-client-2.15.1-1.fc36.x86_64
abrt-tui-2.15.1-1.fc36.noarch
selinux-policy-36.14-1.fc36.noarch
selinux-policy-devel-36.14-1.fc36.noarch
selinux-policy-targeted-36.14-1.fc36.noarch

# getsebool -a | grep abrt
abrt_anon_write --> off
abrt_handle_event --> on
abrt_upload_watch_anon_write --> on
#
The same reproducer executed in permissive mode leads to the following SELinux denial:

----
type=PROCTITLE msg=audit(09/06/2022 12:51:17.214:516) : proctitle=pidof abrtd
type=SYSCALL msg=audit(09/06/2022 12:51:17.214:516) : arch=x86_64 syscall=read success=yes exit=304 a0=0x4 a1=0x55b241026ad0 a2=0x400 a3=0x0 items=0 ppid=25130 pid=25131 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pidof exe=/usr/bin/pidof subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(09/06/2022 12:51:17.214:516) : avc: denied { sys_ptrace } for pid=25131 comm=pidof capability=sys_ptrace scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
----
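An added example, not part of the bug report and not code from selinux-policy or abrt: a small POSIX sh script that pulls the relevant fields out of AVC records like the ones pasted in this thread and prints the type-enforcement allow rule equivalent to each denial (the rule `audit2allow` would put into a local module). It assumes only the record layout shown above; the two sample lines are constructed copies of the enforcing (permissive=0) and permissive (permissive=1) denials quoted in the comments. Two points worth reading off such a record: tclass `cap_userns`, as opposed to `capability`, means the CAP_SYS_PTRACE check was made against a user namespace other than the initial one, and identical scontext/tcontext turn the rule into a `self` rule. Generating a local module from the denial is a workaround that widens abrt_t's permissions on every such host; the policy update referenced later in the thread is the proper fix.

```shell
#!/bin/sh
# Added example (not from the bug report or from selinux-policy/abrt).
# Parses AVC records and derives the equivalent allow rule.

# Constructed copies of the two denials quoted in this thread.
SAMPLE_ENFORCING='type=AVC msg=audit(1649065983.329:425): avc: denied { sys_ptrace } for pid=2422 comm="pidof" capability=19 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0'
SAMPLE_PERMISSIVE='type=AVC msg=audit(09/06/2022 12:51:17.214:516) : avc: denied { sys_ptrace } for pid=25131 comm=pidof capability=sys_ptrace scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1'

# avc_field RECORD KEY: value of the whitespace-delimited KEY=value token,
# with surrounding double quotes (raw ausearch output) stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_type CONTEXT: the type field (user:role:TYPE:range) of an SELinux context.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms RECORD: the permission set between the braces of "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# avc_enforced RECORD: whether the access was actually blocked.
# permissive=1 records are logged but not enforced.
avc_enforced() {
    case $(avc_field "$1" permissive) in
        0) echo denied ;;
        1) echo would-deny ;;
        *) echo unknown ;;
    esac
}

# avc_rule RECORD: the TE allow rule that would silence this denial.
# When source and target type are the same, SELinux policy writes "self".
avc_rule() {
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    if [ "$src" = "$tgt" ]; then
        tgt=self
    fi
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# Summarise both constructed records.
for rec in "$SAMPLE_ENFORCING" "$SAMPLE_PERMISSIVE"; do
    printf '%s pid=%s (%s): %s\n' \
        "$(avc_field "$rec" comm)" "$(avc_field "$rec" pid)" \
        "$(avc_enforced "$rec")" "$(avc_rule "$rec")"
done
```

On a live system the same functions can be fed real records with `ausearch -m avc --raw` (one AVC record per line); the `-i` interpreted format used in the reproducer above is also handled, since only the `key=value` tokens are read.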
FEDORA-2022-839f7bd62c has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-839f7bd62c
FEDORA-2022-839f7bd62c has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-839f7bd62c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-839f7bd62c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-839f7bd62c has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.