Description of problem:
SELinux is preventing gdb from read access on the chr_file card0.

Version-Release number of selected component (if applicable):
5.18.16-200.fc36.x86_64

How reproducible:
Drag an album to playlist in clementine and start playing. clementine stops after a few seconds with popping up of the bug

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

***** Plugin catchall (100. confidence) suggests **************************

If you believe that gdb should be allowed read access on the card0 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gdb' --raw | audit2allow -M my-gdb
# semodule -X 300 -i my-gdb.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:dri_device_t:s0
Target Objects                card0 [ chr_file ]
Source                        gdb
Source Path                   gdb
Port                          <Unknown>
Host                          fedora
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-36.13-3.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.13-3.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 5.18.16-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Aug 3 15:44:49 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-08-08 06:07:45 EDT
Last Seen                     2022-08-08 06:07:45 EDT
Local ID                      d736daf2-4270-4d2b-bbc1-83e24c6a2f57

Raw Audit Messages
type=AVC msg=audit(1659953265.634:396): avc: denied { read } for pid=5965 comm="gdb" name="card0" dev="devtmpfs" ino=236 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0

Hash: gdb,abrt_t,dri_device_t,chr_file,read
It is required to turn this boolean on to allow abrt to execute its gdb handler and be able to troubleshoot further:

# setsebool -P abrt_handle_event on

and subsequently report another bug for the affected component. Refer to abrt_handle_event_selinux(8) for more information.

We are currently discussing the option of having the boolean turned on by default.
*** Bug 2120044 has been marked as a duplicate of this bug. ***
*** Bug 2121374 has been marked as a duplicate of this bug. ***
Here are the SELinux denials with details:

----
type=PROCTITLE msg=audit(09/05/2022 11:45:58.906:638) : proctitle=/usr/libexec/gdb --batch -ex python exec(open("/usr/libexec/abrt-gdb-exploitable").read()) -ex core-file ./coredump -ex abrt-exp
type=PATH msg=audit(09/05/2022 11:45:58.906:638) : item=0 name=/dev/dri/card0 inode=296 dev=00:05 mode=character,660 ouid=root ogid=video rdev=e2:00 obj=system_u:object_r:dri_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/05/2022 11:45:58.906:638) : cwd=/var/spool/abrt/ccpp-2022-09-05-11:45:56.630619-2801
type=SYSCALL msg=audit(09/05/2022 11:45:58.906:638) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55915b91ca70 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=3935 pid=3936 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdb exe=/usr/libexec/gdb subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(09/05/2022 11:45:58.906:638) : avc: denied { read } for pid=3936 comm=gdb name=card0 dev="devtmpfs" ino=296 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
----

# rpm -qa selinux\*
selinux-policy-36.14-1.fc36.noarch
selinux-policy-targeted-36.14-1.fc36.noarch
selinux-policy-devel-36.14-1.fc36.noarch
#

Reproducible on my Fedora 36 VM after logging in as unconfined user from GDM which runs on Xorg.
# abrt-cli info
Id                  b5197ea
Component           gnome-shell
Count               1
Time                2022-09-05 11:45:56
Command line        /usr/bin/gnome-shell
Package             gnome-shell-42.4-1.fc36
User id             1000 (unconfined-user)
Path                /var/spool/abrt/ccpp-2022-09-05-11:45:56.630619-2801
#
After enabling the abrt_handle_event boolean permanently, the SELinux denials are not reproducible anymore.
It is required to turn this boolean on to allow abrt to execute its gdb handler and be able to troubleshoot further:

# setsebool -P abrt_handle_event on

and subsequently report another bug for the affected component. Refer to abrt_handle_event_selinux(8) for more information.

Closing as dup of bz#1896648.

*** This bug has been marked as a duplicate of bug 1896648 ***
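
Added example, not part of the bug thread and not code from setroubleshoot or abrt: a small Python triage script that reduces AVC denial records, in either the raw or the "ausearch -i" format quoted in this report, to the comm,source_type,target_type,class,permission signature shown in the report's Hash line, and points at a boolean to check before a local audit2allow module is considered. The BOOLEAN_HINTS map and the function names are assumptions made for this example.

```python
import re
from collections import Counter

# Sample input: the two AVC records quoted in this report (raw and
# "ausearch -i" formats) plus a shortened, constructed SYSCALL line.
SAMPLE_LOG = '''\
type=AVC msg=audit(1659953265.634:396): avc:  denied  { read } for  pid=5965 comm="gdb" name="card0" dev="devtmpfs" ino=236 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(09/05/2022 11:45:58.906:638) : avc:  denied  { read } for  pid=3936 comm=gdb name=card0 dev="devtmpfs" ino=296 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(09/05/2022 11:45:58.906:638) : arch=x86_64 syscall=openat success=no
'''

DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for this example: a hand-kept map from source domain to the
# boolean named in this report. It is not derived from the loaded policy.
BOOLEAN_HINTS = {'abrt_t': 'abrt_handle_event'}

def parse_avc(line):
    """Return one (comm, source type, target type, class, perm) per permission."""
    denied = DENIED_RE.search(line)
    if not line.startswith('type=AVC') or denied is None:
        return []
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    try:
        # A context is user:role:type[:level]; the type is the third field.
        stype = fields['scontext'].split(':')[2]
        ttype = fields['tcontext'].split(':')[2]
        base = (fields['comm'], stype, ttype, fields['tclass'])
    except (KeyError, IndexError):
        return []  # truncated or malformed record
    return [base + (perm,) for perm in denied.group(1).split()]

def triage(log_text):
    """Deduplicate denials and attach a suggested next step to each signature."""
    counts = Counter()
    for line in log_text.splitlines():
        counts.update(parse_avc(line.strip()))
    report = []
    for sig, seen in sorted(counts.items()):
        hint = BOOLEAN_HINTS.get(sig[1])
        action = f'check boolean {hint}' if hint else 'review before audit2allow'
        report.append((','.join(sig), seen, action))
    return report

if __name__ == '__main__':
    for signature, seen, action in triage(SAMPLE_LOG):
        print(f'{seen}x {signature} -> {action}')
```

Both records in the sample collapse to the same signature as the Hash line in the original description, which is why the later reports were closed as duplicates.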