Description of problem: This popped up when pipewire crashed ( bug 2209409 ) and ABRT showed a crash notification. I guess some processing in ABRT triggered this SELinux error. SELinux is preventing gdb from 'read' accesses on the chr_file pcmC0D0p. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that gdb should be allowed read access on the pcmC0D0p chr_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'gdb' --raw | audit2allow -M my-gdb # semodule -X 300 -i my-gdb.pp Additional Information: Source Context system_u:system_r:abrt_t:s0-s0:c0.c1023 Target Context system_u:object_r:sound_device_t:s0 Target Objects pcmC0D0p [ chr_file ] Source gdb Source Path gdb Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-38.12-1.fc38.noarch Local Policy RPM selinux-policy-targeted-38.12-1.fc38.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 6.3.3-200.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Wed May 17 14:31:24 UTC 2023 x86_64 Alert Count 3 First Seen 2023-05-23 21:17:32 CEST Last Seen 2023-05-23 21:17:32 CEST Local ID 6b5c8123-c5c6-4901-9c89-8252bcb23844 Raw Audit Messages type=AVC msg=audit(1684869452.403:796): avc: denied { read } for pid=127397 comm="gdb" name="pcmC0D0p" dev="devtmpfs" ino=898 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=0 Hash: gdb,abrt_t,sound_device_t,chr_file,read Version-Release number of selected component: selinux-policy-targeted-38.12-1.fc38.noarch Additional info: reporter: libreport-2.17.10 reason: SELinux is preventing gdb from 'read' accesses on the chr_file pcmC0D0p. package: selinux-policy-targeted-38.12-1.fc38.noarch component: selinux-policy hashmarkername: setroubleshoot type: libreport kernel: 6.3.3-200.fc38.x86_64 comment: This popped up when pipewire crashed ( bug 2209409 ) and ABRT showed a crash notification. I guess some processing in ABRT triggered this SELinux error. component: selinux-policy
Created attachment 1966480 [details] File: description
Created attachment 1966481 [details] File: os_info
It is required to turn this boolean on to allow abrt execute its gdb handler and be able to troubleshoot further: # setsebool -P abrt_handle_event on and subsequently report another bug for the affected component. This boolean will be turned on by default in the future Fedora releases. Refer to abrt_handle_event_selinux(8) for more information.
Zdeněk, should I file a bug against abrt (or some other component) then, to enable that sebool by default? Because I'm using stock settings, and in stock settings, it should either work or it shouldn't cause selinux errors, in my opinion. Also, this is the first time I saw this error. I can troubleshoot and report a crash in abrt just fine (I used it to report bug 2209409 ). This might be some new behavior.
(In reply to Kamil Páral from comment #4) > Zdeněk, should I file a bug against abrt (or some other component) then, to > enable that sebool by default? Because I'm using stock settings, and in > stock settings, it should either work or it shouldn't cause selinux errors, > in my opinion. The boolean has been set to on in the latest build. > Also, this is the first time I saw this error. I can troubleshoot and report > a crash in abrt just fine (I used it to report bug 2209409 ). This might be > some new behavior. I think this is not a crash in abrt, just abrt trying to troubleshoot a previous crash.