Bug 2209410 - SELinux is preventing gdb from 'read' accesses on the chr_file pcmC0D0p.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:19f1e4979b24a34efc80637fc21...
Depends On:
Blocks:
Reported: 2023-05-23 19:36 UTC by Kamil Páral
Modified: 2023-07-17 07:26 UTC (History)

Last Closed: 2023-05-23 19:42:17 UTC


Attachments
File: description (1.86 KB, text/plain)
2023-05-23 19:36 UTC, Kamil Páral
File: os_info (734 bytes, text/plain)
2023-05-23 19:36 UTC, Kamil Páral

Description Kamil Páral 2023-05-23 19:36:47 UTC
Description of problem:
This popped up when pipewire crashed ( bug 2209409 ) and ABRT showed a crash notification. I guess some processing in ABRT triggered this SELinux error.
SELinux is preventing gdb from 'read' accesses on the chr_file pcmC0D0p.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gdb should be allowed read access on the pcmC0D0p chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gdb' --raw | audit2allow -M my-gdb
# semodule -X 300 -i my-gdb.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sound_device_t:s0
Target Objects                pcmC0D0p [ chr_file ]
Source                        gdb
Source Path                   gdb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.12-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.12-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.3.3-200.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed May 17 14:31:24 UTC 2023
                              x86_64
Alert Count                   3
First Seen                    2023-05-23 21:17:32 CEST
Last Seen                     2023-05-23 21:17:32 CEST
Local ID                      6b5c8123-c5c6-4901-9c89-8252bcb23844

Raw Audit Messages
type=AVC msg=audit(1684869452.403:796): avc:  denied  { read } for  pid=127397 comm="gdb" name="pcmC0D0p" dev="devtmpfs" ino=898 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=0


Hash: gdb,abrt_t,sound_device_t,chr_file,read

Version-Release number of selected component:
selinux-policy-targeted-38.12-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.10
reason:         SELinux is preventing gdb from 'read' accesses on the chr_file pcmC0D0p.
package:        selinux-policy-targeted-38.12-1.fc38.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.3.3-200.fc38.x86_64
comment:        This popped up when pipewire crashed ( bug 2209409 ) and ABRT showed a crash notification. I guess some processing in ABRT triggered this SELinux error.
component:      selinux-policy
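
A triage sketch for the raw audit message above, added here as an example (not part of the original report and not setroubleshoot's code): it parses AVC denial lines and groups them by the same five fields that appear in the report's Hash line. The function names and the second and third sample lines are constructed for illustration, and splitting a multi-permission denial into one key per permission is an assumption of this example.

```python
import re
from collections import Counter

# Line 1 is the denial quoted in this report; lines 2-3 are constructed for the example.
SAMPLE_LINES = [
    'type=AVC msg=audit(1684869452.403:796): avc:  denied  { read } for  pid=127397 comm="gdb" name="pcmC0D0p" dev="devtmpfs" ino=898 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=0',
    'type=AVC msg=audit(1684869452.410:797): avc:  denied  { read write } for  pid=127397 comm="gdb" name="pcmC0D0p" dev="devtmpfs" ino=898 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=0',
    'type=SYSCALL msg=audit(1684869452.410:797): arch=c000003e syscall=257 success=no exit=-13 comm="gdb"',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m['fields'])}
    rec['perms'] = m['perms'].split()
    rec['serial'] = int(m['serial'])
    # A context is user:role:type[:mls-range]; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    # permissive=0 means the access was actually blocked, not just logged.
    rec['enforced'] = rec.get('permissive') == '0'
    return rec


def signatures(rec):
    """One 'comm,source_type,target_type,class,perm' key per denied permission."""
    return [','.join([rec['comm'], rec['stype'], rec['ttype'], rec['tclass'], p])
            for p in rec['perms']]


def summarize(lines):
    """Count enforced denials per signature so repeats collapse into one entry."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['enforced']:
            counts.update(signatures(rec))
    return counts


if __name__ == '__main__':
    for sig, n in summarize(SAMPLE_LINES).most_common():
        print(n, sig)
```

Grouping by signature before reaching for `audit2allow` makes it easier to see whether a set of denials comes from one confined domain, which is the case a policy boolean usually covers.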

Comment 1 Kamil Páral 2023-05-23 19:36:50 UTC
Created attachment 1966480 [details]
File: description

Comment 2 Kamil Páral 2023-05-23 19:36:52 UTC
Created attachment 1966481 [details]
File: os_info

Comment 3 Zdenek Pytela 2023-05-23 19:42:17 UTC
It is required to turn this boolean on to allow abrt to execute its gdb handler and be able to troubleshoot further:

  # setsebool -P abrt_handle_event on

and subsequently report another bug for the affected component.

This boolean will be turned on by default in future Fedora releases.
Refer to abrt_handle_event_selinux(8) for more information.

Comment 4 Kamil Páral 2023-05-24 06:51:16 UTC
Zdeněk, should I file a bug against abrt (or some other component) then, to enable that sebool by default? Because I'm using stock settings, and in stock settings, it should either work or it shouldn't cause selinux errors, in my opinion.

Also, this is the first time I saw this error. I can troubleshoot and report a crash in abrt just fine (I used it to report bug 2209409 ). This might be some new behavior.

Comment 5 Zdenek Pytela 2023-07-17 07:26:07 UTC
(In reply to Kamil Páral from comment #4)
> Zdeněk, should I file a bug against abrt (or some other component) then, to
> enable that sebool by default? Because I'm using stock settings, and in
> stock settings, it should either work or it shouldn't cause selinux errors,
> in my opinion.
The boolean has been set to on in the latest build.

> Also, this is the first time I saw this error. I can troubleshoot and report
> a crash in abrt just fine (I used it to report bug 2209409 ). This might be
> some new behavior.
I think this is not a crash in abrt, just abrt trying to troubleshoot a previous crash.

