Bug 438301 - SELinux is preventing gdb (xdm_t) "write" to ./rpm (rpm_var_lib_t).
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Platform: All
OS: Linux
Priority: low
Severity: low
Assigned To: Seth Vidal
QA Contact: Fedora Extras Quality Assurance
: SELinux
Reported: 2008-03-20 06:06 EDT by Matěj Cepl
Modified: 2008-04-07 22:32 EDT
CC: 5 users
Doc Type: Bug Fix
Last Closed: 2008-04-07 22:32:36 EDT

Attachments: None

Description Matěj Cepl 2008-03-20 06:06:17 EDT
Description of problem:

Summary:

SELinux is preventing gdb (xdm_t) "write" to ./rpm (rpm_var_lib_t).

Detailed Description:

SELinux denied access requested by gdb. It is not expected that this access is
required by gdb and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./rpm,

restorecon -v './rpm'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Context                system_u:object_r:rpm_var_lib_t
Target Objects                ./rpm [ dir ]
Source                        gdb
Source Path                   /usr/bin/gdb
Port                          <Unknown>
Host                          hubmaier.ceplovi.cz
Source RPM Packages           gdb-6.7.50.20080227-3.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-17.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz
                              2.6.25-0.121.rc5.git4.fc9 #1 SMP Fri Mar 14
                              22:50:25 EDT 2008 x86_64 x86_64
Alert Count                   50
First Seen                    Mon 17 Mar 2008 14:58:07 CET
Last Seen                     Wed 19 Mar 2008 18:43:24 CET
Local ID                      2291244d-98fb-483e-80c8-77f089276ea2
Line Numbers                  

Raw Audit Messages            

host=hubmaier.ceplovi.cz type=AVC msg=audit(1205948604.112:1991): avc:  denied 
{ write } for  pid=13737 comm="gdb" name="rpm" dev=dm-8 ino=867411
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1205948604.112:1991):
arch=c000003e syscall=21 success=no exit=-13 a0=28199e0 a1=2 a2=0 a3=320276c9f0
items=0 ppid=13736 pid=13737 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdb" exe="/usr/bin/gdb"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
gdb-6.7.50.20080227-3.fc9.x86_64
rpm-4.4.2.3-0.3.rc1.x86_64
yum-3.2.12-4.fc9.noarch
yum-utils-1.1.11-5.fc9.noarch
selinux-policy-targeted-3.3.1-19.fc9.noarch

Additional info:
I don't have much of a clue how this happened; it just showed up in sealert when I
came to it in the morning. The only two possible candidates which would make at
least some sense (not much, though) are yum upgrade and debuginfo-install, both
of which I ran through ssh last night.
Comment 1 Matěj Cepl 2008-03-20 06:09:57 EDT
Probably related (or should I file a separate bug?):


Summary:

SELinux is preventing gdb (xdm_t) "getattr" to
/usr/src/debug/glibc-20080305T0857/sysdeps/unix/sysv/linux/waitpid.c (src_t).

Detailed Description:

SELinux denied access requested by gdb. It is not expected that this access is
required by gdb and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for
/usr/src/debug/glibc-20080305T0857/sysdeps/unix/sysv/linux/waitpid.c,

restorecon -v
'/usr/src/debug/glibc-20080305T0857/sysdeps/unix/sysv/linux/waitpid.c'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Context                system_u:object_r:src_t
Target Objects                /usr/src/debug/glibc-
                              20080305T0857/sysdeps/unix/sysv/linux/waitpid.c [
                              file ]
Source                        gdb
Source Path                   /usr/bin/gdb
Port                          <Unknown>
Host                          hubmaier.ceplovi.cz
Source RPM Packages           gdb-6.7.50.20080227-3.fc9
Target RPM Packages           glibc-debuginfo-2.7.90-9
Policy RPM                    selinux-policy-3.3.1-17.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz
                              2.6.25-0.121.rc5.git4.fc9 #1 SMP Fri Mar 14
                              22:50:25 EDT 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 17 Mar 2008 14:58:09 CET
Last Seen                     Wed 19 Mar 2008 18:43:24 CET
Local ID                      4f1a56e0-f870-4057-a24e-43d72c15f7de
Line Numbers                  

Raw Audit Messages            

host=hubmaier.ceplovi.cz type=AVC msg=audit(1205948604.178:1993): avc:  denied 
{ getattr } for  pid=13737 comm="gdb"
path="/usr/src/debug/glibc-20080305T0857/sysdeps/unix/sysv/linux/waitpid.c"
dev=dm-1 ino=103845 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:src_t:s0 tclass=file

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1205948604.178:1993):
arch=c000003e syscall=4 success=no exit=-13 a0=7fff505d8890 a1=7fff505d87f0
a2=7fff505d87f0 a3=0 items=0 ppid=13736 pid=13737 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdb"
exe="/usr/bin/gdb" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


Comment 2 Matěj Cepl 2008-03-20 06:10:16 EDT
and one more


Summary:

SELinux is preventing gdb (xdm_t) "read" to ./waitpid.c (src_t).

Detailed Description:

SELinux denied access requested by gdb. It is not expected that this access is
required by gdb and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./waitpid.c,

restorecon -v './waitpid.c'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Context                system_u:object_r:src_t
Target Objects                ./waitpid.c [ file ]
Source                        gdb
Source Path                   /usr/bin/gdb
Port                          <Unknown>
Host                          hubmaier.ceplovi.cz
Source RPM Packages           gdb-6.7.50.20080227-3.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-17.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz
                              2.6.25-0.121.rc5.git4.fc9 #1 SMP Fri Mar 14
                              22:50:25 EDT 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 17 Mar 2008 14:58:09 CET
Last Seen                     Wed 19 Mar 2008 18:43:24 CET
Local ID                      3b633921-807b-45c8-bc2e-cd9115a87720
Line Numbers                  

Raw Audit Messages            

host=hubmaier.ceplovi.cz type=AVC msg=audit(1205948604.304:1994): avc:  denied 
{ read } for  pid=13737 comm="gdb" name="waitpid.c" dev=dm-1 ino=103845
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:src_t:s0 tclass=file

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1205948604.304:1994):
arch=c000003e syscall=2 success=no exit=-13 a0=7fff505d8890 a1=0 a2=ffffffff
a3=0 items=0 ppid=13736 pid=13737 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdb"
exe="/usr/bin/gdb" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


Comment 3 Daniel Walsh 2008-03-20 09:15:38 EDT
The problem here is that you managed to log in via gdm without a transition.

So you are attempting to run all of the login programs as xdm_t. The question
is why you were able to log in without transitioning to another domain.

Did you modify your PAM configuration?
Is your system labeled correctly?
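Walsh's point above is that the subject, not the object, is wrong: gdb has no business running in xdm_t, so the allow rules that audit2allow would synthesize from these denials would only paper over a missing domain transition and hand the whole login session xdm_t's privileges plus whatever is added. The following added example (my code, not part of this report or of the selinux-policy package) parses the raw AVC records quoted in the description and comments 1 and 2, merges them into the allow rules a local module would need, and separately flags any program that was denied while running in a domain it is not expected to occupy. The set of programs expected in xdm_t is an assumption made for the example, not something the policy states.

```python
import re
from collections import defaultdict

# AVC records copied from the raw audit messages in this report (description and
# comments 1-2), re-joined onto one line each because sealert wraps them.
AVC_LINES = [
    'host=hubmaier.ceplovi.cz type=AVC msg=audit(1205948604.112:1991): avc:  denied '
    '{ write } for  pid=13737 comm="gdb" name="rpm" dev=dm-8 ino=867411 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir',
    'host=hubmaier.ceplovi.cz type=AVC msg=audit(1205948604.178:1993): avc:  denied '
    '{ getattr } for  pid=13737 comm="gdb" '
    'path="/usr/src/debug/glibc-20080305T0857/sysdeps/unix/sysv/linux/waitpid.c" '
    'dev=dm-1 ino=103845 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:src_t:s0 tclass=file',
    'host=hubmaier.ceplovi.cz type=AVC msg=audit(1205948604.304:1994): avc:  denied '
    '{ read } for  pid=13737 comm="gdb" name="waitpid.c" dev=dm-1 ino=103845 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:src_t:s0 tclass=file',
]

# "avc:  denied  { perms } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
                    r'\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines (SYSCALL etc.)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'result': m.group('result'),
        'perms': frozenset(m.group('perms').split()),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'comm': fields.get('comm'),
        'stype': fields['scontext'].split(':')[2],   # type field of the process context
        'ttype': fields['tcontext'].split(':')[2],   # type field of the object context
        'tclass': fields['tclass'],
        'target': fields.get('path') or fields.get('name'),
    }


def group_denials(lines):
    """Merge denied permissions per (source type, target type, class), the same
    grouping audit2allow uses when it emits allow rules."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            groups[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return {k: tuple(sorted(v)) for k, v in groups.items()}


def allow_rules(groups):
    """Render the allow rules a local policy module would need for these denials."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(groups.items())]


# Assumption for this example: only the display manager itself should be running
# in xdm_t. Anything else denied there is a session that never left the login domain.
EXPECTED_IN_DOMAIN = {'xdm_t': {'gdm-binary', 'gdm'}}


def unexpected_subjects(lines, expected=EXPECTED_IN_DOMAIN):
    """Return {domain: {comm, ...}} for programs seen in a domain they should not occupy.
    A non-empty result means the fix is the missing transition, not an allow rule."""
    found = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['stype'] in expected and rec['comm'] not in expected[rec['stype']]:
            found[rec['stype']].add(rec['comm'])
    return dict(found)


if __name__ == '__main__':
    for rule in allow_rules(group_denials(AVC_LINES)):
        print(rule)
    print('unexpected subjects:', unexpected_subjects(AVC_LINES))
```

Feed it `ausearch -m avc` output from a real box instead of the embedded lines. For this report it prints two rules, `allow xdm_t rpm_var_lib_t:dir { write };` and `allow xdm_t src_t:file { getattr read };`, and then reports gdb as an unexpected subject in xdm_t, which is the signal to stop and look at the login path rather than load the rules.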
Comment 4 Matěj Cepl 2008-03-20 12:30:12 EDT
I have never ever touched anything in /etc/pam.d/. Period. I am scared of
whatever is there, and I hope I will never need to see it.

[root@hubmaier ~]# rpm -qf /etc/pam.d/* |xargs rpm -V |grep '/etc/pam.d/'
prelink: /usr/libexec/gnome-screensaver-gl-helper: at least one of file's
dependencies has changed since prelinking
[root@hubmaier ~]# 

Well, I will relabel again, but I did it last week.
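The `rpm -V` check above only proves the PAM files match the package; it does not say whether the display manager's session stack actually contains the pam_selinux lines that set the context for the user session (pam_selinux.so with `open` sets the context the session runs under, and without it the login keeps the display manager's xdm_t). The following added example (my code, not from the report or from Fedora) parses a PAM service file and reports whether the session stack carries both the `close` and `open` pam_selinux entries. Both stacks embedded in it are constructed for the example, not copies of the Fedora 9 gdm file.

```python
import re

# Constructed /etc/pam.d/gdm-style stacks for this example (not the Fedora files):
# one with the pam_selinux session lines, one where they were commented out.
GOOD_STACK = """\
#%PAM-1.0
auth       required    pam_env.so
auth       include     system-auth
account    include     system-auth
password   include     system-auth
session    required    pam_selinux.so close
session    required    pam_loginuid.so
session    required    pam_selinux.so open
session    optional    pam_keyinit.so force revoke
session    include     system-auth
"""

BROKEN_STACK = """\
#%PAM-1.0
auth       required    pam_env.so
auth       include     system-auth
account    include     system-auth
password   include     system-auth
#session    required    pam_selinux.so close
session    required    pam_loginuid.so
#session    required    pam_selinux.so open
session    include     system-auth
"""

# type  control  module  [args...]; control may be a bracketed [success=1 ...] form
LINE_RE = re.compile(r'^(?P<type>auth|account|password|session)\s+'
                     r'(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$')


def parse_pam(text):
    """Return (type, control, module, args) tuples, skipping blank and comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # commented-out lines disappear here
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append((m['type'], m['control'], m['module'], m['args'].split()))
    return entries


def check_selinux_session(text):
    """Return findings about the session stack; an empty list means both the
    pam_selinux.so close and open entries are present."""
    seen = set()
    for typ, _control, module, args in parse_pam(text):
        if typ == 'session' and module == 'pam_selinux.so':
            seen.update(a for a in args if a in ('open', 'close'))
    findings = []
    for phase in ('close', 'open'):
        if phase not in seen:
            findings.append(f'pam_selinux.so {phase} missing from session stack')
    return findings


if __name__ == '__main__':
    for name, stack in (('good', GOOD_STACK), ('broken', BROKEN_STACK)):
        print(name, check_selinux_session(stack) or 'ok')
```

On a live system read `/etc/pam.d/gdm` (or whichever service the display manager uses) and pass its contents to `check_selinux_session`; a finding there explains an xdm_t session without any policy bug being involved.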
Comment 5 Daniel Walsh 2008-04-07 22:32:36 EDT
I think we fixed these problems while I was in Brno and got your machine
properly set up.

Closing as Notabug.
