I know use of gdb is questionable for staff_u to say the least, OTOH this AVC denial was caused by bug-buddy when collecting information about a crashing application (ekiga in this case). Aren't normal users supposed to do at least that?

-----

SELinux is preventing gdb (staff_t) "read" src_t.

Detailed Description:

[SELinux is in permissive mode; the operation would have been denied, but was allowed because of permissive mode.]

SELinux denied access requested by gdb. It is not expected that this access is required by gdb and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target Context                system_u:object_r:src_t:s0
Target Objects                waitpid.c [ file ]
Source                        gdb
Source Path                   /usr/bin/gdb
Port                          <Unknown>
Host                          viklef.ceplovi.cz
Source RPM Packages           gdb-6.8.50.20090302-21.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-34.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     viklef.ceplovi.cz
Platform                      Linux viklef.ceplovi.cz 2.6.29.2-126.fc11.x86_64 #1 SMP Mon May 4 04:46:15 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Tue 12 May 2009, 11:08:51 CEST
Last Seen                     Tue 12 May 2009, 11:08:51 CEST
Local ID                      01d4c171-496b-45d1-bdcf-56c6032485e2
Line Numbers

Raw Audit Messages

node=viklef.ceplovi.cz type=AVC msg=audit(1242119331.93:70): avc: denied { read } for pid=6210 comm="gdb" name="waitpid.c" dev=dm-0 ino=191512 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:src_t:s0 tclass=file
node=viklef.ceplovi.cz type=AVC msg=audit(1242119331.93:70): avc: denied { open } for pid=6210 comm="gdb" name="waitpid.c" dev=dm-0 ino=191512 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:src_t:s0 tclass=file
node=viklef.ceplovi.cz type=SYSCALL msg=audit(1242119331.93:70): arch=c000003e syscall=2 success=no exit=307027928 a0=7fff997dc000 a1=0 a2=7fff997dbf60 a3=0 items=0 ppid=1 pid=6210 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="gdb" exe="/usr/bin/gdb" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.12-35.fc11.noarch
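The two-command workaround above pipes the AVC records through audit2allow, which turns each denied (source type, target type, class) triple into an allow rule. The following script is an added illustration of that derivation, written for this page and not part of the bug report, of audit2allow, or of the selinux-policy package; it parses the three raw audit messages quoted in the report (embedded here as sample input), keeps only the AVC records, groups the denied permissions, and renders the rule audit2allow would propose. The field-order regex and the helper names are this example's own assumptions; the real tool additionally maps rules onto policy interfaces and handles many more record kinds.

```python
import re
from collections import defaultdict

# Sample input: the raw audit messages quoted in the report above, one record
# per line as they appear in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
node=viklef.ceplovi.cz type=AVC msg=audit(1242119331.93:70): avc: denied { read } for pid=6210 comm="gdb" name="waitpid.c" dev=dm-0 ino=191512 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:src_t:s0 tclass=file
node=viklef.ceplovi.cz type=AVC msg=audit(1242119331.93:70): avc: denied { open } for pid=6210 comm="gdb" name="waitpid.c" dev=dm-0 ino=191512 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:src_t:s0 tclass=file
node=viklef.ceplovi.cz type=SYSCALL msg=audit(1242119331.93:70): arch=c000003e syscall=2 success=no exit=307027928 a0=7fff997dc000 a1=0 a2=7fff997dbf60 a3=0 items=0 ppid=1 pid=6210 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="gdb" exe="/usr/bin/gdb" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
"""

# Assumed field order for an AVC record: verdict and permission set first,
# then comm, scontext, tcontext and tclass. This matches the records above.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def parse_avc(log_text):
    """Return one dict per AVC record; other record types (SYSCALL, ...) are skipped."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()  # "{ read }" -> ["read"]
        records.append(rec)
    return records


def context_type(ctx):
    """Extract the type field from user:role:type[:range]."""
    return ctx.split(":")[2]


def summarize_denials(records):
    """Group denied permissions by (source type, target type, object class).

    Returns {(stype, ttype, tclass): sorted list of permissions}.
    """
    grouped = defaultdict(set)
    for rec in records:
        if rec["verdict"] != "denied":
            continue
        key = (context_type(rec["scontext"]),
               context_type(rec["tcontext"]),
               rec["tclass"])
        grouped[key].update(rec["perms"])
    return {k: sorted(v) for k, v in grouped.items()}


def allow_rules(summary):
    """Render each grouped denial in the allow-rule form audit2allow emits."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};"
        for (stype, ttype, tclass), perms in sorted(summary.items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(summarize_denials(parse_avc(SAMPLE_AUDIT_LOG))):
        print(rule)
```

For the records in this report the script prints `allow staff_t src_t:file { open read };`, which is exactly what the local module `mypol` grants. Note that the rule widens what every staff_t process may do with src_t files, not just gdb, which is why the interim module is only a stopgap until the fixed selinux-policy build named in the comment is installed.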
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping