Bug 500327 - (staff_u) SELinux is preventing gdb (staff_t) "read" src_t.
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 11
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2009-05-12 09:56 UTC by Matěj Cepl
Modified: 2018-04-11 11:44 UTC (History)
Doc Type: Bug Fix
Last Closed: 2009-11-18 13:09:35 UTC

Description Matěj Cepl 2009-05-12 09:56:59 UTC
I know use of gdb is questionable for staff_u, to say the least; OTOH, this AVC denial was caused by bug-buddy when collecting information about a crashing application (ekiga in this case). Aren't normal users supposed to do at least that?

-----
SELinux is preventing gdb (staff_t) "read" src_t.

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena
kvůli uvolněnému režimu.]

SELinux denied access requested by gdb. It is not expected that this access is
required by gdb and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Kontext cíle                 system_u:object_r:src_t:s0
Objekty cíle                 waitpid.c [ file ]
Zdroj                         gdb
Cesta zdroje                  /usr/bin/gdb
Port                          <Neznámé>
Počítač                    viklef.ceplovi.cz
RPM balíčky zdroje          gdb-6.8.50.20090302-21.fc11
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.6.12-34.fc11
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Permissive
Název zásuvného modulu     catchall
Název počítače            viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz 2.6.29.2-126.fc11.x86_64
                              #1 SMP Mon May 4 04:46:15 EDT 2009 x86_64 x86_64
Počet upozornění           2
Poprvé viděno               Út 12. květen 2009, 11:08:51 CEST
Naposledy viděno             Út 12. květen 2009, 11:08:51 CEST
Místní ID                   01d4c171-496b-45d1-bdcf-56c6032485e2
Čísla řádků              

Původní zprávy auditu      

node=viklef.ceplovi.cz type=AVC msg=audit(1242119331.93:70): avc:  denied  { read } for  pid=6210 comm="gdb" name="waitpid.c" dev=dm-0 ino=191512 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:src_t:s0 tclass=file

node=viklef.ceplovi.cz type=AVC msg=audit(1242119331.93:70): avc:  denied  { open } for  pid=6210 comm="gdb" name="waitpid.c" dev=dm-0 ino=191512 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:src_t:s0 tclass=file

node=viklef.ceplovi.cz type=SYSCALL msg=audit(1242119331.93:70): arch=c000003e syscall=2 success=no exit=307027928 a0=7fff997dc000 a1=0 a2=7fff997dbf60 a3=0 items=0 ppid=1 pid=6210 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="gdb" exe="/usr/bin/gdb" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2009-05-12 13:19:34 UTC
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.12-35.fc11.noarch
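
Added example, not part of the comment above or of the selinux-policy project: the `grep avc ... | audit2allow -M mypol` pipeline turns every AVC denial in the audit log into allow rules, so it is worth previewing which rules a set of records implies before loading the module. This Python sketch parses the two AVC records from the description plus one constructed, unrelated denial (the `exampled` and `example_t` names are hypothetical) and shows how filtering on `comm` narrows the result.

```python
import re
from collections import defaultdict

# First two records are the AVC lines from the bug description; the third is
# constructed (hypothetical names) to stand in for an unrelated denial in the log.
SAMPLE_LOG = """\
node=viklef.ceplovi.cz type=AVC msg=audit(1242119331.93:70): avc:  denied  { read } for  pid=6210 comm="gdb" name="waitpid.c" dev=dm-0 ino=191512 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:src_t:s0 tclass=file
node=viklef.ceplovi.cz type=AVC msg=audit(1242119331.93:70): avc:  denied  { open } for  pid=6210 comm="gdb" name="waitpid.c" dev=dm-0 ino=191512 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:src_t:s0 tclass=file
node=example.invalid type=AVC msg=audit(1242119400.10:71): avc:  denied  { write } for  pid=7001 comm="exampled" name="example.conf" dev=dm-0 ino=42 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def allow_rules(log_text, comm=None):
    """Merge denied permissions per (source type, target type, class) into allow rules."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm and m["comm"] != comm):
            continue  # not an AVC denial, or from a process we are not reviewing
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        names = sorted(perms)
        perm_s = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_s};")
    return rules

if __name__ == "__main__":
    print("whole log:", *allow_rules(SAMPLE_LOG), sep="\n  ")
    print("gdb only: ", *allow_rules(SAMPLE_LOG, comm="gdb"), sep="\n  ")
```

On a real system the same scoping is done by feeding audit2allow only the relevant records, for example from `ausearch -m avc -c gdb`, and reading the generated `mypol.te` before running `semodule -i mypol.pp`.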

Comment 2 Bug Zapper 2009-06-09 15:40:30 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

