Bug 500327 - (staff_u) SELinux is preventing gdb (staff_t) "read" src_t.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 11
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Keywords: SELinux
Reported: 2009-05-12 05:56 EDT by Matěj Cepl
Modified: 2009-11-18 08:09 EST
Doc Type: Bug Fix
Last Closed: 2009-11-18 08:09:35 EST
Description Matěj Cepl 2009-05-12 05:56:59 EDT
I know the use of gdb is questionable for staff_u, to say the least; OTOH, this AVC denial was caused by bug-buddy when collecting information about a crashing application (ekiga in this case). Aren't normal users supposed to do at least that?

-----
SELinux is preventing gdb (staff_t) "read" src_t.

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena
kvůli uvolněnému režimu.]

SELinux denied access requested by gdb. It is not expected that this access is
required by gdb and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Kontext cíle                 system_u:object_r:src_t:s0
Objekty cíle                 waitpid.c [ file ]
Zdroj                         gdb
Cesta zdroje                  /usr/bin/gdb
Port                          <Neznámé>
Počítač                    viklef.ceplovi.cz
RPM balíčky zdroje          gdb-6.8.50.20090302-21.fc11
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.6.12-34.fc11
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Permissive
Název zásuvného modulu     catchall
Název počítače            viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz 2.6.29.2-126.fc11.x86_64
                              #1 SMP Mon May 4 04:46:15 EDT 2009 x86_64 x86_64
Počet upozornění           2
Poprvé viděno               Út 12. květen 2009, 11:08:51 CEST
Naposledy viděno             Út 12. květen 2009, 11:08:51 CEST
Místní ID                   01d4c171-496b-45d1-bdcf-56c6032485e2
Čísla řádků              

Původní zprávy auditu      

node=viklef.ceplovi.cz type=AVC msg=audit(1242119331.93:70): avc:  denied  { read } for  pid=6210 comm="gdb" name="waitpid.c" dev=dm-0 ino=191512 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:src_t:s0 tclass=file

node=viklef.ceplovi.cz type=AVC msg=audit(1242119331.93:70): avc:  denied  { open } for  pid=6210 comm="gdb" name="waitpid.c" dev=dm-0 ino=191512 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:src_t:s0 tclass=file

node=viklef.ceplovi.cz type=SYSCALL msg=audit(1242119331.93:70): arch=c000003e syscall=2 success=no exit=307027928 a0=7fff997dc000 a1=0 a2=7fff997dbf60 a3=0 items=0 ppid=1 pid=6210 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="gdb" exe="/usr/bin/gdb" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2009-05-12 09:19:34 EDT
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.12-35.fc11.noarch
Comment 2 Bug Zapper 2009-06-09 11:40:30 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
