Bug 518392 - SELinux prevents debuginfo-install from running
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: abrt
Version: rawhide
Hardware: All
OS: Linux
low
medium
Assignee: Jiri Moskovcak
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-08-20 09:00 UTC by Tim Waugh
Modified: 2015-02-01 22:48 UTC
Doc Type: Bug Fix
Last Closed: 2009-08-24 08:53:49 UTC

Description Tim Waugh 2009-08-20 09:00:20 UTC
Description of problem:
I got 40 AVC messages when trying to report a crash, all of this type:

node=worm.elk type=AVC msg=audit(1250757169.719:24465): avc: denied { rename } for pid=2114 comm="debuginfo-insta" name="from_repo.tmp" dev=dm-5 ino=157272 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file

You can't run that program from the initrc_t domain.

Version-Release number of selected component (if applicable):
abrt-0.0.7.1-1.fc12.x86_64

How reproducible:
Don't know.

Similarly, abrt is trying to do all sorts of things it can't do in the initrc_t domain:

node=worm.elk type=AVC msg=audit(1250757314.191:24466): avc: denied { add_name } for pid=1437 comm="abrt" name="abrt-db-journal" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir

Comment 1 Denys Vlasenko 2009-08-20 10:47:16 UTC
Any idea what this last message means? "Can't create 'abrt-db-journal' file" or something else?

Comment 2 Zdenek Prikryl 2009-08-20 10:54:56 UTC
imho, abrt-db-journal is created by sqlite3 during a sql transaction.

Comment 3 Tim Waugh 2009-08-20 10:59:13 UTC
The problem is that abrt is not running in an SELinux context that is allowed to write to directories with the rpm_var_lib_t SELinux file context label.

Looks like abrt doesn't have any SELinux policy written at all?
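
Added example, not part of the bug thread and not code from abrt or selinux-policy: a small Python parser for the AVC records quoted in the description. It groups denials by command, source type, target type, class and permission, and lists the commands whose denials came from the initrc_t domain, the situation this comment describes. The third record is constructed, and all function names are this example's own.

```python
import re
from collections import Counter

RECORDS = [
    # First two records are quoted in the bug description; the third is a
    # constructed repeat of the first (the reporter saw 40 of that type).
    'node=worm.elk type=AVC msg=audit(1250757169.719:24465): avc: denied { rename } for pid=2114 comm="debuginfo-insta" name="from_repo.tmp" dev=dm-5 ino=157272 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file',
    'node=worm.elk type=AVC msg=audit(1250757314.191:24466): avc: denied { add_name } for pid=1437 comm="abrt" name="abrt-db-journal" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir',
    'node=worm.elk type=AVC msg=audit(1250757169.720:99999): avc: denied { rename } for pid=2114 comm="debuginfo-insta" name="from_repo.tmp" dev=dm-5 ino=157272 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one audit AVC record into a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if 'type=AVC' not in line or not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    return {
        'result': m.group(1),
        'perms': m.group(2).split(),
        'comm': kv.get('comm', '?'),
        'source': se_type(kv.get('scontext', '')),
        'target': se_type(kv.get('tcontext', '')),
        'tclass': kv.get('tclass', '?'),
    }

def summarize(lines):
    """Count denials per (comm, source type, target type, class, perm)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        if rec['result'] == 'denied':
            for perm in rec['perms']:
                counts[(rec['comm'], rec['source'], rec['target'], rec['tclass'], perm)] += 1
    return counts

def stuck_in_domain(counts, domain='initrc_t'):
    """Commands whose denials came from processes running in `domain`."""
    return sorted({comm for comm, src, *_ in counts if src == domain})

if __name__ == '__main__':
    print(summarize(RECORDS), stuck_in_domain(summarize(RECORDS)))
```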

Comment 4 Daniel Novotny 2009-08-21 11:45:25 UTC
cc-ing mgrepl, who sent us his abrt policy for testing

Comment 5 Daniel Novotny 2009-08-24 08:53:49 UTC
fixed by the newest selinux-policy in rawhide

