Bug 539566 - SELinux is preventing abrt-pyhook-hel "read write" access on 1.
Summary: SELinux is preventing abrt-pyhook-hel "read write" access on 1.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: abrt
Version: 12
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Karel Klíč
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:f6448da7cc7...
: 541488 541671 541720 542079 542574 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-11-20 15:46 UTC by Michal Nowak
Modified: 2013-03-08 02:07 UTC (History)
16 users (show)

Fixed In Version: abrt-1.1.13-1.fc12
Clone Of:
Environment:
Last Closed: 2010-08-17 05:27:46 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Michal Nowak 2009-11-20 15:46:20 UTC 
Summary:

SELinux is preventing abrt-pyhook-hel "read write" access on 1.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by abrt-pyhook-hel. It is not expected that this
access is required by abrt-pyhook-hel and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:unconfined_r:abrt_helper_t:s0
Target Context                unconfined_u:object_r:user_devpts_t:s0
Target Objects                1 [ chr_file ]
Source                        abrt-pyhook-hel
Source Path                   abrt-pyhook-hel
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-46.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14
                              EST 2009 x86_64 x86_64
Alert Count                   5
First Seen                    Fri 20 Nov 2009 04:46:46 PM CET
Last Seen                     Fri 20 Nov 2009 04:46:46 PM CET
Local ID                      74b96abf-cfa0-48f0-bd0c-56f01d7a92ae
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1258732006.370:2998): avc:  denied  { read write } for  pid=19874 comm="abrt-pyhook-hel" name="1" dev=devpts ino=4 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file

node=(removed) type=AVC msg=audit(1258732006.370:2998): avc:  denied  { read write } for  pid=19874 comm="abrt-pyhook-hel" path="socket:[22471039]" dev=sockfs ino=22471039 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_dgram_socket

node=(removed) type=AVC msg=audit(1258732006.370:2998): avc:  denied  { read } for  pid=19874 comm="abrt-pyhook-hel" path=2F746D702F666669635073746A67202864656C6574656429 dev=dm-1 ino=2048806 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1258732006.370:2998): avc:  denied  { write } for  pid=19874 comm="abrt-pyhook-hel" path="/home/newman/tmp/gold-rebuild/package_cache/builddeps/bzip2-1.0.5-6.fc12.src.rpm" dev=dm-1 ino=2304621 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1258732006.370:2998): avc:  denied  { read write } for  pid=19874 comm="abrt-pyhook-hel" path="socket:[22472602]" dev=sockfs ino=22472602 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=tcp_socket



Hash String generated from  selinux-policy-3.6.32-46.fc12,catchall,abrt-pyhook-hel,abrt_helper_t,user_devpts_t,chr_file,read,write
audit2allow suggests:

#============= abrt_helper_t ==============
allow abrt_helper_t unconfined_t:tcp_socket { read write };
allow abrt_helper_t unconfined_t:unix_dgram_socket { read write };
allow abrt_helper_t user_devpts_t:chr_file { read write };
allow abrt_helper_t user_home_t:file write;
allow abrt_helper_t user_tmp_t:file read;
Comment 1 Michal Nowak 2009-11-20 15:49:48 UTC 
I had yumdownloader downloading srpms, then I pressed Ctrl+S to stop the output, then Ctrl+C and then Ctrl+Q to enable output from yumdownloader. But un-handled exception occurred:

brltty-4.1-3.fc12.src.rpm                                                                                                             | 2.0 MB     00:02     
btrfs-progs-0.19-9.fc12.src.rpm                                                                                                       | 132 kB     00:01     
^CTraceback (most recent call last):                            68% [=====================================                 ] 238 kB/s | 574 kB     00:01 ETA 
  File "/usr/lib/python2.6/site-packages/urlgrabber/grabber.py", line 1534, in _progress_update
    self.opts.progress_obj.update(downloaded)
  File "/usr/share/yum-cli/output.py", line 68, in update
    TextMeter.update(self, amount_read, now)
  File "/usr/lib/python2.6/site-packages/urlgrabber/progress.py", line 141, in update
    self._do_update(amount_read, now)
  File "/usr/lib/python2.6/site-packages/urlgrabber/progress.py", line 271, in _do_update
    self.fo.flush()
IOError: [Errno 4] Interrupted system call
+ echo 'Error: Failed to download SRPM packages, investigate'
Error: Failed to download SRPM packages, investigate
+ exit 1


(yumdownloader was running inside bash script actually)

abrt-applet popped up as well as AVC msg.
Comment 2 Daniel Walsh 2009-11-20 17:07:06 UTC 
This is the problem with the abrt helper.  It is causing SELinux to report all sorts of leaks.  Applications don't expect to be doing a fork/exec and thus don't close file descriptors on exec.  When they crash SELinux closes all sorts of file descriptors, that I don't want to close.  Can't we write this as a unix domain socket that will just accept connections.
Comment 3 Miroslav Grepl 2009-11-27 13:17:39 UTC 
*** Bug 541671 has been marked as a duplicate of this bug. ***
Comment 4 Miroslav Grepl 2009-11-27 13:18:51 UTC 
*** Bug 541488 has been marked as a duplicate of this bug. ***
Comment 5 Miroslav Grepl 2009-11-27 13:20:20 UTC 
*** Bug 541720 has been marked as a duplicate of this bug. ***
Comment 6 Miroslav Grepl 2009-11-30 12:01:55 UTC 
*** Bug 542574 has been marked as a duplicate of this bug. ***
Comment 7 Miroslav Grepl 2009-11-30 12:04:02 UTC 
*** Bug 542079 has been marked as a duplicate of this bug. ***
Comment 8 Karel Klíč 2010-06-09 15:36:50 UTC 
Uncaught Python exceptions are now sent to ABRT daemon via socket.
Fixed in upstream git.
SELinux policy has been updated by Mirek Grepl.
Comment 9 Fedora Update System 2010-08-11 11:08:38 UTC 
abrt-1.1.13-1.fc14 has been submitted as an update for Fedora 14.
http://admin.fedoraproject.org/updates/abrt-1.1.13-1.fc14
Comment 10 Fedora Update System 2010-08-12 12:57:23 UTC 
abrt-1.1.13-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/abrt-1.1.13-1.fc13
Comment 11 Fedora Update System 2010-08-12 19:51:39 UTC 
abrt-1.1.13-1.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update abrt'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/abrt-1.1.13-1.fc14
Comment 12 Fedora Update System 2010-08-16 14:06:01 UTC 
abrt-1.1.13-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/abrt-1.1.13-1.fc12
Comment 13 Fedora Update System 2010-08-17 05:26:16 UTC 
abrt-1.1.13-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2010-08-20 13:30:35 UTC 
abrt-1.1.13-2.fc14 has been submitted as an update for Fedora 14.
http://admin.fedoraproject.org/updates/abrt-1.1.13-2.fc14
Comment 15 Fedora Update System 2010-08-24 01:11:12 UTC 
abrt-1.1.13-2.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2010-08-24 21:16:54 UTC 
abrt-1.1.13-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.