Bug 543923 - SELinux is preventing the /usr/bin/abrt-pyhook-helper from using potentially mislabeled files (/tmp/calibre_0.6.25_wOsyUq_worker_redirect.log (deleted)).
Summary: SELinux is preventing the /usr/bin/abrt-pyhook-helper from using potentially ...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: abrt
Version: 12
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jiri Moskovcak
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:e3a75ec5bce...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-12-03 14:15 UTC by Bradley
Modified: 2015-02-01 22:50 UTC (History)
19 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-23 12:53:47 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Bradley 2009-12-03 14:15:35 UTC
Summary:

SELinux is preventing the /usr/bin/abrt-pyhook-helper from using potentially
mislabeled files (/tmp/calibre_0.6.25_wOsyUq_worker_redirect.log (deleted)).

Detailed Description:

[abrt-pyhook-hel has a permissive type (abrt_helper_t). This access was not
denied.]

SELinux has denied abrt-pyhook-hel access to potentially mislabeled file(s)
(/tmp/calibre_0.6.25_wOsyUq_worker_redirect.log (deleted)). This means that
SELinux will not allow abrt-pyhook-hel to use these files. It is common for
users to edit files in their home directory or tmp directories and then move
(mv) them to system directories. The problem is that the files end up with the
wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want abrt-pyhook-hel to access this files, you need to relabel them using
restorecon -v '/tmp/calibre_0.6.25_wOsyUq_worker_redirect.log (deleted)'. You
might want to relabel the entire directory using restorecon -R -v '/tmp'.

Additional Information:

Source Context                unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c
                              1023
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                /tmp/calibre_0.6.25_wOsyUq_worker_redirect.log
                              (deleted) [ file ]
Source                        abrt-pyhook-hel
Source Path                   /usr/bin/abrt-pyhook-helper
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           abrt-addon-python-1.0.0-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-49.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.6-145.fc12.x86_64 #1 SMP
                              Sat Nov 21 15:57:45 EST 2009 x86_64 x86_64
Alert Count                   6
First Seen                    Fri 04 Dec 2009 01:11:09 EST
Last Seen                     Fri 04 Dec 2009 01:11:09 EST
Local ID                      8ebfd817-b1e0-4f76-92f2-41e7ec7bcfc7
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1259849469.84:665): avc:  denied  { read } for  pid=24358 comm="abrt-pyhook-hel" path=2F746D702F63616C696272655F302E362E32355F774F737955715F776F726B65725F72656469726563742E6C6F67202864656C6574656429 dev=dm-0 ino=2269862 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1259849469.84:665): avc:  denied  { read } for  pid=24358 comm="abrt-pyhook-hel" path="/proc/23580/status" dev=proc ino=139768 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file

node=(removed) type=AVC msg=audit(1259849469.84:665): avc:  denied  { write } for  pid=24358 comm="abrt-pyhook-hel" path=2F686F6D652F62626165747A2F2E63616C696272655F63616C69627265204755492E6C6F636B202864656C6574656429 dev=dm-3 ino=181734 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1259849469.84:665): avc:  denied  { read write } for  pid=24358 comm="abrt-pyhook-hel" path="socket:[139799]" dev=sockfs ino=139799 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=(removed) type=AVC msg=audit(1259849469.84:665): avc:  denied  { append } for  pid=24358 comm="abrt-pyhook-hel" path="/home/bbaetz/.config/calibre/server_error_log.txt" dev=dm-3 ino=1190498 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:gnome_home_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1259849469.84:665): avc:  denied  { read write } for  pid=24358 comm="abrt-pyhook-hel" path="socket:[139837]" dev=sockfs ino=139837 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=udp_socket

node=(removed) type=SYSCALL msg=audit(1259849469.84:665): arch=c000003e syscall=59 success=yes exit=0 a0=1b66330 a1=14919e0 a2=7fff7d55eb70 a3=61702d657262696c items=0 ppid=23631 pid=24358 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=473 sgid=473 fsgid=473 tty=(none) ses=1 comm="abrt-pyhook-hel" exe="/usr/bin/abrt-pyhook-helper" subj=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-49.fc12,home_tmp_bad_labels,abrt-pyhook-hel,abrt_helper_t,user_tmp_t,file,read
audit2allow suggests:

#============= abrt_helper_t ==============
allow abrt_helper_t gnome_home_t:file append;
allow abrt_helper_t unconfined_t:file read;
allow abrt_helper_t unconfined_t:udp_socket { read write };
allow abrt_helper_t unconfined_t:unix_stream_socket { read write };
allow abrt_helper_t user_home_t:file write;
allow abrt_helper_t user_tmp_t:file read;

Comment 1 Bradley 2009-12-03 14:21:15 UTC
To reproduce, start calibre 0.6.25-1 and then quit it using the tray icon (have filed bug on that)

The worker_redirect_log files in a running instance have type unconfined_u:object_r:user_tmp_t:s0

However, I also get the below error - something leaking fds?

(And the same error for /usr/share/X11/locale/compose.dir)

SELinux is preventing /usr/bin/abrt-pyhook-helper "read" access on
/usr/share/X11/locale/en_US.UTF-8/Compose.

Detailed Description:

[abrt-pyhook-hel has a permissive type (abrt_helper_t). This access was not
denied.]

SELinux denied access requested by abrt-pyhook-hel. It is not expected that this
access is required by abrt-pyhook-hel and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c
                              1023
Target Context                system_u:object_r:locale_t:s0
Target Objects                /usr/share/X11/locale/en_US.UTF-8/Compose [ file ]
Source                        abrt-pyhook-hel
Source Path                   /usr/bin/abrt-pyhook-helper
Port                          <Unknown>
Host                          plum.home
Source RPM Packages           abrt-addon-python-1.0.0-1.fc12
Target RPM Packages           libX11-common-1.3-1.fc12
Policy RPM                    selinux-policy-3.6.32-49.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     plum.home
Platform                      Linux plum.home 2.6.31.6-145.fc12.x86_64 #1 SMP
                              Sat Nov 21 15:57:45 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 04 Dec 2009 01:12:25 EST
Last Seen                     Fri 04 Dec 2009 01:12:25 EST
Local ID                      8e03b432-8e7e-4d44-85f1-968236abae4b
Line Numbers                  

Raw Audit Messages            

node=plum.home type=AVC msg=audit(1259849545.630:686): avc:  denied  { read } for  pid=24553 comm="abrt-pyhook-hel" path="/usr/share/X11/locale/en_US.UTF-8/Compose" dev=dm-0 ino=1239643 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file

node=plum.home type=SYSCALL msg=audit(1259849545.630:686): arch=c000003e syscall=59 success=yes exit=0 a0=187bda0 a1=1a5ae10 a2=7fff13061810 a3=61702d657262696c items=0 ppid=24497 pid=24553 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=473 sgid=473 fsgid=473 tty=pts1 ses=1 comm="abrt-pyhook-hel" exe="/usr/bin/abrt-pyhook-helper" subj=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)

Comment 2 Daniel Walsh 2009-12-03 15:22:45 UTC
The problem with abrt_helper_t is it is revealing all possible leaked file descriptors from any application that can crash.

I am slowly finding and closing the leaks globaly, but it generates a lot of bogus AVC messages.

Globaly dontauditing:

Fixed in selinux-policy-3.6.32-54.fc12

Comment 3 Fedora Update System 2009-12-08 18:50:03 UTC
abrt-1.0.1-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/abrt-1.0.1-1.fc12

Comment 4 Fedora Update System 2009-12-10 04:21:54 UTC
abrt-1.0.1-1.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update abrt'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12994


Note You need to log in before you can comment on or make changes to this bug.