Summary: SELinux is preventing the /usr/bin/abrt-pyhook-helper from using potentially mislabeled files (/tmp/calibre_0.6.25_wOsyUq_worker_redirect.log (deleted)). Detailed Description: [abrt-pyhook-hel has a permissive type (abrt_helper_t). This access was not denied.] SELinux has denied abrt-pyhook-hel access to potentially mislabeled file(s) (/tmp/calibre_0.6.25_wOsyUq_worker_redirect.log (deleted)). This means that SELinux will not allow abrt-pyhook-hel to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access. Allowing Access: If you want abrt-pyhook-hel to access this files, you need to relabel them using restorecon -v '/tmp/calibre_0.6.25_wOsyUq_worker_redirect.log (deleted)'. You might want to relabel the entire directory using restorecon -R -v '/tmp'. Additional Information: Source Context unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c 1023 Target Context unconfined_u:object_r:user_tmp_t:s0 Target Objects /tmp/calibre_0.6.25_wOsyUq_worker_redirect.log (deleted) [ file ] Source abrt-pyhook-hel Source Path /usr/bin/abrt-pyhook-helper Port <Unknown> Host (removed) Source RPM Packages abrt-addon-python-1.0.0-1.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-49.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name home_tmp_bad_labels Host Name (removed) Platform Linux (removed) 2.6.31.6-145.fc12.x86_64 #1 SMP Sat Nov 21 15:57:45 EST 2009 x86_64 x86_64 Alert Count 6 First Seen Fri 04 Dec 2009 01:11:09 EST Last Seen Fri 04 Dec 2009 01:11:09 EST Local ID 8ebfd817-b1e0-4f76-92f2-41e7ec7bcfc7 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1259849469.84:665): avc: denied { read } for pid=24358 comm="abrt-pyhook-hel" path=2F746D702F63616C696272655F302E362E32355F774F737955715F776F726B65725F72656469726563742E6C6F67202864656C6574656429 dev=dm-0 ino=2269862 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file node=(removed) type=AVC msg=audit(1259849469.84:665): avc: denied { read } for pid=24358 comm="abrt-pyhook-hel" path="/proc/23580/status" dev=proc ino=139768 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file node=(removed) type=AVC msg=audit(1259849469.84:665): avc: denied { write } for pid=24358 comm="abrt-pyhook-hel" path=2F686F6D652F62626165747A2F2E63616C696272655F63616C69627265204755492E6C6F636B202864656C6574656429 dev=dm-3 ino=181734 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file node=(removed) type=AVC msg=audit(1259849469.84:665): avc: denied { read write } for pid=24358 comm="abrt-pyhook-hel" path="socket:[139799]" dev=sockfs ino=139799 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=(removed) type=AVC msg=audit(1259849469.84:665): avc: denied { append } for pid=24358 comm="abrt-pyhook-hel" path="/home/bbaetz/.config/calibre/server_error_log.txt" dev=dm-3 ino=1190498 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:gnome_home_t:s0 tclass=file node=(removed) type=AVC msg=audit(1259849469.84:665): avc: denied { read write } for pid=24358 comm="abrt-pyhook-hel" path="socket:[139837]" dev=sockfs ino=139837 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=udp_socket node=(removed) type=SYSCALL msg=audit(1259849469.84:665): arch=c000003e syscall=59 success=yes exit=0 a0=1b66330 a1=14919e0 a2=7fff7d55eb70 a3=61702d657262696c items=0 ppid=23631 pid=24358 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=473 sgid=473 fsgid=473 tty=(none) ses=1 comm="abrt-pyhook-hel" exe="/usr/bin/abrt-pyhook-helper" subj=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 key=(null) Hash String generated from selinux-policy-3.6.32-49.fc12,home_tmp_bad_labels,abrt-pyhook-hel,abrt_helper_t,user_tmp_t,file,read audit2allow suggests: #============= abrt_helper_t ============== allow abrt_helper_t gnome_home_t:file append; allow abrt_helper_t unconfined_t:file read; allow abrt_helper_t unconfined_t:udp_socket { read write }; allow abrt_helper_t unconfined_t:unix_stream_socket { read write }; allow abrt_helper_t user_home_t:file write; allow abrt_helper_t user_tmp_t:file read;
To reproduce, start calibre 0.6.25-1 and then quit it using the tray icon (have filed bug on that) The worker_redirect_log files in a running instance have type unconfined_u:object_r:user_tmp_t:s0 However, I also get the below error - something leaking fds? (And the same error for /usr/share/X11/locale/compose.dir) SELinux is preventing /usr/bin/abrt-pyhook-helper "read" access on /usr/share/X11/locale/en_US.UTF-8/Compose. Detailed Description: [abrt-pyhook-hel has a permissive type (abrt_helper_t). This access was not denied.] SELinux denied access requested by abrt-pyhook-hel. It is not expected that this access is required by abrt-pyhook-hel and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c 1023 Target Context system_u:object_r:locale_t:s0 Target Objects /usr/share/X11/locale/en_US.UTF-8/Compose [ file ] Source abrt-pyhook-hel Source Path /usr/bin/abrt-pyhook-helper Port <Unknown> Host plum.home Source RPM Packages abrt-addon-python-1.0.0-1.fc12 Target RPM Packages libX11-common-1.3-1.fc12 Policy RPM selinux-policy-3.6.32-49.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name plum.home Platform Linux plum.home 2.6.31.6-145.fc12.x86_64 #1 SMP Sat Nov 21 15:57:45 EST 2009 x86_64 x86_64 Alert Count 1 First Seen Fri 04 Dec 2009 01:12:25 EST Last Seen Fri 04 Dec 2009 01:12:25 EST Local ID 8e03b432-8e7e-4d44-85f1-968236abae4b Line Numbers Raw Audit Messages node=plum.home type=AVC msg=audit(1259849545.630:686): avc: denied { read } for pid=24553 comm="abrt-pyhook-hel" path="/usr/share/X11/locale/en_US.UTF-8/Compose" dev=dm-0 ino=1239643 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file node=plum.home type=SYSCALL msg=audit(1259849545.630:686): arch=c000003e syscall=59 success=yes exit=0 a0=187bda0 a1=1a5ae10 a2=7fff13061810 a3=61702d657262696c items=0 ppid=24497 pid=24553 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=473 sgid=473 fsgid=473 tty=pts1 ses=1 comm="abrt-pyhook-hel" exe="/usr/bin/abrt-pyhook-helper" subj=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)
The problem with abrt_helper_t is it is revealing all possible leaked file descriptors from any application that can crash. I am slowly finding and closing the leaks globaly, but it generates a lot of bogus AVC messages. Globaly dontauditing: Fixed in selinux-policy-3.6.32-54.fc12
abrt-1.0.1-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/abrt-1.0.1-1.fc12
abrt-1.0.1-1.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update abrt'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12994