Bug 550523 - SELinux is preventing /usr/sbin/abrtd (deleted) "write" access on /etc/abrt.
Status: CLOSED DUPLICATE of bug 546152
Alias: None
Product: Fedora
Classification: Fedora
Component: abrt
Version: 12
Hardware: i386
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Jiri Moskovcak
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:7f98012e3f6...
Duplicates: 550574 551782 553237 553823
Reported: 2009-12-25 20:22 UTC by mamii
Modified: 2015-02-01 22:50 UTC

Doc Type: Bug Fix
Last Closed: 2010-01-15 13:46:09 UTC

Description mamii 2009-12-25 20:22:42 UTC
Summary:

SELinux is preventing /usr/sbin/abrtd (deleted) "write" access on /etc/abrt.

Detailed Description:

[abrtd has a permissive type (abrt_t). This access was not denied.]

SELinux denied access requested by abrtd. It is not expected that this access is
required by abrtd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:abrt_etc_t:s0
Target Objects                /etc/abrt [ dir ]
Source                        abrtd
Source Path                   /usr/sbin/abrtd (deleted)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           abrt-1.0.2-1.fc12
Policy RPM                    selinux-policy-3.6.32-63.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.9-174.fc12.i686.PAE #1
                              SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686
Alert Count                   3
First Seen                    الخميس 24 كانون الأول 2009
                              20:55:05
Last Seen                     الخميس 24 كانون الأول 2009
                              20:55:05
Local ID                      7ff468f8-b2ac-4496-a0c3-ce37b349b398
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1261684505.50:24581): avc:  denied  { write } for  pid=1527 comm="abrtd" name="abrt" dev=dm-0 ino=23447 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1261684505.50:24581): avc:  denied  { add_name } for  pid=1527 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1261684505.50:24581): avc:  denied  { create } for  pid=1527 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1261684505.50:24581): arch=40000003 syscall=5 success=yes exit=9 a0=2a80c9 a1=8241 a2=1b6 a3=3172629 items=0 ppid=1 pid=1527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe=2F7573722F7362696E2F6162727464202864656C6574656429 subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-63.fc12,catchall,abrtd,abrt_t,abrt_etc_t,dir,write
audit2allow suggests:
audit2allow is not installed.

Comment 1 Daniel Walsh 2010-01-04 14:47:20 UTC
*** Bug 551782 has been marked as a duplicate of this bug. ***

Comment 2 Jiri Moskovcak 2010-01-06 09:15:51 UTC
Many users are going to see this AVC when updating from 1.0.0 because I pushed a new version to stable yesterday.

Comment 3 Jiri Moskovcak 2010-01-07 14:06:54 UTC
*** Bug 553237 has been marked as a duplicate of this bug. ***

Comment 4 Nicola Soranzo 2010-01-08 00:15:15 UTC
*** Bug 550574 has been marked as a duplicate of this bug. ***

Comment 5 Jiri Moskovcak 2010-01-11 14:26:20 UTC
*** Bug 553823 has been marked as a duplicate of this bug. ***

Comment 6 Bob Goodwin 2010-01-13 20:49:15 UTC
I am seeing this same problem after today's F-12 update. I have seen no SELinux warnings before this.

Linux box6 2.6.31.9-174.fc12.x86_64 #1 SMP Mon Dec 21 05:33:33 UTC 2009 x86_64 x86_64 x86_64 GNU/Linux

Comment 9 Daniel Walsh 2010-01-15 13:46:09 UTC

*** This bug has been marked as a duplicate of bug 546152 ***

Comment 10 Spyros C. Kouris 2010-01-30 05:15:18 UTC
My system was up to date on 29/01/10 and today after the 30/01/10 update I have seen the same bug. That happened after the restart (after update).

Comment 11 Rüdiger Schmitt 2010-02-04 09:40:12 UTC
Same behavior here. After an update - I don't know when anymore - after log-in I get the SELinux-Message with another message about wine-prestarter wants to do "an unsafe memory operation". Actually I've removed all wine (incl. the directories in my home-directory) and the same bug appears after restarting my system. New labeling didn't help.

Comment 12 jul 2010-04-07 21:25:43 UTC
(In reply to comment #2)
> Many users are going to see this AVC when updating from 1.0.0 because I pushed
> a new version to stable yesterday.    

Then what should we do?

Comment 13 Nicola Soranzo 2010-04-08 09:35:37 UTC
(In reply to comment #12)
> (In reply to comment #2)
> > Many users are going to see this AVC when updating from 1.0.0 because I pushed
> > a new version to stable yesterday.    
> 
> Then what should we do?    

Hi jul,
this bug has been closed as a duplicate, you should refer to bug 546152.
