Bug 560484 - SELinux is preventing /usr/sbin/abrtd (deleted) "write" access on /etc/abrt.
Status: CLOSED DUPLICATE of bug 546152
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64 Linux
Priority: low, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:f67cfe54c97...
Reported: 2010-01-31 17:27 EST by break19
Modified: 2013-02-26 03:54 EST
Doc Type: Bug Fix
Last Closed: 2010-02-01 10:42:16 EST

Attachments:
Text version of comment below (226 bytes, text/plain)
2010-08-28 14:14 EDT, mjr00002
Description break19 2010-01-31 17:27:50 EST
Summary:

SELinux is preventing /usr/sbin/abrtd (deleted) "write" access on /etc/abrt.

Detailed Description:

[abrtd has a permissive type (abrt_t). This access was not denied.]

SELinux denied access requested by abrtd. It is not expected that this access is
required by abrtd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:abrt_t:s0
Target Context                system_u:object_r:abrt_etc_t:s0
Target Objects                /etc/abrt [ dir ]
Source                        abrtd
Source Path                   /usr/sbin/abrtd (deleted)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           abrt-1.0.4-1.fc12
Policy RPM                    selinux-policy-3.6.32-78.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.x86_64 #1
                              SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Sun 31 Jan 2010 10:51:54 AM CST
Last Seen                     Sun 31 Jan 2010 10:51:54 AM CST
Local ID                      79a17fff-b3f3-4a9b-abca-1091307095b0
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1264956714.71:42421): avc:  denied  { write } for  pid=1518 comm="abrtd" name="abrt" dev=dm-2 ino=33859 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1264956714.71:42421): avc:  denied  { add_name } for  pid=1518 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1264956714.71:42421): avc:  denied  { create } for  pid=1518 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1264956714.71:42421): arch=c000003e syscall=2 success=yes exit=9 a0=7f2d2dece5f5 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=1518 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe=2F7573722F7362696E2F6162727464202864656C6574656429 subj=system_u:system_r:abrt_t:s0 key=(null)



Hash String generated from  catchall,abrtd,abrt_t,abrt_etc_t,dir,write
audit2allow suggests:

#============= abrt_t ==============
#!!!! The source type 'abrt_t' can write to a 'dir' of the following types:
# abrt_var_run_t, tmp_t, var_t, abrt_tmp_t, var_run_t, rpm_var_cache_t, abrt_var_cache_t, var_log_t, abrt_var_log_t, rpm_var_run_t, root_t

allow abrt_t abrt_etc_t:dir { write add_name };
allow abrt_t abrt_etc_t:file create;
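
The raw audit messages in the description can be read mechanically: the records share one event ID, the hex `exe=` value decodes to the reported source path, and `success=yes` on the SYSCALL record matches the note that the permissive abrt_t access was not denied. The Python sketch below is an added example, not code from the reporter, setroubleshoot or audit2allow; its function names are hypothetical, and the sample records are copied from the description.

```python
import re

# The four records of one audit event, copied from the description above.
SAMPLE = """
node=(removed) type=AVC msg=audit(1264956714.71:42421): avc:  denied  { write } for  pid=1518 comm="abrtd" name="abrt" dev=dm-2 ino=33859 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir
node=(removed) type=AVC msg=audit(1264956714.71:42421): avc:  denied  { add_name } for  pid=1518 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir
node=(removed) type=AVC msg=audit(1264956714.71:42421): avc:  denied  { create } for  pid=1518 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1264956714.71:42421): arch=c000003e syscall=2 success=yes exit=9 a0=7f2d2dece5f5 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=1518 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe=2F7573722F7362696E2F6162727464202864656C6574656429 subj=system_u:system_r:abrt_t:s0 key=(null)
"""

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+:\d+)\):')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
STRING_FIELDS = {'comm', 'exe', 'name'}  # fields auditd may quote or hex-encode


def decode_value(raw):
    """Plain strings are quoted; strings with spaces or odd bytes are hex."""
    if raw.startswith('"'):
        return raw.strip('"')
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw


def parse_record(line):
    """Return the record type, event ID and key=value fields of one line."""
    head = HEADER.search(line)
    if head is None:
        return None
    rec = {'type': head.group(1), 'event': head.group(2)}
    body = line[head.end():]
    perms = PERMS.search(body)
    if perms:
        rec['perms'] = perms.group(1).split()
    for key, raw in FIELD.findall(body):
        rec[key] = decode_value(raw) if key in STRING_FIELDS else raw
    return rec


def summarize(text):
    """Group records by event ID; collect requested permissions per rule."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec['event'],
                               {'rules': {}, 'exe': None, 'allowed': None})
        if rec['type'] == 'AVC':
            key = (rec['scontext'].split(':')[2],
                   rec['tcontext'].split(':')[2], rec['tclass'])
            seen = ev['rules'].setdefault(key, [])
            seen += [p for p in rec['perms'] if p not in seen]
        elif rec['type'] == 'SYSCALL':
            ev['exe'] = rec.get('exe')
            # success=yes: the call went through, so the AVC was only logged
            ev['allowed'] = rec.get('success') == 'yes'
    return events


def allow_rules(event):
    """Render the rules in the form audit2allow prints them above."""
    rules = []
    for (src, tgt, tclass), perms in event['rules'].items():
        body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {src} {tgt}:{tclass} {body};')
    return rules


if __name__ == '__main__':
    for event_id, ev in summarize(SAMPLE).items():
        print(event_id, ev['exe'], ev['allowed'])
        print('\n'.join(allow_rules(ev)))
```

The decoded path ends in " (deleted)" because the kernel appends that marker when a running process's executable file has been unlinked, which fits the reports that the alert appeared after a package update.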
Comment 1 Juan Saavedra 2010-01-31 19:45:43 EST
Same here....
It happened after updating.
Resúmen:

SELinux is preventing /usr/sbin/abrtd (deleted) "write" access on /etc/abrt.

Descripción Detallada:

[abrtd es un tipo permisivo (abrt_t). Este acceso no fue denegado.]

SELinux denied access requested by abrtd. It is not expected that this access is
required by abrtd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Permitiendo Acceso:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Información Adicional:

Contexto Fuente               system_u:system_r:abrt_t:s0
Contexto Destino              system_u:object_r:abrt_etc_t:s0
Objetos Destino               /etc/abrt [ dir ]
Fuente                        abrtd
Dirección de Fuente          /usr/sbin/abrtd (deleted)
Puerto                        <Desconocido>
Nombre de Equipo              (removed)
Paquetes RPM Fuentes          
Paquetes RPM Destinos         abrt-1.0.3-1.fc12
RPM de Políticas             selinux-policy-3.6.32-66.fc12
SELinux Activado              True
Tipo de Política             targeted
Modo Obediente                Enforcing
Nombre de Plugin              catchall
Nombre de Equipo              (removed)
Plataforma                    Linux lapxot 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov
                              7 21:41:45 EST 2009 i686 i686
Cantidad de Alertas           3
Visto por Primera Vez         sáb 16 ene 2010 17:40:38 UYST
Visto por Última Vez         sáb 16 ene 2010 17:40:38 UYST
ID Local                      037dda8c-fd53-4ab1-bb55-e8b103bf1ca5
Números de Línea            

Mensajes de Auditoría Crudos 

node=lapxot type=AVC msg=audit(1263670838.568:20519): avc:  denied  { write } for  pid=1268 comm="abrtd" name="abrt" dev=sda6 ino=23447 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir

node=lapxot type=AVC msg=audit(1263670838.568:20519): avc:  denied  { add_name } for  pid=1268 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir

node=lapxot type=AVC msg=audit(1263670838.568:20519): avc:  denied  { create } for  pid=1268 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=file

node=lapxot type=SYSCALL msg=audit(1263670838.568:20519): arch=40000003 syscall=5 success=yes exit=9 a0=1c30b9 a1=8241 a2=1b6 a3=544e629 items=0 ppid=1 pid=1268 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe=2F7573722F7362696E2F6162727464202864656C6574656429 subj=system_u:system_r:abrt_t:s0 key=(null)
Comment 2 Miroslav Grepl 2010-02-01 10:42:16 EST

*** This bug has been marked as a duplicate of bug 546152 ***
Comment 3 Chris Campbell 2010-02-26 15:08:16 EST
This occurred for me after I loaded GoogleEarth. A bunch of SELinux errors occurred, and I fixed all of them via restorecon commands. Then, GoogleEarth started successfully, and this alert popped up.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 4 Daniel Walsh 2010-02-26 15:16:23 EST
Chris, just yum update to the latest code and you should be all right.
Comment 5 Chris Campbell 2010-02-26 17:49:49 EST
Done and am, thank you.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 6 hibbault 2010-02-28 12:10:30 EST
I've got the same problem.

Summary:

SELinux is preventing /usr/sbin/abrtd (deleted) "write" access on abrt.

Detailed Description:

[abrtd has a permissive type (abrt_t). This access was not denied.]

SELinux denied access requested by abrtd. It is not expected that this access is
required by abrtd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:abrt_t:s0
Target Context                system_u:object_r:abrt_etc_t:s0
Target Objects                abrt [ dir ]
Source                        abrtd
Source Path                   /usr/sbin/abrtd (deleted)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-89.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux hibbault 2.6.31.5-127.fc12.i686 #1 SMP Sat
                              Nov 7 21:41:45 EST 2009 i686 i686
Alert Count                   3
First Seen                    Sun 28 Feb 2010 06:51:05 PM EET
Last Seen                     Sun 28 Feb 2010 06:51:05 PM EET
Local ID                      71d0ff88-c782-43e4-9715-32f75ea6be2b
Line Numbers                  

Raw Audit Messages            

node=hibbault type=AVC msg=audit(1267375865.191:39186): avc:  denied  { write } for  pid=1345 comm="abrtd" name="abrt" dev=dm-0 ino=23447 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir

node=hibbault type=AVC msg=audit(1267375865.191:39186): avc:  denied  { add_name } for  pid=1345 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir

node=hibbault type=AVC msg=audit(1267375865.191:39186): avc:  denied  { create } for  pid=1345 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=file

node=hibbault type=SYSCALL msg=audit(1267375865.191:39186): arch=40000003 syscall=5 success=yes exit=9 a0=6090b9 a1=8241 a2=1b6 a3=413ec9 items=0 ppid=1 pid=1345 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe=2F7573722F7362696E2F6162727464202864656C6574656429 subj=system_u:system_r:abrt_t:s0 key=(null)
Comment 7 Justin 2010-03-11 06:23:06 EST
Yes, me too.
Anyone know when they're going to fix it?

Summary:

SELinux is preventing /usr/sbin/abrtd (deleted) "write" access on /etc/abrt.

Detailed Description:

[abrtd has a permissive type (abrt_t). This access was not denied.]

SELinux denied access requested by abrtd. It is not expected that this access is
required by abrtd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:abrt_t:s0
Target Context                system_u:object_r:abrt_etc_t:s0
Target Objects                /etc/abrt [ dir ]
Source                        abrtd
Source Path                   /usr/sbin/abrtd (deleted)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           abrt-1.0.8-2.fc12
Policy RPM                    selinux-policy-3.6.32-92.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux Justin 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov
                              7 21:41:45 EST 2009 i686 i686
Alert Count                   3
First Seen                    Thu 11 Mar 2010 10:13:28 PM EST
Last Seen                     Thu 11 Mar 2010 10:13:28 PM EST
Local ID                      a0826e76-13aa-445d-b094-8b617f57deec
Line Numbers                  

Raw Audit Messages            

node=Justin type=AVC msg=audit(1268306008.580:77): avc:  denied  { write } for  pid=1187 comm="abrtd" name="abrt" dev=dm-0 ino=23447 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir

node=Justin type=AVC msg=audit(1268306008.580:77): avc:  denied  { add_name } for  pid=1187 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir

node=Justin type=AVC msg=audit(1268306008.580:77): avc:  denied  { create } for  pid=1187 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=file

node=Justin type=SYSCALL msg=audit(1268306008.580:77): arch=40000003 syscall=5 success=yes exit=10 a0=2770b9 a1=8241 a2=1b6 a3=4f48629 items=0 ppid=1 pid=1187 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe=2F7573722F7362696E2F6162727464202864656C6574656429 subj=system_u:system_r:abrt_t:s0 key=(null)
Comment 8 Daniel Walsh 2010-03-11 09:38:57 EST
It is fixed.  This happens one time when you update to the latest abrt; it should go away and never happen again.
Comment 9 iggynelix 2010-03-11 20:29:07 EST
This just happened to me on a fresh F12 install from Live CD with yum update.  1st shot out of the box should not give an error like this. It's disturbing to newbies, upgraders and converters.  Can we either register the allowance with SELinux or pull the offending program from the distro?
Comment 10 Daniel Walsh 2010-03-12 08:35:13 EST
You're asking us to fix a bug without updating software?

We can not change the Old F12 install.    With a respin it should not happen.
Comment 11 Toshi 2010-03-13 03:23:38 EST
Fresh install. Updated PackageKit. Updated all updates listed in the Update Manager. I received this error, and not too soon after received a network manager error.   I am very new to Linux and Fedora and have very little knowledge when it comes to understanding where to look for certain files.   I would like to know how to fix this bug.

$ rpm -q abrt
abrt-1.0.8-2.fc12.i686


This is the version I am using according to the instructions I found online to check the version. 

Please let me know what next steps I need to take.
Comment 12 Scott M. Sanders 2010-03-18 13:14:07 EDT
I install to VirtualBox with Fedora-12-i686-Live.iso, GNOME Software Update is broken already (separate bug) so drop to terminal and enter "su", then my root password, then "yum update", wait about half a day for ~500 updates, then I get this ABR, every time.
Comment 13 brock 2010-03-20 07:50:32 EDT
Fresh install of Fedora 12 x86_64 from installation DVD. (NOT the live version)
Enabled wired ethernet.
yum upgrade yum*
yum upgrade
reboot
SELinux error icon shows up.
Clicked Report this Bug... button
Was directed to this bugzilla item to add comments...

Installation was on an HP dv6-2164ca notebook computer. (AMD Turion II x2 M660 2.7GHz, Radeon 1GB graphics, 4GB RAM, 1366x768 display)
Comment 14 e_antrobus 2010-03-21 06:34:19 EDT
Have been getting this error every time I turn on my computer.  I installed Fedora 12 from a Live CD (keeping my /home partition from my Fedora 11 installation).  I have updated everything available through yum, and am still getting this SELinux error.

Intel Pentium 4 2.26GHz, Radeon 9600 256MB graphics, 2GB RAM, static IP address on home network.
Comment 15 Daniel Walsh 2010-03-22 11:58:32 EDT
rpm -q abrt
Comment 16 e_antrobus 2010-03-27 08:40:04 EDT
abrt-1.0.8-2.fc12.i686

I found your advice in Bug 546152 (comment 29) about removing the .setroubleshoot file and haven't had the error since.
Comment 17 John 2010-03-27 13:12:41 EDT
Couldn't update any critical updates and, as mentioned above, found a resolution on the Fedora site, which installed and re-installed (missing files) Fedora 12, then a yum check-update, and everything is great now!
Comment 18 Chris Campbell 2010-03-27 17:48:52 EDT

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 19 zoyer 2010-04-11 22:22:15 EDT
Hello, I was running something and this appeared. I am Chilean and unfortunately I don't know English; if anyone out there speaks Spanish and could help me, I would be grateful.


Resúmen:

SELinux is preventing /usr/sbin/abrtd (deleted) "write" access on /etc/abrt.

Descripción Detallada:

[abrtd es un tipo permisivo (abrt_t). Este acceso no fue denegado.]

SELinux denied access requested by abrtd. It is not expected that this access is
required by abrtd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Permitiendo Acceso:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Información Adicional:

Contexto Fuente               system_u:system_r:abrt_t:s0
Contexto Destino              system_u:object_r:abrt_etc_t:s0
Objetos Destino               /etc/abrt [ dir ]
Fuente                        abrtd
Dirección de Fuente          /usr/sbin/abrtd (deleted)
Puerto                        <Desconocido>
Nombre de Equipo              (removed)
Paquetes RPM Fuentes          
Paquetes RPM Destinos         abrt-1.0.8-2.fc12
RPM de Políticas             selinux-policy-3.6.32-108.fc12
SELinux Activado              True
Tipo de Política             targeted
Modo Obediente                Enforcing
Nombre de Plugin              catchall
Nombre de Equipo              (removed)
Plataforma                    Linux NB-Pipe 2.6.31.5-127.fc12.i686.PAE #1 SMP
                              Sat Nov 7 21:25:57 EST 2009 i686 i686
Cantidad de Alertas           3
Visto por Primera Vez         dom 11 abr 2010 21:40:11 CLT
Visto por Última Vez         dom 11 abr 2010 21:40:11 CLT
ID Local                      6931b142-bfc9-4d2b-bccb-098c3f54c8c2
Números de Línea            

Mensajes de Auditoría Crudos 

node=NB-Pipe type=AVC msg=audit(1271036411.115:31668): avc:  denied  { write } for  pid=1207 comm="abrtd" name="abrt" dev=sda1 ino=59737 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir

node=NB-Pipe type=AVC msg=audit(1271036411.115:31668): avc:  denied  { add_name } for  pid=1207 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir

node=NB-Pipe type=AVC msg=audit(1271036411.115:31668): avc:  denied  { create } for  pid=1207 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=file

node=NB-Pipe type=SYSCALL msg=audit(1271036411.115:31668): arch=40000003 syscall=5 success=yes exit=9 a0=16e0b9 a1=8241 a2=1b6 a3=4426649 items=0 ppid=1 pid=1207 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe=2F7573722F7362696E2F6162727464202864656C6574656429 subj=system_u:system_r:abrt_t:s0 key=(null)
Comment 20 János Schneider 2010-04-25 08:47:16 EDT
Happened to me during the update of a fresh fedora 12 install.
Comment 21 Jose Edgar 2010-04-25 12:28:53 EDT
(In reply to comment #20)
> Happened to me during the update of a fresh fedora 12 install.    

yes
Comment 22 Exarchakis Georgios 2010-04-28 15:38:05 EDT
(In reply to comment #20)
> Happened to me during the update of a fresh fedora 12 install.    

The same happened to me
In fact the first time I installed fedora 12 I tried to update from 
System>Administration>Software Updates
and it started a lot of file browsers.
I am not sure if it is the same bug but it always happens when I try to update like that.
Eventually, I reinstalled the system.
Now it doesn't give me too much trouble.
I hope this helps
Comment 23 cschwangler 2010-04-29 05:27:53 EDT
This problem happens every time I am logging into a fully updated (using updates-testing) system shortly after the desktop is fully loaded. My abrt package is abrt-gui-1.0.9-1.fc12.i686.
Comment 24 ventiman 2010-05-01 15:14:52 EDT
This problem happens every time I boot up. Have not a clue as to what caused it.
Comment 25 sam 2010-06-17 16:20:17 EDT
Hi, not sure how I go about doing this, as I've been getting this for a while now, and I was not all that sure how to go about fixing it... here goes anyway.

I was listening to a radio stream using real radio player on the favourites list.

But I've been getting this one and others for a while now... no idea what I'm doing with Linux, only had Fedora 12 on my laptop 4 days now, and that includes ALLLLLL of my Linux experience.
Comment 26 harold molly 2010-06-18 06:54:10 EDT
It occurred to me that:
SELinux is not quite friendly on packages violating its rules, mostly non-Fedora packages. Very good. I consider the Live version a demo version. Still have to figure out why, but the sequence yum update, yum check, editing SELinux booleans and eventually doing a reorganizing prelink after a major update (upgrade) works.
Reinstalling a disruptive package seems to do the trick as well, sometimes.
Maybe we need the possibility in SE to grant "Fedora strange" packages additional authority, selectively in the GUI, without having to engage this cryptic "generate a local policy module to allow access" routine.
Comment 27 Daniel Walsh 2010-06-18 10:07:56 EDT
Are you guys fully up to date with your packages?

yum -y update
Comment 28 mjr00002 2010-08-28 14:14:10 EDT
Created attachment 441722
Text version of comment below

Bug 560484 came back after I modified my System/Preferences/Startup Applications/Options to "Automatically remember running applications when logging out". This was about the only change to my system I've made in a long time.
Comment 29 Irwin 2012-08-26 01:12:26 EDT
This happened after an update of Chrome browser.
Comment 30 Irwin 2012-08-26 01:12:42 EDT
This happened after an update of Chrome browser.
