Bug 592576 - SELinux is preventing /usr/sbin/abrtd "read" access on Packages.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386 Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:c5f17a0f6ed...
Reported: 2010-05-15 09:48 EDT by spider
Modified: 2010-06-16 10:47 EDT
Doc Type: Bug Fix
Last Closed: 2010-06-16 10:47:59 EDT

Description spider 2010-05-15 09:48:29 EDT
概述:

SELinux is preventing /usr/sbin/abrtd "read" access on Packages.

详细描述:

[abrtd has a permissive type (abrt_t). This access was not denied.]

SELinux denied access requested by abrtd. It is not expected that this access is
required by abrtd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

允许访问:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

附加信息:

源上下文                  system_u:system_r:abrt_t:s0
目标上下文               system_u:object_r:var_t:s0
目标对象                  Packages [ file ]
源                           abrtd
源路径                     /usr/sbin/abrtd
端口                        <未知>
主机                        (removed)
源 RPM 软件包             
目标 RPM 软件包          
策略 RPM                    <未知>
启用 Selinux                True
策略类型                  targeted
启用 MLS                    True
Enforcing 模式              Enforcing
插件名称                  catchall
主机名                     (removed)
平台                        Linux (removed) 2.6.31.5-127.fc12.i686.PAE #1 SMP Sat
                              Nov 7 21:25:57 EST 2009 i686 athlon
警报计数                  2
第一个                     2010年05月14日 星期五 14时22分33秒
最后一个                  2010年05月14日 星期五 14时22分33秒
本地 ID                     be3ecd5e-4651-4f9c-b115-56242db2044b
行号                        

原始核查信息            

node=(removed) type=AVC msg=audit(1273861353.344:19910): avc:  denied  { read } for  pid=1104 comm="abrtd" name="Packages" dev=sda9 ino=16 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1273861353.344:19910): avc:  denied  { open } for  pid=1104 comm="abrtd" name="Packages" dev=sda9 ino=16 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1273861353.344:19910): arch=40000003 syscall=5 success=yes exit=9 a0=8ae8330 a1=8000 a2=0 a3=1 items=0 ppid=1 pid=1104 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe="/usr/sbin/abrtd" subj=system_u:system_r:abrt_t:s0 key=(null)



Hash String generated from  None,catchall,abrtd,abrt_t,var_t,file,read
audit2allow suggests:

#============= abrt_t ==============
allow abrt_t var_t:file { read open };
Comment 1 Daniel Walsh 2010-05-17 10:31:41 EDT
Any idea where the file Packages is located?

What version of selinux-policy do you have installed?

rpm -q selinux-policy
Comment 2 C. M. Trindade 2010-06-10 16:41:26 EDT
I have the same problem but was not able to file the bug due to problem in name resolution. I am using selinux-policy-3.6.32-116.fc12.noarch. I have a file named Packages in /var/lib/rpm/, is that the one?
Comment 3 Daniel Walsh 2010-06-11 11:34:39 EDT
No.

Please attach the AVC messages from your audit log compressed.

ausearch -m avc ts today
Comment 4 C. M. Trindade 2010-06-13 06:23:40 EDT
It seems this problem only occurred with the previous kernel version. SELinux says "This alert has occurred 3 times since Wed Jun 9, 2010", but the fact is that I installed it on the 8th of June.
ausearch command gives me "ts is an unsupported option".

Summary:

SELinux is preventing /usr/sbin/abrtd (deleted) "write" access on /etc/abrt.

Detailed Description:

[abrtd has a permissive type (abrt_t). This access was not denied.]

SELinux denied access requested by abrtd. It is not expected that this access is
required by abrtd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:abrt_t:s0
Target Context                system_u:object_r:abrt_etc_t:s0
Target Objects                /etc/abrt [ dir ]
Source                        abrtd
Source Path                   /usr/sbin/abrtd (deleted)
Port                          <Unknown>
Host                          new-host.home
Source RPM Packages           
Target RPM Packages           abrt-1.0.9-2.fc12
Policy RPM                    selinux-policy-3.6.32-116.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     new-host.home
Platform                      Linux new-host.home 2.6.31.5-127.fc12.i686 #1 SMP
                              Sat Nov 7 21:41:45 EST 2009 i686 athlon
Alert Count                   3
First Seen                    Wed 09 Jun 2010 03:48:09 AM WEST
Last Seen                     Wed 09 Jun 2010 03:48:09 AM WEST
Local ID                      64a71bbd-67f7-4d31-a466-bcc9b1e0de64
Line Numbers                  

Raw Audit Messages            

node=new-host.home type=AVC msg=audit(1276051689.157:35018): avc:  denied  { write } for  pid=1181 comm="abrtd" name="abrt" dev=sda3 ino=23447 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir

node=new-host.home type=AVC msg=audit(1276051689.157:35018): avc:  denied  { add_name } for  pid=1181 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir

node=new-host.home type=AVC msg=audit(1276051689.157:35018): avc:  denied  { create } for  pid=1181 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=file

node=new-host.home type=SYSCALL msg=audit(1276051689.157:35018): arch=40000003 syscall=5 success=yes exit=9 a0=82d0b9 a1=8241 a2=1b6 a3=38fec9 items=0 ppid=1 pid=1181 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe=2F7573722F7362696E2F6162727464202864656C6574656429 subj=system_u:system_r:abrt_t:s0 key=(null)
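
The audit records from both reports above, with fields abridged, run through a small parser that groups the denials into allow rules the way audit2allow does and decodes the hex-encoded exe= value of the second SYSCALL record. This is an added example, not code from the bug thread or from audit2allow; SAMPLE, decode_field and summarize are names made up here.

```python
import re
from collections import defaultdict

# Constructed sample: audit records from the two reports above, fields abridged.
SAMPLE = '''\
type=AVC msg=audit(1273861353.344:19910): avc:  denied  { read } for  pid=1104 comm="abrtd" name="Packages" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1273861353.344:19910): avc:  denied  { open } for  pid=1104 comm="abrtd" name="Packages" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1273861353.344:19910): arch=40000003 syscall=5 success=yes comm="abrtd" exe="/usr/sbin/abrtd" subj=system_u:system_r:abrt_t:s0 key=(null)
type=AVC msg=audit(1276051689.157:35018): avc:  denied  { write } for  pid=1181 comm="abrtd" name="abrt" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir
type=AVC msg=audit(1276051689.157:35018): avc:  denied  { add_name } for  pid=1181 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir
type=AVC msg=audit(1276051689.157:35018): avc:  denied  { create } for  pid=1181 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1276051689.157:35018): arch=40000003 syscall=5 success=yes comm="abrtd" exe=2F7573722F7362696E2F6162727464202864656C6574656429 subj=system_u:system_r:abrt_t:s0 key=(null)
'''

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+'
                    r'\{ (?P<perms>[^}]+) \} for .*?scontext=(?P<s>\S+) '
                    r'tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)')
EXE_RE = re.compile(r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?\bexe=(?P<exe>\S+)')

def decode_field(value):
    """auditd quotes plain strings and hex-encodes values containing spaces or quotes."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode('utf-8', 'replace')
    except ValueError:
        return value  # literals such as (null)

def summarize(log_text):
    """Return (allow rules grouped like audit2allow, {event serial: decoded exe path})."""
    perms, exes = defaultdict(set), {}
    for line in log_text.splitlines():
        avc = AVC_RE.search(line)
        if avc:
            key = (avc['s'].split(':')[2], avc['t'].split(':')[2], avc['cls'])
            perms[key].update(avc['perms'].split())
        elif (sc := EXE_RE.search(line)):
            exes[sc['serial']] = decode_field(sc['exe'])
    rules = []
    for (src, tgt, cls), granted in sorted(perms.items()):
        names = sorted(granted)  # sorted for stable output; audit2allow's order differs
        body = names[0] if len(names) == 1 else '{ ' + ' '.join(names) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules, exes

if __name__ == '__main__':
    rules, exes = summarize(SAMPLE)
    print('\n'.join(rules), exes, sep='\n')
```
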
Comment 5 C. M. Trindade 2010-06-15 07:21:06 EDT
It is probable I have changed the dates during the upgrade process because it was wrong. Since this problem did not occur again it was likely a problem in the previous kernel (in Fedora 12 by default). I suggest the bug be closed.
Comment 6 C. M. Trindade 2010-06-15 07:25:21 EDT
It is probable I have changed the dates during the upgrade process because it was wrong. Since this problem did not occur again it was likely a problem in the previous kernel (in Fedora 12 by default). I suggest the bug be closed.