Summary:

SELinux is preventing /usr/sbin/abrtd "read" access on Packages.

Detailed Description:

[abrtd has a permissive type (abrt_t). This access was not denied.]

SELinux denied access requested by abrtd. It is not expected that this access is required by abrtd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:abrt_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                Packages [ file ]
Source                        abrtd
Source Path                   /usr/sbin/abrtd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7 21:25:57 EST 2009 i686 athlon
Alert Count                   2
First Seen                    Fri 14 May 2010 14:22:33
Last Seen                     Fri 14 May 2010 14:22:33
Local ID                      be3ecd5e-4651-4f9c-b115-56242db2044b
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1273861353.344:19910): avc: denied { read } for pid=1104 comm="abrtd" name="Packages" dev=sda9 ino=16 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1273861353.344:19910): avc: denied { open } for pid=1104 comm="abrtd" name="Packages" dev=sda9 ino=16 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1273861353.344:19910): arch=40000003 syscall=5 success=yes exit=9 a0=8ae8330 a1=8000 a2=0 a3=1 items=0 ppid=1 pid=1104 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe="/usr/sbin/abrtd" subj=system_u:system_r:abrt_t:s0 key=(null)

Hash String generated from None,catchall,abrtd,abrt_t,var_t,file,read

audit2allow suggests:

#============= abrt_t ==============
allow abrt_t var_t:file { read open };
Any idea where the file Packages is located? What version of selinux-policy do you have installed?

rpm -q selinux-policy
I have the same problem but was not able to file the bug due to a problem in name resolution. I am using selinux-policy-3.6.32-116.fc12.noarch. I have a file named Packages in /var/lib/rpm/, is that the one?
No. Please attach the AVC messages from your audit log compressed.

ausearch -m avc ts today
It seems this problem only occurred with the previous kernel version. SELinux says "This alert has occurred 3 times since Wed Jun 9, 2010", but the fact is that I installed it on the 8th of June. The ausearch command gives me "ts is an unsupported option".

Summary:

SELinux is preventing /usr/sbin/abrtd (deleted) "write" access on /etc/abrt.

Detailed Description:

[abrtd has a permissive type (abrt_t). This access was not denied.]

SELinux denied access requested by abrtd. It is not expected that this access is required by abrtd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:abrt_t:s0
Target Context                system_u:object_r:abrt_etc_t:s0
Target Objects                /etc/abrt [ dir ]
Source                        abrtd
Source Path                   /usr/sbin/abrtd (deleted)
Port                          <Unknown>
Host                          new-host.home
Source RPM Packages
Target RPM Packages           abrt-1.0.9-2.fc12
Policy RPM                    selinux-policy-3.6.32-116.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     new-host.home
Platform                      Linux new-host.home 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 athlon
Alert Count                   3
First Seen                    Wed 09 Jun 2010 03:48:09 AM WEST
Last Seen                     Wed 09 Jun 2010 03:48:09 AM WEST
Local ID                      64a71bbd-67f7-4d31-a466-bcc9b1e0de64
Line Numbers

Raw Audit Messages

node=new-host.home type=AVC msg=audit(1276051689.157:35018): avc: denied { write } for pid=1181 comm="abrtd" name="abrt" dev=sda3 ino=23447 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir

node=new-host.home type=AVC msg=audit(1276051689.157:35018): avc: denied { add_name } for pid=1181 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=dir

node=new-host.home type=AVC msg=audit(1276051689.157:35018): avc: denied { create } for pid=1181 comm="abrtd" name="pyhook.conf" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:abrt_etc_t:s0 tclass=file

node=new-host.home type=SYSCALL msg=audit(1276051689.157:35018): arch=40000003 syscall=5 success=yes exit=9 a0=82d0b9 a1=8241 a2=1b6 a3=38fec9 items=0 ppid=1 pid=1181 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe=2F7573722F7362696E2F6162727464202864656C6574656429 subj=system_u:system_r:abrt_t:s0 key=(null)
It is probable I have changed the dates during the upgrade process because they were wrong. Since this problem did not occur again it was likely a problem in the previous kernel (in Fedora 12 by default). I suggest the bug be closed.