Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 593670 - abrtd doesn't start: selinux problem with /var/spool
abrtd doesn't start: selinux problem with /var/spool
Status: CLOSED DUPLICATE of bug 593906
Product: Fedora
Classification: Fedora
Component: abrt (Show other bugs)
rawhide
All Linux
low Severity medium
: ---
: ---
Assigned To: Jiri Moskovcak
Fedora Extras Quality Assurance
:
: 594731 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-05-19 09:18 EDT by Tom London
Modified: 2015-02-01 17:52 EST (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-05-24 11:19:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tom London 2010-05-19 09:18:45 EDT
Description of problem:
After installing abrt-1.1.2-1.fc14.x86_64 and rebooting, abrtd fails to start:

May 18 21:58:56 tlondon abrtd: Can't create '/var/spool/abrt': Permission denied
May 18 21:58:56 tlondon kernel: type=1400 audit(1274245136.943:26635): avc:  denied  { write } for  pid=4919 comm="abrtd" name="spool" dev=dm-0 ino=5332994 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
May 18 21:58:56 tlondon kernel: type=1400 audit(1274245136.944:26636): avc:  denied  { write } for  pid=4919 comm="abrtd" name="spool" dev=dm-0 ino=5332994 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir

And on the following reboot:

May 19 06:02:09 tlondon abrtd: Can't create '/var/spool/abrt': Permission denied

Putting system into permissive mode and running 'service abrtd start', I see:

May 19 06:15:45 tlondon kernel: type=1400 audit(1274274945.223:27089): avc:  denied  { write } for  pid=2413 comm="abrtd" name="spool" dev=dm-0 ino=5332994 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
May 19 06:15:45 tlondon kernel: type=1400 audit(1274274945.223:27090): avc:  denied  { add_name } for  pid=2413 comm="abrtd" name="abrt" scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
May 19 06:15:45 tlondon kernel: type=1400 audit(1274274945.240:27091): avc:  denied  { create } for  pid=2413 comm="abrtd" name="abrt" scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file

Looks like abrtd wants:
#============= abrt_t ==============
#!!!! The source type 'abrt_t' can write to a 'dir' of the following types:
# abrt_var_log_t, rpm_var_run_t, abrt_var_run_t, tmp_t, var_t, abrt_tmp_t, var_run_t, rpm_var_cache_t, abrt_var_cache_t, var_log_t, root_t

allow abrt_t var_spool_t:dir { write add_name };
allow abrt_t var_t:lnk_file create;


Version-Release number of selected component (if applicable):
abrt-1.1.2-1.fc14.x86_64

How reproducible:
Every time abrtd starts

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Tom London 2010-05-19 09:20:27 EDT
Should have added selinux-policy version:

selinux-policy-3.7.19-17.fc13.noarch
Comment 2 Daniel Walsh 2010-05-19 13:39:38 EDT
Tom, it should have been relabeled.

restorecon -R -v /var/cache/abrt  Should fix.
Comment 3 Tom London 2010-05-19 14:29:51 EDT
Believe this version moved the files from /var/cache/abrt to /var/spool/abrt.
Comment 4 Jiri Moskovcak 2010-05-21 09:20:59 EDT
*** Bug 594731 has been marked as a duplicate of this bug. ***
Comment 5 Denys Vlasenko 2010-05-21 10:40:01 EDT
Please try this build:

http://koji.fedoraproject.org/koji/taskinfo?taskID=2201357
Comment 6 Denys Vlasenko 2010-05-24 11:19:55 EDT

*** This bug has been marked as a duplicate of bug 593906 ***

Note You need to log in before you can comment on or make changes to this bug.