Summary:

SELinux is preventing /usr/sbin/abrtd "write" access on /var/spool.

Detailed Description:

SELinux denied access requested by abrtd. It is not expected that this access is required by abrtd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_spool_t:s0
Target Objects                /var/spool [ dir ]
Source                        abrtd
Source Path                   /usr/sbin/abrtd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           abrt-1.1.2-1.fc14
Target RPM Packages           filesystem-2.4.35-1.fc14
Policy RPM                    selinux-policy-3.7.19-15.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.34-2.fc14.x86_64 #1 SMP Mon May 17 03:51:48 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 19 May 2010 07:28:18 PM PDT
Last Seen                     Wed 19 May 2010 07:28:18 PM PDT
Local ID                      2d0d5755-83c5-44a9-bf0a-e8974ea9925d
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1274322498.415:688): avc: denied { write } for pid=17833 comm="abrtd" name="spool" dev=dm-0 ino=1566 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1274322498.415:688): arch=c000003e syscall=83 success=no exit=-13 a0=41e791 a1=1ed a2=d a3=7fffa222a3c0 items=0 ppid=17832 pid=17833 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="abrtd" exe="/usr/sbin/abrtd" subj=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

Hash String generated from catchall,abrtd,abrt_t,var_spool_t,dir,write

audit2allow suggests:

#============= abrt_t ==============
#!!!! The source type 'abrt_t' can write to a 'dir' of the following types:
# tmp_t, var_t, sosreport_tmp_t, abrt_tmp_t, var_run_t, rpm_var_cache_t, abrt_var_cache_t, var_log_t, abrt_var_log_t, rpm_var_run_t, abrt_var_run_t, root_t

allow abrt_t var_spool_t:dir write;
I have the latest selinux-policy from koji.
http://koji.fedoraproject.org/koji/buildinfo?buildID=174238

$ rpm -qa selinux-policy\*
selinux-policy-3.7.19-19.fc13.noarch
selinux-policy-targeted-3.7.19-19.fc13.noarch

Summary:

SELinux is preventing /usr/sbin/abrtd "write" access on /var/spool.

--snip--

Source Context                unconfined_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_spool_t:s0
Target Objects                /var/spool [ dir ]
Source                        abrtd
Source Path                   /usr/sbin/abrtd
Port                          <Unknown>
Host                          #######
Source RPM Packages           abrt-1.1.2-1.fc14
Target RPM Packages           filesystem-2.4.35-1.fc14
Policy RPM                    selinux-policy-3.7.19-19.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     ######
Platform                      Linux ##### 2.6.34-2.fc14.x86_64 #1 SMP Mon May 17 03:51:48 UTC 2010 x86_64 x86_64
Alert Count                   4
First Seen                    Thu 20 May 2010 11:41:24 IST
Last Seen                     Thu 20 May 2010 11:59:03 IST
Local ID                      fd7364ef-21be-4027-9ff3-26c402c0eb64
Line Numbers

Raw Audit Messages

node=##### type=AVC msg=audit(1274353143.940:26429): avc: denied { write } for pid=2634 comm="abrtd" name="spool" dev=dm-6 ino=41025 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir

node=##### type=SYSCALL msg=audit(1274353143.940:26429): arch=c000003e syscall=83 success=no exit=-13 a0=41e791 a1=1ed a2=d a3=0 items=0 ppid=2633 pid=2634 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="abrtd" exe="/usr/sbin/abrtd" subj=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
/var/spool/abrt should be in the payload with the abrtd package.
*** Bug 594017 has been marked as a duplicate of this bug. ***
(In reply to comment #2)
> /var/spool/abrt should be in the payload with the abrtd package.

the dir is there, with some kerneloops sub-dirs in my case.
Users who are getting this problem just need to execute

# mkdir /var/spool/abrt
# restorecon -R -v /var/spool/abrt

And the AVC will stop happening

Frank you should be able to run the restorecon command above.
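Added example, not part of the original thread or of any Fedora tool: it pairs the AVC and SYSCALL records from the first report by their shared audit event ID and decodes the syscall, which shows the denied "write" on /var/spool was abrtd calling mkdir with mode 0755, consistent with the missing /var/spool/abrt directory. The function names and the small x86_64 syscall table are assumptions of this example.

```python
import errno
import re

# The two raw audit records copied from the first report in this thread.
SAMPLE = '''node=(removed) type=AVC msg=audit(1274322498.415:688): avc: denied { write } for pid=17833 comm="abrtd" name="spool" dev=dm-0 ino=1566 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
node=(removed) type=SYSCALL msg=audit(1274322498.415:688): arch=c000003e syscall=83 success=no exit=-13 a0=41e791 a1=1ed a2=d a3=7fffa222a3c0 items=0 ppid=17832 pid=17833 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="abrtd" exe="/usr/sbin/abrtd" subj=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)'''

# Subset of x86_64 (arch=c000003e) syscall numbers relevant to directory writes.
X86_64_SYSCALLS = {2: "open", 82: "rename", 83: "mkdir", 84: "rmdir", 85: "creat", 87: "unlink"}
EVENT_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")

def parse_events(text):
    """Group audit records by event ID (timestamp:serial), keyed by record type."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an audit record
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if rtype == "AVC":
            pm = PERMS_RE.search(body)
            fields["perms"] = pm.group(1).split() if pm else []
        events.setdefault(event_id, {})[rtype] = fields
    return events

def explain(event):
    """Summarise one denial: SELinux types involved plus the decoded syscall."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    out = {
        "source_type": avc["scontext"].split(":")[2],
        "target_type": avc["tcontext"].split(":")[2],
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        "name": avc.get("name"),
    }
    if sc.get("arch") == "c000003e":  # only decode the architecture we have a table for
        out["syscall"] = X86_64_SYSCALLS.get(int(sc["syscall"]), sc["syscall"])
        out["errno"] = errno.errorcode.get(-int(sc["exit"]))
        if out["syscall"] == "mkdir":
            out["mode"] = oct(int(sc["a1"], 16))  # a1 is the mode argument, logged in hex
    return out

if __name__ == "__main__":
    for event_id, event in parse_events(SAMPLE).items():
        print(event_id, explain(event))
```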
(In reply to comment #5)
> Users who are getting this problem just need to execute
>
> # mkdir /var/spool/abrt
> # restorecon -R -v /var/spool/abrt
>
> And the AVC will stop happening
>
>
> Frank you should be able to run the restorecon command above.

Thanks Dan.
Thank you Dan, is it correct that this isn't really a bug? I didn't think it important, but that it was something that could be changed, at some point, in the "out of the box" setup.

Kurt

Whoops! I just saw that you marked it as "NOTABUG".
*** Bug 593973 has been marked as a duplicate of this bug. ***
Well it is a bug in abrt that the directory was not in the payload. I am also modifying policy to make the correct thing happen if the directory does not exist.
Thanks again Dan.
*** Bug 594448 has been marked as a duplicate of this bug. ***
Let's keep it open for now, there will be more reports about this which I want to mark as dups
*** Bug 594022 has been marked as a duplicate of this bug. ***
Please don't close this bug.
*** Bug 593670 has been marked as a duplicate of this bug. ***
Please try this build: http://koji.fedoraproject.org/koji/taskinfo?taskID=2201357
*** Bug 595036 has been marked as a duplicate of this bug. ***
(In reply to comment #16)
> Please try this build:
>
> http://koji.fedoraproject.org/koji/taskinfo?taskID=2201357

Worksforme
This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle. Changing version to '14'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
abrt-2.0.0-1.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/abrt-2.0.0-1.fc15
abrt-2.0.0-2.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/abrt-2.0.0-2.fc15
Package abrt-2.0.0-2.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing abrt-2.0.0-2.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/abrt-2.0.0-2.fc15
then log in and leave karma (feedback).
abrt-2.0.0-3.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/abrt-2.0.0-3.fc15
abrt-2.0.0-4.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/abrt-2.0.0-4.fc15
abrt-2.0.0-5.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/abrt-2.0.0-5.fc15
abrt-2.0.1-1.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/abrt-2.0.1-1.fc15
abrt-2.0.1-2.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/abrt-2.0.1-2.fc15
abrt-2.0.1-2.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.