596347 – pyhook: statvfs('/var/spool/abrt'): Permission denied

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 596347 - pyhook: statvfs('/var/spool/abrt'): Permission denied

Summary: pyhook: statvfs('/var/spool/abrt'): Permission denied

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Daniel Walsh
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-05-26 16:04 UTC by Michal Nowak
Modified:	2013-03-08 02:10 UTC (History)
CC List:	10 users (show)
Fixed In Version:	selinux-policy-3.7.19-22
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-07-02 20:53:51 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Michal Nowak 2010-05-26 16:04:25 UTC

Description of problem:

Disabled BlackListedPaths in abrt.conf, modified /usr/share/doc/gamin-python-0.1.10/basic2.py to contain TypeError exception

#!/usr/bin/python
"11" + 11

and executed it:

newman@dhcp-lab-222 init-scripts-LSB $ /usr/share/doc/gamin-python-0.1.10/basic2.py 
Traceback (most recent call last):
  File "/usr/share/doc/gamin-python-0.1.10/basic2.py", line 2, in <module>
    "11" + 11
TypeError: cannot concatenate 'str' and 'int' objects


abrtd spited just following two lines:

python: abrt: detected unhandled Python exception in /usr/share/doc/gamin-python-0.1.10/basic2.py
abrt[24079]: statvfs('/var/spool/abrt'): Permission denied

and no crash is present in abrt-gui.

Version-Release number of selected component (if applicable):

abrt-1.1.4-1.el6.x86_64 (unofficial from jmoskovc's fedorapeople repo)
abrt-1.1.3-1.el6.x86_64 is the same.

How reproducible:

always

There's nothing in audit.log.

Comment 1 Karel Klíč 2010-05-26 16:26:25 UTC

Michal, can you please try it again with SELinux turned off? 
Does it still say 'Permission denied?'

Just to be sure SELinux doesn't forget to report the incident.

Comment 2 Jiri Moskovcak 2010-05-26 16:58:10 UTC

It works with selinux turned off.

Comment 3 Denys Vlasenko 2010-05-26 17:17:03 UTC

The strange part is that we do not seem to be getting any AVC denials!
We only see statfs() syscall (which is what glibc calls when one calls statvfs() function in C) fails with EPERM.

Comment 4 Denys Vlasenko 2010-05-26 17:22:21 UTC

Correction. It's EACCESS, not EPERM.

Here's the part of the strace log. The crashed python process was run under root:

# grep -e 'set[a-z]*uid(' -e EPERM -e EACCESS -e 'statv*fs' -e abrt-hook-python LOG 
8782  statfs("/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
8783  statfs("/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
8783  setfsuid(0)                       = 0
8783  setfsuid(0)                       = 0
8783  setfsuid(0)                       = 0
8783  setfsuid(0)                       = 0
8785  setuid(0)                         = 0
8785  statfs("/root/.xauthr0arLD-c", {f_type="EXT2_SUPER_MAGIC", f_bsize=4096, f_blocks=2519771, f_bfree=655765, f_bavail=527765, f_files=640848, f_ffree=409688, f_fsid={-430438761, 1438887161}, f_namelen=255, f_frsize=4096}) = 0
8783  setfsuid(0)                       = 0
8783  setfsuid(0)                       = 0
8786  setuid(0 <unfinished ...>
8786  statfs("/root/.xauthfOoY60-c", {f_type="EXT2_SUPER_MAGIC", f_bsize=4096, f_blocks=2519771, f_bfree=655740, f_bavail=527740, f_files=640848, f_ffree=409687, f_fsid={-430438761, 1438887161}, f_namelen=255, f_frsize=4096}) = 0
8787  setreuid(0, 0)                    = 0
8789  read(5, "4/python2.6/os.pyt\24\0\0\0_make_statvfs_result\335\2\0\0s\2\0\0\0\0\1c\1\0\0\0\3\0\0\0\2\0\0\0C\0\0\0s\34\0\0\0|\0\0i\0\0\203\0\0\\\2\0}\1\0}\2\0t\1\0|\2\0"..., 4096) = 1834
8790  execve("/usr/libexec/abrt-hook-python", ["/usr/libexec/abrt-hook-python", "--pid=8789", "--executable=/usr/share/system-config-display/xconf.py"], [/* 14 vars */]
8790  ("/var/spool/abrt", 0x7fff55516c00) = -1 EACCES (Permission denied)
8790  sendto(3, "<27>May 26 18:42:58 abrt[8790]: statvfs('/var/spool/abrt'): Permission denied", 77, MSG_NOSIGNAL, NULL, 0) = 77

Is it a problem of /usr/libexec/abrt-hook-python not having enough privileges?

Comment 5 Denys Vlasenko 2010-05-27 13:33:36 UTC

Last lines got messed up by copy/paste. Correct ones:

8790  execve("/usr/libexec/abrt-hook-python", ["/usr/libexec/abrt-hook-python", "--pid=8789", "--executable=/usr/share/system-config-display/xconf.py"], [/* 14 vars */] <unfinished ...>
8790  statfs("/var/spool/abrt", 0x7fff55516c00) = -1 EACCES (Permission denied)
8790  sendto(3, "<27>May 26 18:42:58 abrt[8790]: statvfs('/var/spool/abrt'): Permission denied", 77, MSG_NOSIGNAL, NULL, 0) = 77

Comment 6 Miroslav Grepl 2010-05-27 13:54:18 UTC

Dan,
we need to add

files_search_spool(abrt_helper_t)

Comment 8 Daniel Walsh 2010-05-27 14:00:59 UTC

Fixed in selinux-policy-3.7.19-22.fc13.noarch

Comment 12 releng-rhel@redhat.com 2010-07-02 20:53:51 UTC

Red Hat Enterprise Linux Beta 2 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.