Red Hat Bugzilla – Bug 596347
pyhook: statvfs('/var/spool/abrt'): Permission denied
Last modified: 2013-03-07 21:10:15 EST
Description of problem: Disabled BlackListedPaths in abrt.conf, modified /usr/share/doc/gamin-python-0.1.10/basic2.py to contain TypeError exception #!/usr/bin/python "11" + 11 and executed it: newman@dhcp-lab-222 init-scripts-LSB $ /usr/share/doc/gamin-python-0.1.10/basic2.py Traceback (most recent call last): File "/usr/share/doc/gamin-python-0.1.10/basic2.py", line 2, in <module> "11" + 11 TypeError: cannot concatenate 'str' and 'int' objects abrtd spited just following two lines: python: abrt: detected unhandled Python exception in /usr/share/doc/gamin-python-0.1.10/basic2.py abrt[24079]: statvfs('/var/spool/abrt'): Permission denied and no crash is present in abrt-gui. Version-Release number of selected component (if applicable): abrt-1.1.4-1.el6.x86_64 (unofficial from jmoskovc's fedorapeople repo) abrt-1.1.3-1.el6.x86_64 is the same. How reproducible: always There's nothing in audit.log.
Michal, can you please try it again with SELinux turned off? Does it still say 'Permission denied?' Just to be sure SELinux doesn't forget to report the incident.
It works with selinux turned off.
The strange part is that we do not seem to be getting any AVC denials! We only see statfs() syscall (which is what glibc calls when one calls statvfs() function in C) fails with EPERM.
Correction. It's EACCESS, not EPERM. Here's the part of the strace log. The crashed python process was run under root: # grep -e 'set[a-z]*uid(' -e EPERM -e EACCESS -e 'statv*fs' -e abrt-hook-python LOG 8782 statfs("/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0 8783 statfs("/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0 8783 setfsuid(0) = 0 8783 setfsuid(0) = 0 8783 setfsuid(0) = 0 8783 setfsuid(0) = 0 8785 setuid(0) = 0 8785 statfs("/root/.xauthr0arLD-c", {f_type="EXT2_SUPER_MAGIC", f_bsize=4096, f_blocks=2519771, f_bfree=655765, f_bavail=527765, f_files=640848, f_ffree=409688, f_fsid={-430438761, 1438887161}, f_namelen=255, f_frsize=4096}) = 0 8783 setfsuid(0) = 0 8783 setfsuid(0) = 0 8786 setuid(0 <unfinished ...> 8786 statfs("/root/.xauthfOoY60-c", {f_type="EXT2_SUPER_MAGIC", f_bsize=4096, f_blocks=2519771, f_bfree=655740, f_bavail=527740, f_files=640848, f_ffree=409687, f_fsid={-430438761, 1438887161}, f_namelen=255, f_frsize=4096}) = 0 8787 setreuid(0, 0) = 0 8789 read(5, "4/python2.6/os.pyt\24\0\0\0_make_statvfs_result\335\2\0\0s\2\0\0\0\0\1c\1\0\0\0\3\0\0\0\2\0\0\0C\0\0\0s\34\0\0\0|\0\0i\0\0\203\0\0\\\2\0}\1\0}\2\0t\1\0|\2\0"..., 4096) = 1834 8790 execve("/usr/libexec/abrt-hook-python", ["/usr/libexec/abrt-hook-python", "--pid=8789", "--executable=/usr/share/system-config-display/xconf.py"], [/* 14 vars */] 8790 ("/var/spool/abrt", 0x7fff55516c00) = -1 EACCES (Permission denied) 8790 sendto(3, "<27>May 26 18:42:58 abrt[8790]: statvfs('/var/spool/abrt'): Permission denied", 77, MSG_NOSIGNAL, NULL, 0) = 77 Is it a problem of /usr/libexec/abrt-hook-python not having enough privileges?
Last lines got messed up by copy/paste. Correct ones: 8790 execve("/usr/libexec/abrt-hook-python", ["/usr/libexec/abrt-hook-python", "--pid=8789", "--executable=/usr/share/system-config-display/xconf.py"], [/* 14 vars */] <unfinished ...> 8790 statfs("/var/spool/abrt", 0x7fff55516c00) = -1 EACCES (Permission denied) 8790 sendto(3, "<27>May 26 18:42:58 abrt[8790]: statvfs('/var/spool/abrt'): Permission denied", 77, MSG_NOSIGNAL, NULL, 0) = 77
Dan, we need to add files_search_spool(abrt_helper_t)
Fixed in selinux-policy-3.7.19-22.fc13.noarch
Red Hat Enterprise Linux Beta 2 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.