Bug 599648 - O SELinux está impedindo o acesso a /usr/sbin/abrtd "remove_name" on ccpp-1275570766-2137.lock
O SELinux está impedindo o acesso a /usr/sbin/abrtd "remove_name" on ccp...
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:558106ccf9f...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-06-03 13:08 EDT by gelo
Modified: 2010-09-23 13:11 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-06-03 16:39:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description gelo 2010-06-03 13:08:20 EDT
Sumário:

O SELinux está impedindo o acesso a /usr/sbin/abrtd "remove_name" on
ccpp-1275570766-2137.lock

Descrição detalhada:

[SElinux está em modo permissivo. Esse acesso não foi negado.]

O SELinux impediu o acesso requisitado pelo abrtd. Não é comum que este acesso
seja requisitado pelo abrtd e isto pode indicar uma tentativa de intrusão.
Também é possível que a versão ou configuração específicas do aplicativo
estejam fazendo com que o mesmo requisite o acesso adicio

Permitindo acesso:

Você pode gerar um módulo de política local para permitir este acesso - veja
o FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Por favor,
registre um relatório de erro.

Informações adicionais:

Contexto de origem            system_u:system_r:abrt_t:s0
Contexto de destino           system_u:object_r:var_spool_t:s0
Objetos de destino            ccpp-1275570766-2137.lock [ dir ]
Origem                        abrtd
Caminho da origem             /usr/sbin/abrtd
Porta                         <Desconhecido>
Máquina                      (removido)
Pacotes RPM de origem         abrt-1.1.4-1.fc14
Pacotes RPM de destino        
RPM da política              selinux-policy-3.8.1-4.fc14
Selinux habilitado            True
Tipo de política             targeted
Modo reforçado               Permissive
Nome do plugin                catchall
Nome da máquina              (removido)
Plataforma                    Linux (removido) 2.6.32.11-99.fc12.x86_64 #1 SMP Mon
                              Apr 5 19:59:38 UTC 2010 x86_64 x86_64
Contador de alertas           12
Visto pela primeira vez em    Qui 03 Jun 2010 10:16:10 BRT
Visto pela última vez em     Qui 03 Jun 2010 10:28:21 BRT
ID local                      69c60872-5182-4d3e-b240-83b6dd6e4f23
Números de linha             

Mensagens de auditoria não p 

node=(removido) type=AVC msg=audit(1275571701.332:44): avc:  denied  { remove_name } for  pid=1781 comm="abrtd" name="ccpp-1275570766-2137.lock" dev=sda2 ino=161605 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir

node=(removido) type=AVC msg=audit(1275571701.332:44): avc:  denied  { unlink } for  pid=1781 comm="abrtd" name="ccpp-1275570766-2137.lock" dev=sda2 ino=161605 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=lnk_file

node=(removido) type=SYSCALL msg=audit(1275571701.332:44): arch=c000003e syscall=87 success=yes exit=0 a0=1860748 a1=7f23c4e3d7c7 a2=1860730 a3=2d36363730373535 items=0 ppid=1 pid=1781 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe="/usr/sbin/abrtd" subj=system_u:system_r:abrt_t:s0 key=(null)



Hash String generated from  catchall,abrtd,abrt_t,var_spool_t,dir,remove_name
audit2allow suggests:

#============= abrt_t ==============
allow abrt_t var_spool_t:dir remove_name;
allow abrt_t var_spool_t:lnk_file unlink;
Comment 1 Daniel Walsh 2010-06-03 16:39:10 EDT
restorecon -R -v /var/spool
Comment 2 Garrett Mitchener 2010-09-17 08:55:10 EDT
Can we re-open this?  I just removed abrt, reinstalled it, and I'm already getting message that it doesn't have permission to change /var/spool/abrt etc.

From /var/log/messages:

Sep 17 08:48:14 localhost setroubleshoot: SELinux is preventing /usr/sbin/abrtd 
"read" access on /var/spool/abrt. For complete SELinux messages. run sealert -l 
93c54708-1555-4664-ad9c-fa8993491929
Sep 17 08:48:14 localhost setroubleshoot: SELinux is preventing /usr/sbin/abrtd 
"unlink" access on abrt.socket. For complete SELinux messages. run sealert -l dd
0ffb70-19ba-47a8-b760-d149e313a171

...

[root@grograman]# sealert -l 93c54708-1555-4664-ad9c-fa8993491929

Summary:

SELinux is preventing /usr/sbin/abrtd "read" access on /var/spool/abrt.

Detailed Description:

[abrtd has a permissive type (abrt_t). This access was not denied.]

SELinux denied access requested by abrtd. It is not expected that this access is
required by abrtd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:abrt_t:SystemLow-SystemHigh
Target Context                system_u:object_r:var_spool_t:SystemLow
Target Objects                /var/spool/abrt [ dir ]
Source                        abrtd
Source Path                   /usr/sbin/abrtd
Port                          <Unknown>
Host                          grograman
Source RPM Packages           abrt-1.1.13-2.fc13
Target RPM Packages           abrt-1.1.13-2.fc13
Policy RPM                    selinux-policy-3.7.19-54.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     grograman
Platform                      Linux grograman 2.6.34.6-54.fc13.x86_64 #1 SMP Sun
                              Sep 5 17:16:27 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Fri Sep 17 08:48:11 2010
Last Seen                     Fri Sep 17 08:48:33 2010
Local ID                      93c54708-1555-4664-ad9c-fa8993491929
Line Numbers                  

Raw Audit Messages            

node=grograman type=AVC msg=audit(1284727713.749:51399): avc:  denied  { read } for  pid=25998 comm="abrtd" name="abrt" dev=dm-1 ino=20972161 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir

node=grograman type=SYSCALL msg=audit(1284727713.749:51399): arch=c000003e syscall=2 success=yes exit=12 a0=7fffc33769d0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=25998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="abrtd" exe="/usr/sbin/abrtd" subj=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)


I've tried restorecon, and it makes no changes.  This is what I see:

[root@grograman]# ls -lZ /var/spool/
drwxr-xr-x. abrt   abrt   system_u:object_r:var_spool_t:SystemLow abrt
drwx------. abrt   abrt   system_u:object_r:var_spool_t:SystemLow abrt-upload
...

Somewhere some security context is wrong and I can't figure out how to fix it...
Comment 3 Daniel Walsh 2010-09-17 09:39:06 EDT
Could you execute

yum reinstall selinux-policy-targeted 

And tell me if it works correctly.

Then execute 

restorecon -R -v /var/spool

You should see something like

 matchpathcon /var/spool/abrt
/var/spool/abrt	system_u:object_r:abrt_var_cache_t:s0
Comment 4 Garrett Mitchener 2010-09-17 11:06:40 EDT
Can we re-open this?  I just removed abrt, reinstalled it, and I'm already getting message that it doesn't have permission to change /var/spool/abrt etc.

From /var/log/messages:

Sep 17 08:48:14 localhost setroubleshoot: SELinux is preventing /usr/sbin/abrtd 
"read" access on /var/spool/abrt. For complete SELinux messages. run sealert -l 
93c54708-1555-4664-ad9c-fa8993491929
Sep 17 08:48:14 localhost setroubleshoot: SELinux is preventing /usr/sbin/abrtd 
"unlink" access on abrt.socket. For complete SELinux messages. run sealert -l dd
0ffb70-19ba-47a8-b760-d149e313a171

...

[root@grograman]# sealert -l 93c54708-1555-4664-ad9c-fa8993491929

Summary:

SELinux is preventing /usr/sbin/abrtd "read" access on /var/spool/abrt.

Detailed Description:

[abrtd has a permissive type (abrt_t). This access was not denied.]

SELinux denied access requested by abrtd. It is not expected that this access is
required by abrtd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:abrt_t:SystemLow-SystemHigh
Target Context                system_u:object_r:var_spool_t:SystemLow
Target Objects                /var/spool/abrt [ dir ]
Source                        abrtd
Source Path                   /usr/sbin/abrtd
Port                          <Unknown>
Host                          grograman
Source RPM Packages           abrt-1.1.13-2.fc13
Target RPM Packages           abrt-1.1.13-2.fc13
Policy RPM                    selinux-policy-3.7.19-54.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     grograman
Platform                      Linux grograman 2.6.34.6-54.fc13.x86_64 #1 SMP Sun
                              Sep 5 17:16:27 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Fri Sep 17 08:48:11 2010
Last Seen                     Fri Sep 17 08:48:33 2010
Local ID                      93c54708-1555-4664-ad9c-fa8993491929
Line Numbers                  

Raw Audit Messages            

node=grograman type=AVC msg=audit(1284727713.749:51399): avc:  denied  { read } for  pid=25998 comm="abrtd" name="abrt" dev=dm-1 ino=20972161 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir

node=grograman type=SYSCALL msg=audit(1284727713.749:51399): arch=c000003e syscall=2 success=yes exit=12 a0=7fffc33769d0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=25998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="abrtd" exe="/usr/sbin/abrtd" subj=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)


I've tried restorecon, and it makes no changes.  This is what I see:

[root@grograman]# ls -lZ /var/spool/
drwxr-xr-x. abrt   abrt   system_u:object_r:var_spool_t:SystemLow abrt
drwx------. abrt   abrt   system_u:object_r:var_spool_t:SystemLow abrt-upload
...

Somewhere some security context is wrong and I can't figure out how to fix it...
Comment 5 Daniel Walsh 2010-09-17 12:06:33 EDT
Did you do what I asked?

https://bugzilla.redhat.com/show_bug.cgi?id=599648#c3
Comment 6 Garrett Mitchener 2010-09-20 12:15:25 EDT
If I reinstall the policy, I get this error message:

[root@grograman]# yum reinstall selinux-policy-targeted
Loaded plugins: fastestmirror, presto, priorities, protectbase, refresh-
              : packagekit, versionlock
Setting up Reinstall Process
Loading mirror speeds from cached hostfile
 * fedora: hpc.arc.georgetown.edu
 * fedora-32: hpc.arc.georgetown.edu
 * fedora-32-updates: hpc.arc.georgetown.edu
 * rpmfusion-free: mirror.liberty.edu
 * rpmfusion-free-updates: mirror.liberty.edu
 * rpmfusion-nonfree: mirror.liberty.edu
 * rpmfusion-nonfree-updates: mirror.liberty.edu
 * updates: hpc.arc.georgetown.edu
0 packages excluded due to repository protections
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy-targeted.noarch 0:3.7.19-54.fc13 set to be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                   Arch     Version           Repository           Size
================================================================================
Reinstalling:
 selinux-policy-targeted   noarch   3.7.19-54.fc13    fedora-32-updates   2.3 M

Transaction Summary
================================================================================
Reinstall     1 Package(s)

Total download size: 2.3 M
Installed size: 2.6 M
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
Processing delta metadata
Package(s) data still to download: 2.3 M
selinux-policy-targeted-3.7.19-54.fc13.noarch.rpm        | 2.3 MB     00:02     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : selinux-policy-targeted-3.7.19-54.fc13.noarch            1/1 
libsepol.expand_terule_helper: duplicate TE rule for init_t httpd_exec_t:process httpd_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!

Installed:
  selinux-policy-targeted.noarch 0:3.7.19-54.fc13                               

Complete!

Then the restorecon command seems to do nothing, and /var/spool is like it was before.
Comment 7 Garrett Mitchener 2010-09-20 12:24:03 EDT
These might be related: Bug #570912, Bug #579553

But I don't have any of these 389 packages installed, and that policy bug was supposedly patched several versions ago...?
Comment 8 Daniel Walsh 2010-09-22 12:19:41 EDT
Do you have that ldap package installed?
Comment 9 Garrett Mitchener 2010-09-22 13:34:27 EDT
[root@grograman]# rpm -qa | grep -i ldap
apr-util-ldap-1.3.9-3.fc13.x86_64
openldap-2.4.21-10.fc13.i686
openldap-devel-2.4.21-10.fc13.x86_64
nss_ldap-264-10.fc13.x86_64
python-ldap-2.3.10-1.fc13.x86_64
openldap-2.4.21-10.fc13.x86_64
Comment 10 Garrett Mitchener 2010-09-22 13:47:09 EDT
I don't know if this makes a difference, but there are a lot of files in my /etc/selinux that don't belong to any rpm package according to rpm -qf. Most of them are files like this:

/etc/selinux/targeted/modules/active/modules/apache.pp


[root@grograman]# ls -l /etc/selinux/targeted/modules/active/modules/apache.pp
-rw-------. 1 root root 24048 Jul 22 21:43 /etc/selinux/targeted/modules/active/modules/apache.pp

and I don't know if these are used by the selinux system and just not registered with rpm, or if I should get rid of them because they duplicate something...?
Comment 11 Daniel Walsh 2010-09-22 16:14:02 EDT
semodule -l 

To list all packages.  Something is screwed up on your system.

You can do the following to fix it up.


# setenforce 0
# rm -rf /etc/selinux/targeted/modules
# yum reinstall selinux-policy-targeted
# restorecon -R -v /etc/selinux
# setenforce 1
Comment 12 Garrett Mitchener 2010-09-23 13:11:01 EDT
Okay, I tried the sequence of commands you listed in comment #11.  That seems to have fixed the problem.  I then ran restorecon on the whole file system, and it made many changes, including to /var/spool/abrtd*.  Something must have gone wrong before now that kept the policy package from getting updated properly.  I've been running all day with no security complaints.

Thank you very much!

Note You need to log in before you can comment on or make changes to this bug.