Summary: SELinux is preventing gdb "read" access on /usr/lib64/httpd/modules/mod_authz_groupfile.so. Detailed Description: SELinux denied access requested by gdb. It is not expected that this access is required by gdb and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context system_u:system_r:abrt_t:s0-s0:c0.c1023 Target Context system_u:object_r:httpd_modules_t:s0 Target Objects /usr/lib64/httpd/modules/mod_authz_groupfile.so [ file ] Source eu-unstrip Source Path /usr/bin/eu-unstrip Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages httpd-2.2.15-1.fc13 Policy RPM selinux-policy-3.7.19-39.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name (removed) Platform Linux (removed) 2.6.33.6-147.fc13.x86_64 #1 SMP Tue Jul 6 22:32:17 UTC 2010 x86_64 x86_64 Alert Count 223 First Seen Fri 30 Jul 2010 02:43:52 PM CDT Last Seen Fri 30 Jul 2010 02:54:18 PM CDT Local ID ffd39497-c1ce-4cd0-9777-9a4badd9e204 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1280519658.107:46317): avc: denied { read } for pid=7129 comm="gdb" name="mod_authz_groupfile.so" dev=sda2 ino=656090 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file Hash String generated from catchall,eu-unstrip,abrt_t,httpd_modules_t,file,read audit2allow suggests: #============= abrt_t ============== allow abrt_t httpd_modules_t:file read;
I was trying to generate a bug report on ABRT against httpd. The automated install of debuginfo packages failed, and ABRT instructed me to manually install the debuginfo packages and then refresh the backtrace. I did so, but when I refreshed the backtrace, the AVC denial came up, and the ABRT dialog box still indicated that debuginfo packages were not properly installed.
We should allow this.
Fixed in selinux-policy-3.7.19-43.fc13.noarch.
selinux-policy-3.7.19-44.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-44.fc13
selinux-policy-3.7.19-44.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-44.fc13
selinux-policy-3.7.19-44.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.