Bug 679585 - SELinux is preventing /usr/bin/gdb from 'read' accesses on the file macros.imgcreate.
Summary: SELinux is preventing /usr/bin/gdb from 'read' accesses on the file macros.im...
Keywords:
Status: CLOSED DUPLICATE of bug 678134
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:c0abbd3c4f1...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-02-22 22:15 UTC by Flóki Pálsson
Modified: 2011-04-12 17:26 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-02-23 08:21:32 UTC
Type: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Flóki Pálsson 2011-02-22 22:15:32 UTC 
SELinux is preventing /usr/bin/gdb from 'read' accesses on the file macros.imgcreate.

*****  Plugin file (36.8 confidence) suggests  *******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin file (36.8 confidence) suggests  *******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin catchall_labels (23.2 confidence) suggests  ********************

If you want to allow gdb to have read access on the macros.imgcreate file
Then you need to change the label on macros.imgcreate
Do
# semanage fcontext -a -t FILE_TYPE 'macros.imgcreate'
where FILE_TYPE is one of the following: system_dbusd_var_lib_t, afs_cache_t, abrt_helper_exec_t, cgroup_t, policykit_auth_exec_t, selinux_config_t, bin_t, cert_t, lib_t, ld_so_t, usr_t, var_t, wtmp_t, xserver_exec_t, default_context_t, pam_console_exec_t, textrel_shlib_t, sssd_public_t, device_t, hwdata_t, locale_t, var_auth_t, dbusd_exec_t, etc_t, fonts_t, user_fonts_t, user_tmpfs_t, proc_t, rpm_script_tmp_t, sysfs_t, xdm_t, loadkeys_exec_t, xdm_dbusd_t, xdm_spool_t, krb5_keytab_t, fonts_cache_t, ssh_agent_exec_t, plymouthd_var_log_t, system_cronjob_var_lib_t, crack_db_t, ssh_home_t, policykit_var_lib_t, krb5_conf_t, user_tmp_t, xserver_tmpfs_t, iceauth_home_t, plymouth_exec_t, xauth_exec_t, xauth_home_t, alsa_etc_rw_t, auth_cache_t, sysctl_dev_t, sysctl_net_t, xdm_tmpfs_t, rpm_exec_t, security_t, udev_tbl_t, pulseaudio_exec_t, gconf_etc_t, mount_exec_t, shell_exec_t, consolekit_log_t, ld_so_cache_t, pam_exec_t, krb5_home_t, proc_afs_t, var_lib_t, oddjob_mkhomedir_exec_t, xserver_log_t, updpwd_exec_t, dbusd_etc_t, user_home_t, xdm_tmp_t, xserver_t, configfile, domain, userdomain, fusermount_exec_t, rpm_var_cache_t, faillog_t, lastlog_t, proc_net_t, var_log_t, chkpwd_exec_t, policykit_reload_t, xdm_etc_t, xdm_log_t, gnome_home_type, hostname_exec_t, samba_var_t, initrc_var_run_t, abrt_var_run_t, gkeyringd_exec_t, user_cron_spool_t, pam_var_run_t, rpm_var_lib_t, xdm_var_lib_t, xdm_var_run_t, net_conf_t, init_exec_t, anon_inodefs_t, gconf_home_t, etc_runtime_t, sysctl_kernel_t, sysctl_crypto_t, openct_var_run_t, pcscd_var_run_t, alsa_exec_t, xkb_var_lib_t, consoletype_exec_t, shutdown_exec_t, xdm_rw_etc_t, accountsd_var_lib_t, abrt_t, lib_t, xdm_exec_t, xdm_home_t, xdm_lock_t, pam_var_console_t, xsession_exec_t, shell_exec_t, krb5_host_rcache_t, cert_t, security_t, net_conf_t, file_context_t. 
Then execute: 
restorecon -v 'macros.imgcreate'


*****  Plugin catchall (5.04 confidence) suggests  ***************************

If you believe that gdb should be allowed read access on the macros.imgcreate file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gdb /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:file_t:s0
Target Objects                macros.imgcreate [ file ]
Source                        gdb
Source Path                   /usr/bin/gdb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gdb-7.2.50.20110206-19.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.14-2.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38-0.rc5.git1.1.fc15.x86_64 #1 SMP
                              Thu Feb 17 01:49:02 UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    þri 22.feb 2011, 20:46:23 GMT
Last Seen                     þri 22.feb 2011, 20:52:55 GMT
Local ID                      7cb2a31a-5ba5-4ce3-ab0f-a4d40ae9bffd

Raw Audit Messages
type=AVC msg=audit(1298407975.674:609): avc:  denied  { read } for  pid=1439 comm="gdb" name="macros.imgcreate" dev=sdb10 ino=63836 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file


type=SYSCALL msg=audit(1298407975.674:609): arch=x86_64 syscall=open success=no exit=EACCES a0=1b4b4d0 a1=0 a2=1b6 a3=7fec65b6b190 items=0 ppid=1438 pid=1439 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=gdb exe=/usr/bin/gdb subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: gdb,xdm_t,file_t,file,read

audit2allow

#============= xdm_t ==============
allow xdm_t file_t:file read;

audit2allow -R

#============= xdm_t ==============
allow xdm_t file_t:file read;
Comment 1 Miroslav Grepl 2011-02-23 08:21:32 UTC 
You will need to run

# fixfiles restore

*** This bug has been marked as a duplicate of bug 678134 ***
Note You need to log in before you can comment on or make changes to this bug.