SELinux is preventing abrt-dump-oops from 'syslog_read' accesses on the system Unknown. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that abrt-dump-oops should be allowed syslog_read access on the Unknown system by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:abrt_helper_t:s0 Target Context system_u:system_r:kernel_t:s0 Target Objects Unknown [ system ] Source abrt-dump-oops Source Path abrt-dump-oops Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.9.16-34.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen Sun 17 Jul 2011 02:11:14 PM IRDT Last Seen Sun 17 Jul 2011 02:11:14 PM IRDT Local ID 8947d70f-9cd4-4e6f-831a-9df3c4cc9081 Raw Audit Messages type=AVC msg=audit(1310895674.679:11): avc: denied { syslog_read } for pid=1047 comm="abrt-dump-oops" scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system Hash: abrt-dump-oops,abrt_helper_t,kernel_t,system,syslog_read audit2allow #============= abrt_helper_t ============== allow abrt_helper_t kernel_t:system syslog_read; audit2allow -R #============= abrt_helper_t ============== allow abrt_helper_t kernel_t:system syslog_read;
Just tried to launch google-chrome-unstable-14.0.825.0-92801.x86_64
We are working on a policy for abrt-dump-oops in f16, we probably should back port to F15.
I am just testing this policy in f16 and looks good.
Got this when updating the system on a new install.
*** Bug 724825 has been marked as a duplicate of this bug. ***
Fixed in selinux-policy-3.9.16-36.fc15
selinux-policy-3.9.16-37.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-37.fc15
Package selinux-policy-3.9.16-37.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-37.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-37.fc15 then log in and leave karma (feedback).
It seems the problem still exists after applying the update and restarting my machine.
What AVC are you getting?
SELinux is preventing /usr/bin/abrt-dump-oops from syslog_read access on the system Unknown. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that abrt-dump-oops should be allowed syslog_read access on the Unknown system by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:abrt_helper_t:s0 Target Context system_u:system_r:kernel_t:s0 Target Objects Unknown [ system ] Source abrt-dump-oops Source Path /usr/bin/abrt-dump-oops Port <Unknown> Host Masood-laptop.Corpsedomain Source RPM Packages abrt-addon-kerneloops-2.0.3-1.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-37.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name Masood-laptop.Corpsedomain Platform Linux Masood-laptop.Corpsedomain 2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54 UTC 2011 x86_64 x86_64 Alert Count 5 First Seen Sun 07 Aug 2011 11:41:53 PM IRDT Last Seen Mon 08 Aug 2011 12:05:38 PM IRDT Local ID dd7de24b-a90f-4268-b17f-4d3a879b4964 Raw Audit Messages type=AVC msg=audit(1312788938.457:8): avc: denied { syslog_read } for pid=1006 comm="abrt-dump-oops" scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system type=SYSCALL msg=audit(1312788938.457:8): arch=x86_64 syscall=syslog success=no exit=EACCES a0=3 a1=2182090 a2=3fff a3=0 items=0 ppid=1 pid=1006 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-dump-oops exe=/usr/bin/abrt-dump-oops subj=system_u:system_r:abrt_helper_t:s0 key=(null) Hash: abrt-dump-oops,abrt_helper_t,kernel_t,system,syslog_read audit2allow #============= abrt_helper_t ============== allow abrt_helper_t kernel_t:system syslog_read; audit2allow -R #============= abrt_helper_t ============== allow abrt_helper_t kernel_t:system syslog_read;
Could you try to execute # yum reinstall selinux-policy-targeted --enablerepo=updates-testing and make sure nothinh blows up.
Still present, 3.9.16-37 installed.
(In reply to comment #12) > Could you try to execute > > # yum reinstall selinux-policy-targeted --enablerepo=updates-testing > > and make sure nothinh blows up. I executed this, but the problem still occurs!
Package selinux-policy-3.9.16-38.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-38.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-38.fc15 then log in and leave karma (feedback).
The new package produces the bug after a restarting! You van see the AVC below. Notice that policy Policy RPM is selinux-policy-3.9.16-38.fc15 SELinux is preventing /usr/bin/abrt-dump-oops from syslog_read access on the system Unknown. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that abrt-dump-oops should be allowed syslog_read access on the Unknown system by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:abrt_helper_t:s0 Target Context system_u:system_r:kernel_t:s0 Target Objects Unknown [ system ] Source abrt-dump-oops Source Path /usr/bin/abrt-dump-oops Port <Unknown> Host Masood-laptop.Corpsedomain Source RPM Packages abrt-addon-kerneloops-2.0.3-1.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-38.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name Masood-laptop.Corpsedomain Platform Linux Masood-laptop.Corpsedomain 2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54 UTC 2011 x86_64 x86_64 Alert Count 18 First Seen Sun 07 Aug 2011 11:41:53 PM IRDT Last Seen Sat 13 Aug 2011 01:24:58 PM IRDT Local ID dd7de24b-a90f-4268-b17f-4d3a879b4964 Raw Audit Messages type=AVC msg=audit(1313225698.372:10): avc: denied { syslog_read } for pid=1042 comm="abrt-dump-oops" scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system type=SYSCALL msg=audit(1313225698.372:10): arch=x86_64 syscall=syslog success=no exit=EACCES a0=3 a1=bf4090 a2=3fff a3=0 items=0 ppid=1 pid=1042 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-dump-oops exe=/usr/bin/abrt-dump-oops subj=system_u:system_r:abrt_helper_t:s0 key=(null) Hash: abrt-dump-oops,abrt_helper_t,kernel_t,system,syslog_read audit2allow #============= abrt_helper_t ============== allow abrt_helper_t kernel_t:system syslog_read; audit2allow -R #============= abrt_helper_t ============== allow abrt_helper_t kernel_t:system syslog_read;
Does restorecon -v /usr/bin/abrt-dump-oops Change the label of the program?
# ls -Z /usr/bin/abrt-dump-oops -rwxr-xr-x. root root system_u:object_r:abrt_helper_exec_t:s0 /usr/bin/abrt-dump-oops # restorecon -v /usr/bin/abrt-dump-oops # ls -Z /usr/bin/abrt-dump-oops -rwxr-xr-x. root root system_u:object_r:abrt_helper_exec_t:s0 /usr/bin/abrt-dump-oops
Ok it looks like the back port did not happen. Miroslav can you recheck this.
My bug is fixed, I don't remember what I did to take care of it. Thanks for the help. Is there a way to delete this bug report so I no longer see it here?
Definetely my fault. I did not change the label # chcon -t /usr/bin/abrt-dump-oops /usr/bin/abrt-dump-oops will fix.
chcon: failed to change context of `/usr/bin/abrt-dump-oops' to `system_u:object_r:/usr/bin/abrt-dump-oops:s0': Invalid argument
Bug finder is right. My system says it too: chcon: failed to change context of `/usr/bin/abrt-dump-oops' to `system_u:object_r:/usr/bin/abrt-dump-oops:s0': Invalid argument
But it fixed after executing these commands: # chcon -t /usr/bin/abrt-dump-oops /usr/bin/abrt-dump-oops # grep chcon /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp # chcon -t /usr/bin/abrt-dump-oops /usr/bin/abrt-dump-oops but now a new SElinux alert appears here! I'm a little confused :p
Typo, should be chcon -t abrt_dump_oops_exec_t /usr/bin/abrt-dump-oops
Updating to selinux-policy-3.9.16-38.fc15 is not enought - chcon -t abrt_dump_oops_exec_t /usr/bin/abrt-dump-oops solves the problem.
Yes,it will fix in selinux-policy-3.9.16-39.fc15
it's helpfull thanks in advance
I got this error while updating my system after a fresh install from LiveUSB.
Yes, a new package will be available as an update soon. For now, you can fix it using chcon -t abrt_dump_oops_exec_t /usr/bin/abrt-dump-oops
selinux-policy-3.9.16-38.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
Not fixed in selinux-policy-3.9.16-38.fc15
What is not fixed? What does matchpathcon /usr/bin/abrt-dump-oops say?
Having same issue, selinux-policy-3.9.16-38.fc15 # matchpathcon /usr/bin/abrt-dump-oops /usr/bin/abrt-dump-oops system_u:object_r:abrt_helper_exec_t:s0
How I wrote this is fixed in selinux-policy-3.9.16-39.fc15. # yum update selinux-policy --enablerepo=updates-testing
3.9.16-39 is not yet in updates-testing.
If so, you can use the build from koji http://koji.fedoraproject.org/koji/buildinfo?buildID=262145
appears fixed with 3.9.16-39.fc15
I'm still getting the error with selinux-policy-3.9.16-39.fc15 SELinux is preventing /usr/bin/abrt-dump-oops from syslog_read access on the system Unknown. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that abrt-dump-oops should be allowed syslog_read access on the Unknown system by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:abrt_helper_t:s0 Target Context system_u:system_r:kernel_t:s0 Target Objects Unknown [ system ] Source abrt-dump-oops Source Path /usr/bin/abrt-dump-oops Port <Unknown> Host fedora15kde13 Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.9.16-39.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name fedora15kde13 Platform Linux fedora15kde13 2.6.40.4-5.fc15.i686.PAE #1 SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686 Alert Count 70 First Seen Mon 18 Jul 2011 11:33:27 AM EDT Last Seen Tue 13 Sep 2011 06:48:16 PM EDT Local ID c62ad7b2-afd1-433c-90bd-8abfee80a956 Raw Audit Messages type=AVC msg=audit(1315954096.657:13): avc: denied { syslog_read } for pid=1197 comm="abrt-dump-oops" scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system Hash: abrt-dump-oops,abrt_helper_t,kernel_t,system,syslog_read audit2allow #============= abrt_helper_t ============== allow abrt_helper_t kernel_t:system syslog_read; audit2allow -R #============= abrt_helper_t ============== allow abrt_helper_t kernel_t:system syslog_read; Using the work around, I get the error: [root@fedora15kde13 GoinEasy9]# grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol ******************** IMPORTANT *********************** To make this policy package active, execute: semodule -i mypol.pp [root@fedora15kde13 GoinEasy9]# semodule -i mypol.pp libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory). semodule: Failed!
restorecon -R -v /usr/bin/abrt-dump-oops will fix it.
Fixed in selinux-policy-3.9.16-39.fc15 (now pushed to stable) Test running fine, closing.