Bug 722747 - SELinux is preventing abrt-dump-oops from 'syslog_read' accesses on the system Unknown.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:72a25e0199e...
Reported: 2011-07-17 09:49 UTC by MM Masaeli
Modified: 2016-05-11 18:21 UTC (History)
Doc Type: Bug Fix
Last Closed: 2011-10-08 20:57:39 UTC


Description MM Masaeli 2011-07-17 09:49:36 UTC
SELinux is preventing abrt-dump-oops from 'syslog_read' accesses on the system Unknown.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that abrt-dump-oops should be allowed syslog_read access on the Unknown system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_helper_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ system ]
Source                        abrt-dump-oops
Source Path                   abrt-dump-oops
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-34.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54
                              UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 17 Jul 2011 02:11:14 PM IRDT
Last Seen                     Sun 17 Jul 2011 02:11:14 PM IRDT
Local ID                      8947d70f-9cd4-4e6f-831a-9df3c4cc9081

Raw Audit Messages
type=AVC msg=audit(1310895674.679:11): avc:  denied  { syslog_read } for  pid=1047 comm="abrt-dump-oops" scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system


Hash: abrt-dump-oops,abrt_helper_t,kernel_t,system,syslog_read

audit2allow

#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;

audit2allow -R

#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;

Comment 1 Frederick Grose 2011-07-19 00:34:38 UTC
Just tried to launch google-chrome-unstable-14.0.825.0-92801.x86_64

Comment 2 Daniel Walsh 2011-07-19 12:22:20 UTC
We are working on a policy for abrt-dump-oops in f16, we probably should back port to F15.

Comment 3 Miroslav Grepl 2011-07-19 13:52:16 UTC
I am just testing this policy in f16 and it looks good.

Comment 4 John Armitage 2011-07-21 19:35:25 UTC
Got this when updating the system on a new install.

Comment 5 Daniel Walsh 2011-07-22 20:19:09 UTC
*** Bug 724825 has been marked as a duplicate of this bug. ***

Comment 6 Miroslav Grepl 2011-07-27 11:16:21 UTC
Fixed in selinux-policy-3.9.16-36.fc15

Comment 7 Fedora Update System 2011-08-05 13:59:53 UTC
selinux-policy-3.9.16-37.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-37.fc15

Comment 8 Fedora Update System 2011-08-05 23:56:02 UTC
Package selinux-policy-3.9.16-37.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-37.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-37.fc15
then log in and leave karma (feedback).

Comment 9 Heiko Adams 2011-08-06 09:40:24 UTC
It seems the problem still exists after applying the update and restarting my machine.

Comment 10 Miroslav Grepl 2011-08-08 06:07:37 UTC
What AVC are you getting?

Comment 11 MM Masaeli 2011-08-08 07:44:18 UTC
SELinux is preventing /usr/bin/abrt-dump-oops from syslog_read access on the system Unknown.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that abrt-dump-oops should be allowed syslog_read access on the Unknown system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_helper_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ system ]
Source                        abrt-dump-oops
Source Path                   /usr/bin/abrt-dump-oops
Port                          <Unknown>
Host                          Masood-laptop.Corpsedomain
Source RPM Packages           abrt-addon-kerneloops-2.0.3-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-37.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     Masood-laptop.Corpsedomain
Platform                      Linux Masood-laptop.Corpsedomain
                              2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54
                              UTC 2011 x86_64 x86_64
Alert Count                   5
First Seen                    Sun 07 Aug 2011 11:41:53 PM IRDT
Last Seen                     Mon 08 Aug 2011 12:05:38 PM IRDT
Local ID                      dd7de24b-a90f-4268-b17f-4d3a879b4964

Raw Audit Messages
type=AVC msg=audit(1312788938.457:8): avc:  denied  { syslog_read } for  pid=1006 comm="abrt-dump-oops" scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system


type=SYSCALL msg=audit(1312788938.457:8): arch=x86_64 syscall=syslog success=no exit=EACCES a0=3 a1=2182090 a2=3fff a3=0 items=0 ppid=1 pid=1006 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-dump-oops exe=/usr/bin/abrt-dump-oops subj=system_u:system_r:abrt_helper_t:s0 key=(null)

Hash: abrt-dump-oops,abrt_helper_t,kernel_t,system,syslog_read

audit2allow

#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;

audit2allow -R

#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;
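
How the AVC and SYSCALL records quoted in Comment 11 fit together, as an added example that is not part of the original thread or of any Fedora tool: the two records share one audit event ID (timestamp:serial), and joining them yields the executable, the failed syscall, the comma-joined key shown on the report's `Hash:` line, and the rule audit2allow prints. The function names are hypothetical; the sample input is copied from Comment 11.

```python
import re
from collections import defaultdict

# Sample input: the two records of audit event 1312788938.457:8 from Comment 11.
SAMPLE = '''\
type=AVC msg=audit(1312788938.457:8): avc:  denied  { syslog_read } for  pid=1006 comm="abrt-dump-oops" scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1312788938.457:8): arch=x86_64 syscall=syslog success=no exit=EACCES a0=3 a1=2182090 a2=3fff a3=0 items=0 ppid=1 pid=1006 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-dump-oops exe=/usr/bin/abrt-dump-oops subj=system_u:system_r:abrt_helper_t:s0 key=(null)
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)$')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by event ID: {event_id: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == 'AVC':
            p = PERMS.search(body)
            if not p:
                continue  # AVC record without a permission set
            fields['result'], fields['perms'] = p.group(1), p.group(2).split()
        events[event_id][rtype] = fields
    return events

def se_type(context):
    # The type is the third field of user:role:type[:level].
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else context

def summarize(text):
    """One entry per denied permission, joined with its SYSCALL record if present."""
    out = []
    for event_id, recs in parse_events(text).items():
        avc = recs.get('AVC')
        if not avc or avc['result'] != 'denied':
            continue
        sc = recs.get('SYSCALL', {})
        src, tgt = se_type(avc['scontext']), se_type(avc['tcontext'])
        for perm in avc['perms']:
            out.append({
                'event': event_id, 'exe': sc.get('exe'),
                'syscall': sc.get('syscall'), 'exit': sc.get('exit'),
                'key': ','.join([avc['comm'], src, tgt, avc['tclass'], perm]),
                'rule': f"allow {src} {tgt}:{avc['tclass']} {perm};",
            })
    return out

if __name__ == '__main__':
    print(*summarize(SAMPLE), sep='\n')
```

The source type `abrt_helper_t` in the output is the detail the rest of the thread turns on: the fix that follows relabels the executable rather than installing this allow rule locally.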

Comment 12 Miroslav Grepl 2011-08-08 12:40:54 UTC
Could you try to execute 

# yum reinstall selinux-policy-targeted --enablerepo=updates-testing

and make sure nothing blows up.

Comment 13 Richard Marko 2011-08-08 15:07:36 UTC
Still present, 3.9.16-37 installed.

Comment 14 MM Masaeli 2011-08-08 18:13:24 UTC
(In reply to comment #12)
> Could you try to execute 
> 
> # yum reinstall selinux-policy-targeted --enablerepo=updates-testing
> 
> and make sure nothing blows up.

I executed this, but the problem still occurs!

Comment 15 Fedora Update System 2011-08-12 18:20:04 UTC
Package selinux-policy-3.9.16-38.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-38.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-38.fc15
then log in and leave karma (feedback).

Comment 16 MM Masaeli 2011-08-13 09:04:00 UTC
The new package produces the bug after a restart!
You can see the AVC below. Notice that the Policy RPM is selinux-policy-3.9.16-38.fc15

SELinux is preventing /usr/bin/abrt-dump-oops from syslog_read access on the system Unknown.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that abrt-dump-oops should be allowed syslog_read access on the Unknown system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_helper_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ system ]
Source                        abrt-dump-oops
Source Path                   /usr/bin/abrt-dump-oops
Port                          <Unknown>
Host                          Masood-laptop.Corpsedomain
Source RPM Packages           abrt-addon-kerneloops-2.0.3-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-38.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     Masood-laptop.Corpsedomain
Platform                      Linux Masood-laptop.Corpsedomain
                              2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54
                              UTC 2011 x86_64 x86_64
Alert Count                   18
First Seen                    Sun 07 Aug 2011 11:41:53 PM IRDT
Last Seen                     Sat 13 Aug 2011 01:24:58 PM IRDT
Local ID                      dd7de24b-a90f-4268-b17f-4d3a879b4964

Raw Audit Messages
type=AVC msg=audit(1313225698.372:10): avc:  denied  { syslog_read } for  pid=1042 comm="abrt-dump-oops" scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system


type=SYSCALL msg=audit(1313225698.372:10): arch=x86_64 syscall=syslog success=no exit=EACCES a0=3 a1=bf4090 a2=3fff a3=0 items=0 ppid=1 pid=1042 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-dump-oops exe=/usr/bin/abrt-dump-oops subj=system_u:system_r:abrt_helper_t:s0 key=(null)

Hash: abrt-dump-oops,abrt_helper_t,kernel_t,system,syslog_read

audit2allow

#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;

audit2allow -R

#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;

Comment 17 Daniel Walsh 2011-08-15 11:03:04 UTC
Does 

restorecon -v /usr/bin/abrt-dump-oops 

Change the label of the program?

Comment 18 Oliver Henshaw 2011-08-15 11:47:05 UTC
# ls -Z /usr/bin/abrt-dump-oops 
-rwxr-xr-x. root root system_u:object_r:abrt_helper_exec_t:s0 /usr/bin/abrt-dump-oops
# restorecon -v /usr/bin/abrt-dump-oops
# ls -Z /usr/bin/abrt-dump-oops 
-rwxr-xr-x. root root system_u:object_r:abrt_helper_exec_t:s0 /usr/bin/abrt-dump-oops

Comment 19 Daniel Walsh 2011-08-15 12:15:52 UTC
Ok it looks like the back port did not happen.  

Miroslav can you recheck this.

Comment 20 emsatterlund 2011-08-16 23:26:29 UTC
My bug is fixed, I don't remember what I did to take care of it.  Thanks for the help.  Is there a way to delete this bug report so I no longer see it here?

Comment 22 Miroslav Grepl 2011-08-22 08:28:17 UTC
Definitely my fault. I did not change the label.

# chcon -t /usr/bin/abrt-dump-oops /usr/bin/abrt-dump-oops 

will fix.

Comment 23 bugfinder 2011-08-22 08:42:09 UTC
chcon: failed to change context of `/usr/bin/abrt-dump-oops' to `system_u:object_r:/usr/bin/abrt-dump-oops:s0': Invalid argument

Comment 24 MM Masaeli 2011-08-22 10:27:12 UTC
Bug finder is right.
My system says it too:
chcon: failed to change context of `/usr/bin/abrt-dump-oops' to `system_u:object_r:/usr/bin/abrt-dump-oops:s0': Invalid argument

Comment 25 MM Masaeli 2011-08-22 10:39:58 UTC
But it was fixed after executing these commands:
# chcon -t /usr/bin/abrt-dump-oops /usr/bin/abrt-dump-oops 
# grep chcon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
# chcon -t /usr/bin/abrt-dump-oops /usr/bin/abrt-dump-oops 

but now a new SELinux alert appears here! I'm a little confused :p

Comment 26 Miroslav Grepl 2011-08-22 11:53:41 UTC
Typo, should be

chcon -t abrt_dump_oops_exec_t /usr/bin/abrt-dump-oops

Comment 27 Richard Marko 2011-08-23 12:14:43 UTC
Updating to selinux-policy-3.9.16-38.fc15 is not enough -

chcon -t abrt_dump_oops_exec_t /usr/bin/abrt-dump-oops

solves the problem.

Comment 28 Miroslav Grepl 2011-08-23 12:27:43 UTC
Yes, it will be fixed in selinux-policy-3.9.16-39.fc15

Comment 29 achmad 2011-08-27 07:46:45 UTC
it's helpful

thanks in advance

Comment 30 Chris Trader 2011-09-06 03:36:24 UTC
I got this error while updating my system after a fresh install from LiveUSB.

Comment 31 Miroslav Grepl 2011-09-06 06:57:33 UTC
Yes, a new package will be available as an update soon.

For now, you can fix it using

chcon -t abrt_dump_oops_exec_t /usr/bin/abrt-dump-oops

Comment 32 Fedora Update System 2011-09-07 00:17:14 UTC
selinux-policy-3.9.16-38.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 33 Richard Marko 2011-09-07 11:32:58 UTC
Not fixed in selinux-policy-3.9.16-38.fc15

Comment 34 Daniel Walsh 2011-09-07 18:26:00 UTC
What is not fixed?

What does matchpathcon /usr/bin/abrt-dump-oops

say?

Comment 35 Konstantin Svist 2011-09-07 22:02:33 UTC
Having same issue, selinux-policy-3.9.16-38.fc15

# matchpathcon /usr/bin/abrt-dump-oops
/usr/bin/abrt-dump-oops	system_u:object_r:abrt_helper_exec_t:s0

Comment 36 Miroslav Grepl 2011-09-08 11:41:13 UTC
As I wrote, this is fixed in selinux-policy-3.9.16-39.fc15.

# yum update selinux-policy --enablerepo=updates-testing

Comment 37 Donald Edward Winslow 2011-09-09 03:21:13 UTC
3.9.16-39 is not yet in updates-testing.

Comment 38 Miroslav Grepl 2011-09-09 05:27:59 UTC
If so, you can use the build from koji

http://koji.fedoraproject.org/koji/buildinfo?buildID=262145

Comment 39 Konstantin Svist 2011-09-13 15:28:22 UTC
appears fixed with 3.9.16-39.fc15

Comment 40 GoinEasy9 2011-09-13 23:28:49 UTC
I'm still getting the error with selinux-policy-3.9.16-39.fc15

SELinux is preventing /usr/bin/abrt-dump-oops from syslog_read access on the system Unknown.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that abrt-dump-oops should be allowed syslog_read access on the Unknown system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_helper_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ system ]
Source                        abrt-dump-oops
Source Path                   /usr/bin/abrt-dump-oops
Port                          <Unknown>
Host                          fedora15kde13
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-39.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora15kde13
Platform                      Linux fedora15kde13 2.6.40.4-5.fc15.i686.PAE #1
                              SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686
Alert Count                   70
First Seen                    Mon 18 Jul 2011 11:33:27 AM EDT
Last Seen                     Tue 13 Sep 2011 06:48:16 PM EDT
Local ID                      c62ad7b2-afd1-433c-90bd-8abfee80a956

Raw Audit Messages
type=AVC msg=audit(1315954096.657:13): avc:  denied  { syslog_read } for  pid=1197 comm="abrt-dump-oops" scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system


Hash: abrt-dump-oops,abrt_helper_t,kernel_t,system,syslog_read

audit2allow

#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;

audit2allow -R

#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;


Using the work around, I get the error:

[root@fedora15kde13 GoinEasy9]# grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

[root@fedora15kde13 GoinEasy9]# semodule -i mypol.pp
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
semodule:  Failed!

Comment 41 Miroslav Grepl 2011-09-14 05:31:39 UTC
restorecon -R -v /usr/bin/abrt-dump-oops

will fix it.

Comment 42 Richard Marko 2011-10-08 20:57:39 UTC
Fixed in selinux-policy-3.9.16-39.fc15 (now pushed to stable)

Test running fine, closing.

