722747 – SELinux is preventing abrt-dump-oops from 'syslog_read' accesses on the system Unknown.

Bug 722747 - SELinux is preventing abrt-dump-oops from 'syslog_read' accesses on the system Unknown.

Summary: SELinux is preventing abrt-dump-oops from 'syslog_read' accesses on the syste...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	15
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	setroubleshoot_trace_hash:72a25e0199e...
Duplicates (1):	724825 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-07-17 09:49 UTC by MM Masaeli
Modified:	2016-05-11 18:21 UTC (History)
CC List:	159 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-10-08 20:57:39 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description MM Masaeli 2011-07-17 09:49:36 UTC

SELinux is preventing abrt-dump-oops from 'syslog_read' accesses on the system Unknown.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that abrt-dump-oops should be allowed syslog_read access on the Unknown system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_helper_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ system ]
Source                        abrt-dump-oops
Source Path                   abrt-dump-oops
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-34.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54
                              UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 17 Jul 2011 02:11:14 PM IRDT
Last Seen                     Sun 17 Jul 2011 02:11:14 PM IRDT
Local ID                      8947d70f-9cd4-4e6f-831a-9df3c4cc9081

Raw Audit Messages
type=AVC msg=audit(1310895674.679:11): avc:  denied  { syslog_read } for  pid=1047 comm="abrt-dump-oops" scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system


Hash: abrt-dump-oops,abrt_helper_t,kernel_t,system,syslog_read

audit2allow

#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;

audit2allow -R

#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;

Comment 1 Frederick Grose 2011-07-19 00:34:38 UTC

Just tried to launch google-chrome-unstable-14.0.825.0-92801.x86_64

Comment 2 Daniel Walsh 2011-07-19 12:22:20 UTC

We are working on a policy for abrt-dump-oops in f16, we probably should back port to F15.

Comment 3 Miroslav Grepl 2011-07-19 13:52:16 UTC

I am just testing this policy in f16 and looks good.

Comment 4 John Armitage 2011-07-21 19:35:25 UTC

Got this when updating the system on a new install.

Comment 5 Daniel Walsh 2011-07-22 20:19:09 UTC

*** Bug 724825 has been marked as a duplicate of this bug. ***

Comment 6 Miroslav Grepl 2011-07-27 11:16:21 UTC

Fixed in selinux-policy-3.9.16-36.fc15

Comment 7 Fedora Update System 2011-08-05 13:59:53 UTC

selinux-policy-3.9.16-37.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-37.fc15

Comment 8 Fedora Update System 2011-08-05 23:56:02 UTC

Package selinux-policy-3.9.16-37.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-37.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-37.fc15
then log in and leave karma (feedback).

Comment 9 Heiko Adams 2011-08-06 09:40:24 UTC

It seems the problem still exists after applying the update and restarting my machine.

Comment 10 Miroslav Grepl 2011-08-08 06:07:37 UTC

What AVC are you getting?

Comment 11 MM Masaeli 2011-08-08 07:44:18 UTC

SELinux is preventing /usr/bin/abrt-dump-oops from syslog_read access on the system Unknown.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that abrt-dump-oops should be allowed syslog_read access on the Unknown system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_helper_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ system ]
Source                        abrt-dump-oops
Source Path                   /usr/bin/abrt-dump-oops
Port                          <Unknown>
Host                          Masood-laptop.Corpsedomain
Source RPM Packages           abrt-addon-kerneloops-2.0.3-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-37.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     Masood-laptop.Corpsedomain
Platform                      Linux Masood-laptop.Corpsedomain
                              2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54
                              UTC 2011 x86_64 x86_64
Alert Count                   5
First Seen                    Sun 07 Aug 2011 11:41:53 PM IRDT
Last Seen                     Mon 08 Aug 2011 12:05:38 PM IRDT
Local ID                      dd7de24b-a90f-4268-b17f-4d3a879b4964

Raw Audit Messages
type=AVC msg=audit(1312788938.457:8): avc:  denied  { syslog_read } for  pid=1006 comm="abrt-dump-oops" scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system


type=SYSCALL msg=audit(1312788938.457:8): arch=x86_64 syscall=syslog success=no exit=EACCES a0=3 a1=2182090 a2=3fff a3=0 items=0 ppid=1 pid=1006 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-dump-oops exe=/usr/bin/abrt-dump-oops subj=system_u:system_r:abrt_helper_t:s0 key=(null)

Hash: abrt-dump-oops,abrt_helper_t,kernel_t,system,syslog_read

audit2allow

#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;

audit2allow -R

#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;

Comment 12 Miroslav Grepl 2011-08-08 12:40:54 UTC

Could you try to execute 

# yum reinstall selinux-policy-targeted --enablerepo=updates-testing

and make sure nothinh blows up.

Comment 13 Richard Marko 2011-08-08 15:07:36 UTC

Still present, 3.9.16-37 installed.

Comment 14 MM Masaeli 2011-08-08 18:13:24 UTC

(In reply to comment #12)
> Could you try to execute 
> 
> # yum reinstall selinux-policy-targeted --enablerepo=updates-testing
> 
> and make sure nothinh blows up.

I executed this, but the problem still occurs!

Comment 15 Fedora Update System 2011-08-12 18:20:04 UTC

Package selinux-policy-3.9.16-38.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-38.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-38.fc15
then log in and leave karma (feedback).

Comment 16 MM Masaeli 2011-08-13 09:04:00 UTC

The new package produces the bug after a restarting!
You van see the AVC below. Notice that policy Policy RPM is selinux-policy-3.9.16-38.fc15

SELinux is preventing /usr/bin/abrt-dump-oops from syslog_read access on the system Unknown.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that abrt-dump-oops should be allowed syslog_read access on the Unknown system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_helper_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ system ]
Source                        abrt-dump-oops
Source Path                   /usr/bin/abrt-dump-oops
Port                          <Unknown>
Host                          Masood-laptop.Corpsedomain
Source RPM Packages           abrt-addon-kerneloops-2.0.3-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-38.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     Masood-laptop.Corpsedomain
Platform                      Linux Masood-laptop.Corpsedomain
                              2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54
                              UTC 2011 x86_64 x86_64
Alert Count                   18
First Seen                    Sun 07 Aug 2011 11:41:53 PM IRDT
Last Seen                     Sat 13 Aug 2011 01:24:58 PM IRDT
Local ID                      dd7de24b-a90f-4268-b17f-4d3a879b4964

Raw Audit Messages
type=AVC msg=audit(1313225698.372:10): avc:  denied  { syslog_read } for  pid=1042 comm="abrt-dump-oops" scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system


type=SYSCALL msg=audit(1313225698.372:10): arch=x86_64 syscall=syslog success=no exit=EACCES a0=3 a1=bf4090 a2=3fff a3=0 items=0 ppid=1 pid=1042 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-dump-oops exe=/usr/bin/abrt-dump-oops subj=system_u:system_r:abrt_helper_t:s0 key=(null)

Hash: abrt-dump-oops,abrt_helper_t,kernel_t,system,syslog_read

audit2allow

#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;

audit2allow -R

#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;

Comment 17 Daniel Walsh 2011-08-15 11:03:04 UTC

Does 

restorecon -v /usr/bin/abrt-dump-oops 

Change the label of the program?

Comment 18 Oliver Henshaw 2011-08-15 11:47:05 UTC

# ls -Z /usr/bin/abrt-dump-oops 
-rwxr-xr-x. root root system_u:object_r:abrt_helper_exec_t:s0 /usr/bin/abrt-dump-oops
# restorecon -v /usr/bin/abrt-dump-oops
# ls -Z /usr/bin/abrt-dump-oops 
-rwxr-xr-x. root root system_u:object_r:abrt_helper_exec_t:s0 /usr/bin/abrt-dump-oops

Comment 19 Daniel Walsh 2011-08-15 12:15:52 UTC

Ok it looks like the back port did not happen.  

Miroslav can you recheck this.

Comment 20 emsatterlund 2011-08-16 23:26:29 UTC

My bug is fixed, I don't remember what I did to take care of it.  Thanks for the help.  Is there a way to delete this bug report so I no longer see it here?

Comment 21 emsatterlund 2011-08-16 23:26:50 UTC

My bug is fixed, I don't remember what I did to take care of it.  Thanks for the help.  Is there a way to delete this bug report so I no longer see it here?

Comment 22 Miroslav Grepl 2011-08-22 08:28:17 UTC

Definetely my fault. I did not change the label

# chcon -t /usr/bin/abrt-dump-oops /usr/bin/abrt-dump-oops 

will fix.

Comment 23 bugfinder 2011-08-22 08:42:09 UTC

chcon: failed to change context of `/usr/bin/abrt-dump-oops' to `system_u:object_r:/usr/bin/abrt-dump-oops:s0': Invalid argument

Comment 24 MM Masaeli 2011-08-22 10:27:12 UTC

Bug finder is right.
My system says it too:
chcon: failed to change context of `/usr/bin/abrt-dump-oops' to `system_u:object_r:/usr/bin/abrt-dump-oops:s0': Invalid argument

Comment 25 MM Masaeli 2011-08-22 10:39:58 UTC

But it fixed after executing these commands:
# chcon -t /usr/bin/abrt-dump-oops /usr/bin/abrt-dump-oops 
# grep chcon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
# chcon -t /usr/bin/abrt-dump-oops /usr/bin/abrt-dump-oops 

but now a new SElinux alert appears here! I'm a little confused :p

Comment 26 Miroslav Grepl 2011-08-22 11:53:41 UTC

Typo, should be

chcon -t abrt_dump_oops_exec_t /usr/bin/abrt-dump-oops

Comment 27 Richard Marko 2011-08-23 12:14:43 UTC

Updating to selinux-policy-3.9.16-38.fc15 is not enought -

chcon -t abrt_dump_oops_exec_t /usr/bin/abrt-dump-oops

solves the problem.

Comment 28 Miroslav Grepl 2011-08-23 12:27:43 UTC

Yes,it will fix in selinux-policy-3.9.16-39.fc15

Comment 29 achmad 2011-08-27 07:46:45 UTC

it's helpfull

thanks in advance

Comment 30 Chris Trader 2011-09-06 03:36:24 UTC

I got this error while updating my system after a fresh install from LiveUSB.

Comment 31 Miroslav Grepl 2011-09-06 06:57:33 UTC

Yes, a new package will be available as an update soon.

For now, you can fix it using

chcon -t abrt_dump_oops_exec_t /usr/bin/abrt-dump-oops

Comment 32 Fedora Update System 2011-09-07 00:17:14 UTC

selinux-policy-3.9.16-38.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 33 Richard Marko 2011-09-07 11:32:58 UTC

Not fixed in selinux-policy-3.9.16-38.fc15

Comment 34 Daniel Walsh 2011-09-07 18:26:00 UTC

What is not fixed?

What does matchpathcon /usr/bin/abrt-dump-oops

say?

Comment 35 Konstantin Svist 2011-09-07 22:02:33 UTC

Having same issue, selinux-policy-3.9.16-38.fc15

# matchpathcon /usr/bin/abrt-dump-oops
/usr/bin/abrt-dump-oops	system_u:object_r:abrt_helper_exec_t:s0

Comment 36 Miroslav Grepl 2011-09-08 11:41:13 UTC

How I wrote this is fixed in  selinux-policy-3.9.16-39.fc15.

# yum update selinux-policy --enablerepo=updates-testing

Comment 37 Donald Edward Winslow 2011-09-09 03:21:13 UTC

3.9.16-39 is not yet in updates-testing.

Comment 38 Miroslav Grepl 2011-09-09 05:27:59 UTC

If so, you can use the build from koji

http://koji.fedoraproject.org/koji/buildinfo?buildID=262145

Comment 39 Konstantin Svist 2011-09-13 15:28:22 UTC

appears fixed with 3.9.16-39.fc15

Comment 40 GoinEasy9 2011-09-13 23:28:49 UTC

I'm still getting the error with selinux-policy-3.9.16-39.fc15

SELinux is preventing /usr/bin/abrt-dump-oops from syslog_read access on the system Unknown.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that abrt-dump-oops should be allowed syslog_read access on the Unknown system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_helper_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ system ]
Source                        abrt-dump-oops
Source Path                   /usr/bin/abrt-dump-oops
Port                          <Unknown>
Host                          fedora15kde13
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-39.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora15kde13
Platform                      Linux fedora15kde13 2.6.40.4-5.fc15.i686.PAE #1
                              SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686
Alert Count                   70
First Seen                    Mon 18 Jul 2011 11:33:27 AM EDT
Last Seen                     Tue 13 Sep 2011 06:48:16 PM EDT
Local ID                      c62ad7b2-afd1-433c-90bd-8abfee80a956

Raw Audit Messages
type=AVC msg=audit(1315954096.657:13): avc:  denied  { syslog_read } for  pid=1197 comm="abrt-dump-oops" scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system


Hash: abrt-dump-oops,abrt_helper_t,kernel_t,system,syslog_read

audit2allow

#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;

audit2allow -R

#============= abrt_helper_t ==============
allow abrt_helper_t kernel_t:system syslog_read;


Using the work around, I get the error:

[root@fedora15kde13 GoinEasy9]# grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

[root@fedora15kde13 GoinEasy9]# semodule -i mypol.pp
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
semodule:  Failed!

Comment 41 Miroslav Grepl 2011-09-14 05:31:39 UTC

restorecon -R -v /usr/bin/abrt-dump-oops

will fix it.

Comment 42 Richard Marko 2011-10-08 20:57:39 UTC

Fixed in selinux-policy-3.9.16-39.fc15 (now pushed to stable)

Test running fine, closing.

Note You need to log in before you can comment on or make changes to this bug.

1083479006
abiheiri
ach3com
ADent123
aktigger99645
alezflute
alienv
allen.jaloola
alpha
arifiauo
artishock
artur_lima
aslka126
atuimaginacion
baraary
barbara.xxx1975
bethebeast
bgodusky
blackcode
brad.banko
bugzilla
chris.trader
chrys87
chuongnse91
chydavy
cortocircuit
dami_dami
dan
darron_p
dcelix
denpanagioto
devonjanitz
dew
dlelliott99
doctore
dominick.grift
dungmai145
dwalsh
edosurina
edpsmgr
ekanter
enadir
eric.rannaud
ernschettino
eugenesatterlund
ewaisen
fall.from.eden
fgrose
flama.es
flokip
fry.futurateam
fry.kun
galerienv
g_harika
GoinEasy9
haildmitry
halon.by
hemant.toraskar
hugh.crowther
jamundso
jannhorn
jasonbangbang
jdulaney
jk
jlayton
jmda91
jmikulka
jmoskovc
johasixt
josian2200
julroy67
juniorbenyi
kb6tal
kikus87
knowledgeispower80
kwizart
larieu
laurent.rineau__fedora
le2ka
lemaire_eugene
leonyd.b
linux_03619
little.rascalz
lohithvnm
long
luya
maidenleo2000
mandreou
marbolangos
marco.guazzone
mauricephilips
m-brauer
me
metcalf-butcher.brendon.s
mgrepl
mikey
mjean-bat1991
mnowak
mpdcsu
mrbigdog320
mrnelvin
msava
mvadkert
naoki
nberrehouc
nextgeneration422
nhat.buiduy
nicolas.mailhot
nihar_smily17
nimilsoman
nlminhtl
nomad0227
nomnex
old.uncle.z
oliver.henshaw
oliver.steven
orion520a
pafcu
paul
posti_roska
pouet
raf64flo
rafael.mores
rafiii48
ramayu_sr17
rbwang1225
ribionudabout
rithmns
rob.d.wills
robertop
rockonthemoonfm
rodrigoatique
roman
root.ameen
rtmetz92
rvokal
sdunn2000
sebastian2cortes
sebastian.s.schmidt
seventhguardian
sgallagh
shiv
shnurapet
slawomir.czarko
soldierspain
stlux
stressfreechozeme
support
tap3ahchina
terrance.wickman
turanvural
uckelman
vbudrevic
vg.aetera
vic.uned
vmedrea
willkyc
younissf
zolddombsag