Bug 739862 - SELinux is preventing /usr/sbin/abrtd from 'setattr' accesses on the directory abrt.
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: x86_64
OS: Unspecified
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Whiteboard: abrt_hash:5e0b226f0685c07966df6192adb...
Depends On:
Blocks: 671354
Reported: 2011-09-20 08:49 UTC by Michal Nowak
Modified: 2013-03-08 02:12 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-09-20 10:32:46 UTC

Description Michal Nowak 2011-09-20 08:49:17 UTC
abrt version: 2.0.5
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         2.6.32-198.el6.x86_64
reason:         SELinux is preventing /usr/sbin/abrtd from 'setattr' accesses on the directory abrt.
time:           Tue Sep 20 10:48:59 2011

:SELinux is preventing /usr/sbin/abrtd from 'setattr' accesses on the directory abrt.
:*****  Plugin catchall (100. confidence) suggests  ***************************
:If you believe that abrtd should be allowed setattr access on the abrt directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:allow this access for now by executing:
:# grep abrtd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:Additional Information:
:Source Context                unconfined_u:system_r:abrt_t:s0-s0:c0.c1023
:Target Context                unconfined_u:object_r:user_tmp_t:s0
:Target Objects                abrt [ dir ]
:Source                        abrtd
:Source Path                   /usr/sbin/abrtd
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           abrt-2.0.4-10.el6
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.7.19-110.el6
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed)
:                              2.6.32-198.el6.x86_64 #1 SMP Thu Sep 15 23:40:38
:                              EDT 2011 x86_64 x86_64
:Alert Count                   1
:First Seen                    Tue 20 Sep 2011 10:48:44 AM CEST
:Last Seen                     Tue 20 Sep 2011 10:48:44 AM CEST
:Local ID                      e5301bbc-2bc9-4325-be4c-74a49545963a
:Raw Audit Messages
:type=AVC msg=audit(1316508524.356:1871): avc:  denied  { setattr } for  pid=23982 comm="abrtd" name="abrt" dev=dm-0 ino=89965 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
:type=SYSCALL msg=audit(1316508524.356:1871): arch=x86_64 syscall=chown success=no exit=EACCES a0=11452c0 a1=ad a2=ad a3=7fffcca3ff20 items=0 ppid=23981 pid=23982 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=abrtd exe=/usr/sbin/abrtd subj=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
:Hash: abrtd,abrt_t,user_tmp_t,dir,setattr
:#============= abrt_t ==============
:allow abrt_t user_tmp_t:dir setattr;
:audit2allow -R
:#============= abrt_t ==============
:allow abrt_t user_tmp_t:dir setattr;

Comment 1 Michal Nowak 2011-09-20 08:51:12 UTC
I got this by setting 

  DumpLocation = /tmp/abrt

in abrt.conf and then restarting the `abrt-ccpp' & `abrtd' services; the AVC happened on the latter one.

Comment 3 Michal Nowak 2011-09-20 08:54:09 UTC
[newman@dhcp-25-35 ~]$ sudo service abrt-ccpp restart
[newman@dhcp-25-35 ~]$ sudo service abrtd restart
Stopping abrt daemon:                                      [  OK  ]
Starting abrt daemon: abrtd: Failed to start: got sig 17

Comment 4 Michal Nowak 2011-09-20 10:32:10 UTC
Withdrawing. Was my fault. I should let abrt create the DUMP_DIR on its own, not create it by hand.
