Bug 739883 - SELinux is preventing /usr/sbin/abrtd from 'create' access on the lnk_file .lock
Summary: SELinux is preventing /usr/sbin/abrtd from 'create' access on the lnk_file .lock
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard: abrt_hash:bb6a870a99e5fe637767231e2a0...
Depends On:
Blocks: 671354
TreeView+ depends on / blocked
 
Reported: 2011-09-20 10:33 UTC by Michal Nowak
Modified: 2013-03-08 02:12 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.7.19-113.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 10:19:16 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1511 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-12-06 00:39:17 UTC

Description Michal Nowak 2011-09-20 10:33:37 UTC
abrt version: 2.0.5
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         2.6.32-198.el6.x86_64
reason:         SELinux is preventing /usr/sbin/abrtd from 'create' accesses on the lnk_file .lock.
time:           Tue Sep 20 12:33:22 2011

description:
:SELinux is preventing /usr/sbin/abrtd from 'create' accesses on the lnk_file .lock.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that abrtd should be allowed create access on the .lock lnk_file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep abrtd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:system_r:abrt_t:s0-s0:c0.c1023
:Target Context                unconfined_u:object_r:abrt_tmp_t:s0
:Target Objects                .lock [ lnk_file ]
:Source                        abrtd
:Source Path                   /usr/sbin/abrtd
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           abrt-2.0.4-10.el6
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.7.19-110.el6
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed)
:                              2.6.32-198.el6.x86_64 #1 SMP Thu Sep 15 23:40:38
:                              EDT 2011 x86_64 x86_64
:Alert Count                   2
:First Seen                    Tue 20 Sep 2011 12:25:15 PM CEST
:Last Seen                     Tue 20 Sep 2011 12:25:15 PM CEST
:Local ID                      9fc886dd-810b-4b02-a7e2-35869a9604a9
:
:Raw Audit Messages
:type=AVC msg=audit(1316514315.268:2195): avc:  denied  { create } for  pid=27543 comm="abrtd" name=".lock" scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:abrt_tmp_t:s0 tclass=lnk_file
:
:
:type=SYSCALL msg=audit(1316514315.268:2195): arch=x86_64 syscall=symlink success=no exit=EACCES a0=7fff2365a210 a1=7fff2365a1b0 a2=353435 a3=fffffffffffffff0 items=0 ppid=1 pid=27543 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=abrtd exe=/usr/sbin/abrtd subj=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
:
:Hash: abrtd,abrt_t,abrt_tmp_t,lnk_file,create
:
:audit2allow
:
:#============= abrt_t ==============
:allow abrt_t abrt_tmp_t:lnk_file create;
:
:audit2allow -R
:
:#============= abrt_t ==============
:allow abrt_t abrt_tmp_t:lnk_file create;
:

Comment 1 Michal Nowak 2011-09-20 10:38:50 UTC
I set 

  DumpLocation = /tmp/abrt

and let abrt to create the dir. It got following context:

  drwxr-xr-x. abrt abrt unconfined_u:object_r:abrt_tmp_t:s0 /tmp/abrt

When I crashed app and waited for being processed, I got AVC (comment #0) and following in /var/log/messages:

abrtd: Can't access '/tmp/abrt/ccpp-2011-09-20-12:24:39-27545': Permission denied
abrtd: Corrupted or bad dump /tmp/abrt/ccpp-2011-09-20-12:24:39-27545 (res:2), deleting
abrtd: Can't access '/tmp/abrt/ccpp-2011-09-20-12:24:39-27545': Permission denied
setroubleshoot: SELinux is preventing /usr/sbin/abrtd from create access on the lnk_file .lock. For complete SELinux messages. run sealert -l 9fc886dd-810b-4b02-a7e2-35869a9604a9
setroubleshoot: SELinux is preventing /usr/sbin/abrtd from create access on the lnk_file .lock. For complete SELinux messages. run sealert -l 9fc886dd-810b-4b02-a7e2-35869a9604a9

Comment 3 Miroslav Grepl 2011-09-20 10:57:57 UTC
Well, this is not the default location and in this case when you change the default location, you need to allow it using a local policy. 

I could add this to the default policy but I don't like idea to have it in the /tmp dir.

Comment 4 Jiri Moskovcak 2011-09-20 11:03:50 UTC
(In reply to comment #3)
> Well, this is not the default location and in this case when you change the
> default location, you need to allow it using a local policy. 
> 
> I could add this to the default policy but I don't like idea to have it in the
> /tmp dir.

- Sure, it was caused by lack of documentation, we need to warn users, that this will happen if they change the defaults and they have to take care about it themselves...

Comment 5 Daniel Walsh 2011-09-20 15:50:06 UTC
Miroslav lets add

manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)

If we allow the creation of the file and directory not much reason to prevent the link.

Comment 6 Miroslav Grepl 2011-09-21 12:52:25 UTC
I am fine with that. 

I just wanted to let know ABRT guyes, it should be probably documented.

I mean

DumpLocation = /tmp/abrt

Comment 11 errata-xmlrpc 2011-12-06 10:19:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html


Note You need to log in before you can comment on or make changes to this bug.