Hide Forgot
SELinux is preventing /usr/bin/eu-unstrip from 'read' accesses on the directory /usr/lib/debug/usr/lib/gdk-pixbuf-2.0/2.10.0/loaders. ***** Plugin catchall_labels (83.8 confidence) suggests ******************** If you want to allow eu-unstrip to have read access on the loaders directory Then you need to change the label on /usr/lib/debug/usr/lib/gdk-pixbuf-2.0/2.10.0/loaders Do # semanage fcontext -a -t FILE_TYPE '/usr/lib/debug/usr/lib/gdk-pixbuf-2.0/2.10.0/loaders' where FILE_TYPE is one of the following: dbusd_etc_t, var_run_t, var_spool_t, modules_object_t, abrt_tmp_t, var_lib_t, var_run_t, configfile, domain, rpm_var_cache_t, abrt_var_cache_t, proc_net_t, abrt_etc_t, var_log_t, abrt_var_log_t, rpm_var_lib_t, rpm_var_run_t, net_conf_t, inotifyfs_t, sysctl_crypto_t, abrt_var_run_t, sysctl_kernel_t, httpd_modules_t, abrt_t, lib_t, root_t, nsplugin_rw_t, usr_t, device_t, etc_t, abrt_t, bin_t, cert_t, lib_t, tmp_t, usr_t, var_t, device_t, devpts_t, locale_t, nsplugin_home_t, textrel_shlib_t, etc_t, nfs_t, proc_t, sysfs_t, root_t. Then execute: restorecon -v '/usr/lib/debug/usr/lib/gdk-pixbuf-2.0/2.10.0/loaders' ***** Plugin catchall (17.1 confidence) suggests *************************** If you believe that eu-unstrip should be allowed read access on the loaders directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep eu-unstrip /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:abrt_t:s0-s0:c0.c1023 Target Context unconfined_u:object_r:mnt_t:s0 Target Objects /usr/lib/debug/usr/lib/gdk- pixbuf-2.0/2.10.0/loaders [ dir ] Source eu-unstrip Source Path /usr/bin/eu-unstrip Port <Unknown> Host (removed) Source RPM Packages elfutils-0.152-1.fc15 Target RPM Packages gdk-pixbuf2-debuginfo-2.23.3-2.fc15 Policy RPM selinux-policy-3.9.16-48.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.41.4-1.fc15.i686.PAE #1 SMP Tue Nov 29 11:47:02 UTC 2011 i686 i686 Alert Count 1 First Seen Wed 11 Jan 2012 11:02:20 PM CET Last Seen Wed 11 Jan 2012 11:02:20 PM CET Local ID ddb1da50-1664-40cc-96bc-519647f9dbe8 Raw Audit Messages type=AVC msg=audit(1326319340.568:3468): avc: denied { read } for pid=17909 comm="eu-unstrip" name="loaders" dev=sda6 ino=524561 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=dir type=SYSCALL msg=audit(1326319340.568:3468): arch=i386 syscall=open success=no exit=EACCES a0=929bb40 a1=8000 a2=0 a3=bf84aa38 items=0 ppid=17908 pid=17909 auid=4294967295 uid=2026 gid=2027 euid=2026 suid=2026 fsuid=2026 egid=2027 sgid=2027 fsgid=2027 tty=(none) ses=4294967295 comm=eu-unstrip exe=/usr/bin/eu-unstrip subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null) Hash: eu-unstrip,abrt_t,mnt_t,dir,read audit2allow #============= abrt_t ============== allow abrt_t mnt_t:dir read; audit2allow -R #============= abrt_t ============== allow abrt_t mnt_t:dir read;
Did you have a package mounted on /mnt name loaders?
(In reply to comment #1) > Did you have a package mounted on /mnt name loaders? I'm not sure what do you mean. I have one autofs entry for /mnt plus two normal subdirectories in /mnt. I'm replicating part of the setup at another site (where all three subdirectories are mounted via NFS) that's why such a weird combination.
Well the problem is abrt is looking at this directory and trying to list it. Was the crash an app running in one of these directories?
/usr/lib/debug/usr/lib/gdk-pixbuf-2.0/2.10.0/loaders belongs to gdk-pixbuf2-debuginfo-2.23.3-2.fc15.i686 and contains these files: libpixbufloader-ani.so.debug libpixbufloader-bmp.so.debug libpixbufloader-gif.so.debug libpixbufloader-icns.so.debug libpixbufloader-ico.so.debug libpixbufloader-jasper.so.debug libpixbufloader-jpeg.so.debug libpixbufloader-pcx.so.debug libpixbufloader-pnm.so.debug libpixbufloader-qtif.so.debug libpixbufloader-ras.so.debug libpixbufloader-tga.so.debug libpixbufloader-tiff.so.debug libpixbufloader-wbmp.so.debug libpixbufloader-xbm.so.debug libpixbufloader-xpm.so.debug I think the crash was /usr/bin/remmina which does use gdk-pixbuf2 (/usr/lib/libgdk_pixbuf-2.0.so.0).
If you run restorecon -R -v /usr/lib/debug what happens?
(In reply to comment #5) > If you run restorecon -R -v /usr/lib/debug > > what happens? No output from "restorecon -R -v /usr/lib/debug"
what does # ls -Z /mnt
ls -Z /mnt drwxr-xr-x. root root system_u:object_r:autofs_t:s0 delos-yum-repo drwxr-xr-x. root root unconfined_u:object_r:mnt_t:s0 linuxapps drwxr-xr-x. root root system_u:object_r:mnt_t:s0 projects delos-yum-repo is from autofs linuxapps and projects are normal subdirectories
Anyways I blame this on abrt, it should not be listing the /mnt directory and probably should not be responding to third party crashes, which I believe is what triggered this.
So should we blacklist /mnt?
Nothing that we ship is installed on /mnt, so I don't see why you would watch that directory.
Where do you read from the AVC that abrt is reading /mnt?? To me it just seems that /usr/lib/debug/usr/lib/gdk-pixbuf-2.0/2.10.0/loaders has a wrong context.
(In reply to comment #6) > (In reply to comment #5) > > If you run restorecon -R -v /usr/lib/debug > > > > what happens? > > No output from "restorecon -R -v /usr/lib/debug" And what does $ ls -dZ /usr/lib/debug/usr/lib/gdk-pixbuf-2.0/2.10.0/loaders
ls -dZ /usr/lib/debug/usr/lib/gdk-pixbuf-2.0/2.10.0/loaders drwxr-xr-x. root root unconfined_u:object_r:mnt_t:s0 /usr/lib/debug/usr/lib/gdk-pixbuf-2.0/2.10.0/loaders
This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX. (Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.) Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version. Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping