Bug 835083 - Get initrc_t AVCs on boot copying crash files
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-06-25 09:48 EDT by Tom London
Modified: 2012-06-25 11:35 EDT
Last Closed: 2012-06-25 11:35:13 EDT
Description Tom London 2012-06-25 09:48:19 EDT
Description of problem:

I ran 'gnome-tweak-tool' and it produced a crash.

A few minutes later, I rebooted (permissively).

After logging in with gnome, I noticed the 'abrt' panel notifier.

Turns out it was from me trying to run 'gnome-tweak-tool' just before
I rebooted. [No longer runs... :-( ]

After running the abrt app and deleting the crash report, I see the below AVCs.

Believe these are the messages when the crash state was saved:

Jun 23 07:57:34 tlondon abrt: detected unhandled Python exception in
'/usr/bin/gnome-tweak-tool'
Jun 23 07:57:34 tlondon abrtd: New client connected
Jun 23 07:57:34 tlondon abrtd: Directory
'pyhook-2012-06-23-07:57:34-18138' creation detected
Jun 23 07:57:34 tlondon abrt-server[18141]: Saved Python crash dump of
pid 18138 to /var/spool/abrt/pyhook-2012-06-23-07:57:34-18138
Jun 23 07:57:36 tlondon abrtd: New problem directory
/var/spool/abrt/pyhook-2012-06-23-07:57:34-18138, processing

Here is me rebooting:

Jun 23 07:59:23 tlondon kernel: imklog 5.8.11, log source = /proc/kmsg started.
Jun 23 07:59:23 tlondon rsyslogd: [origin software="rsyslogd"
swVersion="5.8.11" x-pid="620" x-info="http://www.rsyslog.com"] start

Although I see no messages in /var/log/messages that seem related.

Appears surprising that abrt-dbus is running as initrc_t as shown by the audit messages below.

Here are the SELinux AVCs:


#============= initrc_t ==============
#!!!! The source type 'initrc_t' can write to a 'dir' of the following types:
# fonts_t, tmpfs_t, mnt_t, lockfile, user_fonts_t, initrc_state_t,
postgresql_db_t, virt_cache_t, faillog_t, svc_svc_t, var_run_t,
dirsrv_var_run_t, qpidd_var_run_t, ricci_var_lib_t, virt_var_run_t,
virt_lxc_var_run_t, named_conf_t, mysqld_db_t, initrc_tmp_t

allow initrc_t abrt_var_cache_t:dir { write remove_name add_name rmdir };
allow initrc_t abrt_var_cache_t:file { read unlink open };
allow initrc_t abrt_var_cache_t:lnk_file { create unlink };


----
time->Sat Jun 23 08:02:38 2012
type=PATH msg=audit(1340463758.128:86): item=2
name="/var/spool/abrt/pyhook-2012-06-23-07:57:34-18138/.lock"
inode=1340 dev=fd:00 mode=0120777 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:abrt_var_cache_t:s0
type=PATH msg=audit(1340463758.128:86): item=1
name="/var/spool/abrt/pyhook-2012-06-23-07:57:34-18138/" inode=106591
dev=fd:00 mode=040750 ouid=491 ogid=1000 rdev=00:00
obj=system_u:object_r:abrt_var_cache_t:s0
type=PATH msg=audit(1340463758.128:86): item=0 name="1783"
type=CWD msg=audit(1340463758.128:86):  cwd="/"
type=SYSCALL msg=audit(1340463758.128:86): arch=c000003e syscall=88
success=yes exit=0 a0=7fff5f37a750 a1=7fff5f37a6d0 a2=383331
a3=7fff5f37a460 items=3 ppid=1 pid=1783 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="abrt-dbus" exe="/usr/sbin/abrt-dbus"
subj=system_u:system_r:initrc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1340463758.128:86): avc:  denied  { create } for
pid=1783 comm="abrt-dbus" name=".lock"
scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023
tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=lnk_file
type=AVC msg=audit(1340463758.128:86): avc:  denied  { add_name } for
pid=1783 comm="abrt-dbus" name=".lock"
scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023
tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=dir
type=AVC msg=audit(1340463758.128:86): avc:  denied  { write } for
pid=1783 comm="abrt-dbus" name="pyhook-2012-06-23-07:57:34-18138"
dev="dm-0" ino=106591
scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023
tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=dir
----
time->Sat Jun 23 08:02:38 2012
type=PATH msg=audit(1340463758.151:87): item=1
name="/var/spool/abrt/pyhook-2012-06-23-07:57:34-18138/.lock"
inode=1340 dev=fd:00 mode=0120777 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:abrt_var_cache_t:s0
type=PATH msg=audit(1340463758.151:87): item=0
name="/var/spool/abrt/pyhook-2012-06-23-07:57:34-18138/" inode=106591
dev=fd:00 mode=040750 ouid=491 ogid=1000 rdev=00:00
obj=system_u:object_r:abrt_var_cache_t:s0
type=CWD msg=audit(1340463758.151:87):  cwd="/"
type=SYSCALL msg=audit(1340463758.151:87): arch=c000003e syscall=87
success=yes exit=0 a0=7fff5f37a8a0 a1=1ebd481 a2=383331
a3=7fff5f37a620 items=2 ppid=1 pid=1783 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="abrt-dbus" exe="/usr/sbin/abrt-dbus"
subj=system_u:system_r:initrc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1340463758.151:87): avc:  denied  { unlink } for
pid=1783 comm="abrt-dbus" name=".lock" dev="dm-0" ino=1340
scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023
tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=lnk_file
type=AVC msg=audit(1340463758.151:87): avc:  denied  { remove_name }
for  pid=1783 comm="abrt-dbus" name=".lock" dev="dm-0" ino=1340
scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023
tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=dir
----
time->Sat Jun 23 08:02:38 2012
type=PATH msg=audit(1340463758.155:88): item=0
name="/var/spool/abrt/pyhook-2012-06-23-07:57:34-18138/time"
inode=21014 dev=fd:00 mode=0100640 ouid=491 ogid=1000 rdev=00:00
obj=system_u:object_r:abrt_var_cache_t:s0
type=CWD msg=audit(1340463758.155:88):  cwd="/"
type=SYSCALL msg=audit(1340463758.155:88): arch=c000003e syscall=2
success=yes exit=7 a0=1ebc240 a1=0 a2=1b6 a3=24 items=1 ppid=1
pid=1783 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-dbus"
exe="/usr/sbin/abrt-dbus"
subj=system_u:system_r:initrc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1340463758.155:88): avc:  denied  { open } for
pid=1783 comm="abrt-dbus"
path="/var/spool/abrt/pyhook-2012-06-23-07:57:34-18138/time"
dev="dm-0" ino=21014
scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023
tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=file
type=AVC msg=audit(1340463758.155:88): avc:  denied  { read } for
pid=1783 comm="abrt-dbus" name="time" dev="dm-0" ino=21014
scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023
tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=file
----
time->Sat Jun 23 08:02:51 2012
type=PATH msg=audit(1340463771.565:90): item=1
name="/var/spool/abrt/pyhook-2012-06-23-07:57:34-18138/time"
inode=21014 dev=fd:00 mode=0100640 ouid=491 ogid=1000 rdev=00:00
obj=system_u:object_r:abrt_var_cache_t:s0
type=PATH msg=audit(1340463771.565:90): item=0
name="/var/spool/abrt/pyhook-2012-06-23-07:57:34-18138/" inode=106591
dev=fd:00 mode=040750 ouid=491 ogid=1000 rdev=00:00
obj=system_u:object_r:abrt_var_cache_t:s0
type=CWD msg=audit(1340463771.565:90):  cwd="/"
type=SYSCALL msg=audit(1340463771.565:90): arch=c000003e syscall=87
success=yes exit=0 a0=1ebe970 a1=ffffffff a2=1ebe970 a3=fffffffc
items=2 ppid=1 pid=1783 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="abrt-dbus" exe="/usr/sbin/abrt-dbus"
subj=system_u:system_r:initrc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1340463771.565:90): avc:  denied  { unlink } for
pid=1783 comm="abrt-dbus" name="time" dev="dm-0" ino=21014
scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023
tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=file
type=AVC msg=audit(1340463771.565:90): avc:  denied  { remove_name }
for  pid=1783 comm="abrt-dbus" name="time" dev="dm-0" ino=21014
scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023
tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=dir
----
time->Sat Jun 23 08:02:51 2012
type=PATH msg=audit(1340463771.598:91): item=1
name="/var/spool/abrt/pyhook-2012-06-23-07:57:34-18138" inode=106591
dev=fd:00 mode=040750 ouid=491 ogid=1000 rdev=00:00
obj=system_u:object_r:abrt_var_cache_t:s0
type=PATH msg=audit(1340463771.598:91): item=0 name="/var/spool/abrt/"
inode=40979 dev=fd:00 mode=040755 ouid=491 ogid=475 rdev=00:00
obj=system_u:object_r:abrt_var_cache_t:s0
type=CWD msg=audit(1340463771.598:91):  cwd="/"
type=SYSCALL msg=audit(1340463771.598:91): arch=c000003e syscall=84
success=yes exit=0 a0=1ebd450 a1=ffffffff a2=7fb651188738
a3=7fff5f37a710 items=2 ppid=1 pid=1783 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="abrt-dbus" exe="/usr/sbin/abrt-dbus"
subj=system_u:system_r:initrc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1340463771.598:91): avc:  denied  { rmdir } for
pid=1783 comm="abrt-dbus" name="pyhook-2012-06-23-07:57:34-18138"
dev="dm-0" ino=106591
scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023
tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=dir
----
time->Sat Jun 23 08:02:51 2012
type=PATH msg=audit(1340463771.565:89): item=2
name="/var/spool/abrt/pyhook-2012-06-23-07:57:34-18138/.lock"
inode=1340 dev=fd:00 mode=0120777 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:abrt_var_cache_t:s0
type=PATH msg=audit(1340463771.565:89): item=1
name="/var/spool/abrt/pyhook-2012-06-23-07:57:34-18138/" inode=106591
dev=fd:00 mode=040750 ouid=491 ogid=1000 rdev=00:00
obj=system_u:object_r:abrt_var_cache_t:s0
type=PATH msg=audit(1340463771.565:89): item=0 name="1783"
type=CWD msg=audit(1340463771.565:89):  cwd="/"
type=SYSCALL msg=audit(1340463771.565:89): arch=c000003e syscall=88
success=yes exit=0 a0=7fff5f37a820 a1=7fff5f37a7a0 a2=383331
a3=322d36302d323130 items=3 ppid=1 pid=1783 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="abrt-dbus" exe="/usr/sbin/abrt-dbus"
subj=system_u:system_r:initrc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1340463771.565:89): avc:  denied  { add_name } for
pid=1783 comm="abrt-dbus" name=".lock"
scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023
tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=dir
type=AVC msg=audit(1340463771.565:89): avc:  denied  { write } for
pid=1783 comm="abrt-dbus" name="pyhook-2012-06-23-07:57:34-18138"
dev="dm-0" ino=106591
scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023
tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
abrt-2.0.10-4.fc18.x86_64

Comment 1 Miroslav Grepl 2012-06-25 09:50:06 EDT
Folks,
I see 

comm="abrt-dbus"

is this something new?
Comment 2 Jiri Moskovcak 2012-06-25 10:23:01 EDT
(In reply to comment #1)
> Folks,
> I see 
> 
> comm="abrt-dbus"
> 
> is this something new?

- it's ABRT's PolicyKit backend started on demand
Comment 3 Daniel Walsh 2012-06-25 11:32:14 EDT
Label /usr/sbin/abrt-dbus as abrt_exec_t
Comment 4 Daniel Walsh 2012-06-25 11:35:13 EDT
Fixed in selinux-policy-3.11.0-7.fc18
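
The triage step this thread walks through, as an added example that is not part of the original bug report or of any ABRT/selinux-policy code: it groups AVC denials into the allow-rule summary shown in the description and flags daemons running in the generic `initrc_t` domain, which points at a missing executable label rather than missing allow rules. The function names and the `GENERIC_DOMAINS` set are assumptions of this example; the sample records are taken from the report and unwrapped to one line each.

```python
import re
from collections import defaultdict

# Sample input: five AVC records from the report above, unwrapped to one line each.
SAMPLE = """\
type=AVC msg=audit(1340463758.128:86): avc:  denied  { create } for pid=1783 comm="abrt-dbus" name=".lock" scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=lnk_file
type=AVC msg=audit(1340463758.128:86): avc:  denied  { add_name } for pid=1783 comm="abrt-dbus" name=".lock" scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=dir
type=AVC msg=audit(1340463758.151:87): avc:  denied  { unlink } for pid=1783 comm="abrt-dbus" name=".lock" dev="dm-0" ino=1340 scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=lnk_file
type=AVC msg=audit(1340463758.155:88): avc:  denied  { open } for pid=1783 comm="abrt-dbus" path="/var/spool/abrt/pyhook-2012-06-23-07:57:34-18138/time" dev="dm-0" ino=21014 scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=file
type=AVC msg=audit(1340463771.598:91): avc:  denied  { rmdir } for pid=1783 comm="abrt-dbus" name="pyhook-2012-06-23-07:57:34-18138" dev="dm-0" ino=106591 scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

# Assumption of this example: a service seen in this domain never transitioned
# out of the init script domain, so its executable label should be checked first.
GENERIC_DOMAINS = {"initrc_t"}

def selinux_type(context):
    # Context layout is user:role:type:level[:categories]; the type is field 3.
    return context.split(":")[2]

def summarize(log_text):
    rules = defaultdict(set)   # (source type, target type, class) -> permissions
    comms = defaultdict(set)   # source type -> command names seen in that domain
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue           # PATH, CWD and SYSCALL records carry no denial
        key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
        rules[key].update(m["perms"].split())
        comms[key[0]].add(m["comm"])
    return rules, comms

def allow_rules(rules):
    # Same shape as the allow-rule summary quoted in the description.
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

def unlabeled_daemons(comms):
    # Commands running in a generic init domain: fix the file label, not the policy.
    return sorted(c for d, names in comms.items() if d in GENERIC_DOMAINS for c in names)
```

For this report the flagged command is `abrt-dbus`, which matches the resolution in comment 3: the binary was given the `abrt_exec_t` label instead of `initrc_t` being granted access to `abrt_var_cache_t`.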
