Bug 836988 - abrtd: inotify_add_watch failed on '/var/spool/abrt-upload/': Permission denied
abrtd: inotify_add_watch failed on '/var/spool/abrt-upload/': Permission denied
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
17
All Linux
medium Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-07-02 08:45 EDT by Richard Marko
Modified: 2016-01-31 21:22 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 887892 (view as bug list)
Environment:
Last Closed: 2012-07-21 18:51:25 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Richard Marko 2012-07-02 08:45:57 EDT
Description of problem:
selinux is preventing abrt to use inotify on /var/spool/abrt-upload directory.

Version-Release number of selected component (if applicable):
current policies in Fedora 16, 17

How reproducible:
Always


Steps to Reproduce:
1. echo "WatchCrashdumpArchiveDir = /var/spool/abrt-upload/" > /etc/abrt/abrt.conf
2. service abrtd restart


Additional info:
----
time->Mon Jul  2 13:18:14 2012
type=SYSCALL msg=audit(1341227894.585:190): arch=c000003e syscall=254 success=no exit=-13 a0=5 a1=c4b4a0 a2=88 a3=7fff57ccb040 items=0 ppid=1 pid=5927 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe="/usr/sbin/abrtd" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1341227894.585:190): avc:  denied  { read } for  pid=5927 comm="abrtd" name="abrt-upload" dev="vda2" ino=13508 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir
----
time->Mon Jul  2 13:18:23 2012
type=SYSCALL msg=audit(1341227903.633:193): arch=c000003e syscall=2 success=no exit=-13 a0=404077 a1=41 a2=1a4 a3=7fff38afd020 items=0 ppid=1 pid=6019 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe="/usr/sbin/abrtd" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1341227903.633:193): avc:  denied  { write } for  pid=6019 comm="abrtd" name="abrtd.pid" dev="tmpfs" ino=26672 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_run_t:s0 tclass=file
Comment 1 Richard Marko 2012-07-02 08:53:54 EDT
Second avc is related to abrtd.pid:

Jul  2 13:42:09 localhost abrtd: Can't open '/var/run/abrtd.pid': Permission denied
Jul  2 13:42:09 localhost abrtd: Error while initializing daemon
Jul  2 13:42:09 localhost abrtd: Exiting
Comment 2 Miroslav Grepl 2012-07-03 03:26:23 EDT
If you use this directory, you need to turn on the abrt_anon_write boolean

# setsebool -P abrt_anon_write 1

The second AVC is really strange. 

# restorecon -R -v /var/run/abrt*

and see if you can re-create it.
Comment 3 Richard Marko 2012-07-10 08:44:23 EDT
/var/spool/abrt-upload/ is our default directory for handling uploads (owned by abrt package) - would be better if access is allowed by default. Or is there any reason why abrt isn't allowed to watch this directory?

What we need is inotify watch and permission to delete (move) data from this directory to /var/spool/abrt/ dir.
Comment 4 Miroslav Grepl 2012-07-10 09:27:36 EDT
We designed this directory to have this labeling because it can be used by different services.
Comment 5 Jiri Moskovcak 2012-07-10 09:37:49 EDT
We can simply document it in deployment guide, but it's not very user friendly.
Comment 6 Miroslav Grepl 2012-07-10 09:46:51 EDT
The problem is this directory can be used by ftpd_t for example. So this is a reason why we added this labeling (together with Karel).
Comment 7 Daniel Walsh 2012-07-10 22:48:24 EDT
Does it only read from this directory or does it also write?  It should be allowed to read from the directory by default.
Comment 8 Miroslav Grepl 2012-07-11 02:15:58 EDT
I believe it also write. But ABRT folks please correct me if I am wrong.
Comment 9 Jiri Moskovcak 2012-07-11 07:46:09 EDT
Both, but if we can have at least read and inotify on that dir it would give us at least the basic functionality. Forbidden write means that we won't be able to remove the uploaded data from abrt-upload directory, but it's not critical for ABRT to process it (we can copy it and process is elsewhere).
Comment 10 Miroslav Grepl 2012-07-11 08:00:28 EDT
Yeap, I am adding "read" by default.
Comment 11 Daniel Walsh 2012-07-11 12:04:13 EDT
Is this just a directory that ftp and dovecot share or would other apps like httpd need access?
Comment 12 Jiri Moskovcak 2012-07-11 12:12:27 EDT
Any application which knows the right format can upload the problem_dir there, but the only actually existing use case are ftpd, scp and cp (for tests).
Comment 13 Daniel Walsh 2012-07-11 14:12:22 EDT
I am not looking at theoretical, just real world.  If ftpd is the only domain that we confine that can write to this directory then we should label it as abrt_upload_t and allow ftpd_t and abrt_t to write to it.
Comment 14 Richard Marko 2012-07-12 04:34:17 EDT
All of them are real world - scp is in my opinion more important than ftpd.
Comment 15 Fedora Update System 2012-07-18 09:04:15 EDT
selinux-policy-3.10.0-140.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-140.fc17
Comment 16 Fedora Update System 2012-07-19 05:11:06 EDT
Package selinux-policy-3.10.0-140.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-140.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10840/selinux-policy-3.10.0-140.fc17
then log in and leave karma (feedback).
Comment 17 Fedora Update System 2012-07-21 18:51:25 EDT
selinux-policy-3.10.0-140.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.