Red Hat Bugzilla – Bug 863399
SELinux is preventing /usr/bin/abrt-dump-oops from 'getattr' accesses on the file /sys/kernel/debug/suspend_stats.
Last modified: 2012-12-20 10:59:05 EST
Description of problem: This happened while updating abrt Additional info: libreport version: 2.0.15 kernel: 3.5.5-2.fc17.x86_64 description: :SELinux is preventing /usr/bin/abrt-dump-oops from 'getattr' accesses on the file /sys/kernel/debug/suspend_stats. : :***** Plugin restorecon (99.5 confidence) suggests ************************* : :If si desidera sistemare l'etichetta. :L'etichetta predefinita di /sys/kernel/debug/suspend_stats dovrebbe essere sysfs_t. :Then è possibile avviare restorecon. :Do :# /sbin/restorecon -v /sys/kernel/debug/suspend_stats : :***** Plugin catchall (1.49 confidence) suggests *************************** : :If si crede che abrt-dump-oops dovrebbe avere possibilità di accesso getattr sui suspend_stats file in modo predefinito. :Then si dovrebbe riportare il problema come bug. :E' possibile generare un modulo di politica locale per consentire questo accesso. :Do :consentire questo accesso per il momento eseguendo: :# grep abrt-dump-oops /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:abrt_dump_oops_t:s0 :Target Context system_u:object_r:debugfs_t:s0 :Target Objects /sys/kernel/debug/suspend_stats [ file ] :Source abrt-dump-oops :Source Path /usr/bin/abrt-dump-oops :Port <Sconosciuto> :Host (removed) :Source RPM Packages abrt-addon-kerneloops-2.0.14-1.fc17.x86_64 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-150.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Permissive :Host Name (removed) :Platform Linux (removed) 3.5.5-2.fc17.x86_64 #1 SMP Wed Oct : 3 13:20:37 UTC 2012 x86_64 x86_64 :Alert Count 1 :First Seen 2012-10-05 13:20:38 CEST :Last Seen 2012-10-05 13:20:38 CEST :Local ID 6a9061ae-872e-4a6f-bc3f-992b7919d266 : :Raw Audit Messages :type=AVC msg=audit(1349436038.452:105): avc: denied { getattr } for pid=5867 comm="abrt-dump-oops" path="/sys/kernel/debug/suspend_stats" dev="debugfs" ino=1184 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file : : :type=SYSCALL msg=audit(1349436038.452:105): arch=x86_64 syscall=fstat success=yes exit=0 a0=3 a1=7fff29b05190 a2=7fff29b05190 a3=7fff29b04f10 items=0 ppid=5864 pid=5867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-dump-oops exe=/usr/bin/abrt-dump-oops subj=system_u:system_r:abrt_dump_oops_t:s0 key=(null) : :Hash: abrt-dump-oops,abrt_dump_oops_t,debugfs_t,file,getattr : :audit2allow : :#============= abrt_dump_oops_t ============== :allow abrt_dump_oops_t debugfs_t:file getattr; : :audit2allow -R : :#============= abrt_dump_oops_t ============== :allow abrt_dump_oops_t debugfs_t:file getattr; :
Created attachment 622113 [details] File: type
Created attachment 622115 [details] File: hashmarkername
I just added this access to F18 policy.
Added. commit c7255b32c627bd7c8c23439ff9882b85a7f82264 Author: Miroslav Grepl <mgrepl@redhat.com> Date: Mon Oct 8 09:42:31 2012 +0200 abrt_dump_oops needs to read debugfs
selinux-policy-3.10.0-153.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-153.fc17
Package selinux-policy-3.10.0-153.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-153.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-15652/selinux-policy-3.10.0-153.fc17 then log in and leave karma (feedback).
selinux-policy-3.10.0-153.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.