Bug 869896 - SELinux is preventing /usr/bin/abrt-action-save-package-data from 'write' accesses on the directory rpm.
Summary: SELinux is preventing /usr/bin/abrt-action-save-package-data from 'write' acc...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:6381d1bfe8bacbe69699187e141...
Depends On:
Blocks:
Reported: 2012-10-25 05:06 UTC by Vít Ondruch
Modified: 2013-04-18 02:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-18 02:48:58 UTC
Type: ---
Embargoed:


Attachments
File: type (9 bytes, text/plain), 2012-10-25 05:06 UTC, Vít Ondruch
File: hashmarkername (14 bytes, text/plain), 2012-10-25 05:06 UTC, Vít Ondruch

Description Vít Ondruch 2012-10-25 05:06:18 UTC
Additional info:
libreport version: 2.0.16
kernel:         3.6.2-2.fc18.x86_64

description:
:SELinux is preventing /usr/bin/abrt-action-save-package-data from 'write' accesses on the directory rpm.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that abrt-action-save-package-data should be allowed write access on the rpm directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep abrt-action-sav /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
:Target Context                unconfined_u:object_r:mock_var_lib_t:s0
:Target Objects                rpm [ dir ]
:Source                        abrt-action-sav
:Source Path                   /usr/bin/abrt-action-save-package-data
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           abrt-2.0.16-1.fc18.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.11.1-36.fc18.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.2-2.fc18.x86_64 #1 SMP Wed Oct 17 05:56:07 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    2012-10-24 14:40:40 CEST
:Last Seen                     2012-10-24 14:40:40 CEST
:Local ID                      eb4fe709-0872-4f69-88c5-d6a223f5b7ee
:
:Raw Audit Messages
:type=AVC msg=audit(1351082440.946:681): avc:  denied  { write } for  pid=25266 comm="abrt-action-sav" name="rpm" dev="dm-0" ino=312013 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=dir
:
:
:type=SYSCALL msg=audit(1351082440.946:681): arch=x86_64 syscall=open success=no exit=EACCES a0=1ad1030 a1=c2 a2=1a4 a3=2d items=0 ppid=25265 pid=25266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=abrt-action-sav exe=/usr/bin/abrt-action-save-package-data subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
:
:Hash: abrt-action-sav,abrt_t,mock_var_lib_t,dir,write
:
:audit2allow
:
:#============= abrt_t ==============
:#!!!! The source type 'abrt_t' can write to a 'dir' of the following types:
:# tmp_t, var_t, rpm_var_cache_t, abrt_var_cache_t, var_spool_t, sosreport_tmp_t, var_log_t, abrt_tmp_t, abrt_var_run_t, var_run_t, abrt_var_log_t, rpm_var_run_t
:
:allow abrt_t mock_var_lib_t:dir write;
:
:audit2allow -R
:
:#============= abrt_t ==============
:#!!!! The source type 'abrt_t' can write to a 'dir' of the following types:
:# tmp_t, var_t, rpm_var_cache_t, abrt_var_cache_t, var_spool_t, sosreport_tmp_t, var_log_t, abrt_tmp_t, abrt_var_run_t, var_run_t, abrt_var_log_t, rpm_var_run_t
:
:allow abrt_t mock_var_lib_t:dir write;
:

Comment 1 Vít Ondruch 2012-10-25 05:06:22 UTC
Created attachment 633158
File: type

Comment 2 Vít Ondruch 2012-10-25 05:06:24 UTC
Created attachment 633159
File: hashmarkername

Comment 3 Daniel Walsh 2012-10-25 18:10:33 UTC
Is /var/lib/rpm mislabeled?

restorecon -R -v /var/lib/rpm

Comment 4 Vít Ondruch 2012-10-26 07:22:53 UTC
The command is completely silent. And listing the directory labels before and after, it doesn't look like it would change anything.

Comment 5 Miroslav Grepl 2012-10-26 08:10:27 UTC
# ls -dZ /var/lib/rpm

will probably be ok.

Are you able to reproduce a crash?

Comment 6 Vít Ondruch 2012-10-26 10:46:19 UTC
$ sudo ls -dZ /var/lib/rpm
drwxr-xr-x. root root system_u:object_r:rpm_var_lib_t:s0 /var/lib/rpm


Well, I don't know how that happened :/

Comment 7 Miroslav Grepl 2012-10-26 11:21:52 UTC
Any chance you were doing something with mock?

Comment 8 Vít Ondruch 2012-10-26 11:27:30 UTC
Very high chances :)

Comment 9 Daniel Walsh 2012-10-26 17:53:19 UTC
Strange that abrt would try to grab content from within a chroot?  Also the kernel gave a path of /var/lib/rpm even though it is in another directory.

I think we should dontaudit this since we really do not want abrt to touch stuff in mock builds.

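The thread above turns on two questions that the setroubleshoot report does not answer by itself: whether the denied "rpm" directory really is the host's /var/lib/rpm (comment 3 suggests a relabel, comment 9 notes the kernel only logged a name, and the directory turned out to be inside a mock chroot), and whether the right policy response is the `allow` rule that `audit2allow -M` generates (the direction the eventual policy fix took) or the `dontaudit` rule proposed in comment 9. The script below is an added example written for this page, not code from the bug report, abrt, or the selinux-policy project. It parses the raw AVC record from the report (embedded as a constructed copy so it runs offline), emits the `.te` source for either rule, and compares the logged inode with the host path's inode so you know whether `restorecon` on /var/lib/rpm can have any effect. The function names, the module name `mypol`, and the use of GNU `stat -c %i` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example for this thread; not code from the bug report, abrt, or the
# selinux-policy project. Function names (avc_field, avc_to_te, inode_matches)
# and the module name "mypol" are assumptions made for illustration.

# Constructed copy of the AVC record from the report, embedded so the script
# runs offline without reading /var/log/audit/audit.log.
AVC='type=AVC msg=audit(1351082440.946:681): avc:  denied  { write } for  pid=25266 comm="abrt-action-sav" name="rpm" dev="dm-0" ino=312013 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=dir'

# avc_field RECORD KEY: print the value of KEY=... (surrounding quotes dropped).
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD: print the permission list inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# ctx_type CONTEXT: the type component of user:role:TYPE:range.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# te_perms PERMS: one permission bare, several in braces, as .te source wants.
te_perms() {
    case $1 in
        *" "*) printf '{ %s }' "$1" ;;
        *)     printf '%s' "$1" ;;
    esac
}

# avc_to_te RECORD MODULE RULE: emit .te source for the denial. RULE is
# "allow" (what audit2allow -M generates: the access is granted) or
# "dontaudit" (the alternative from comment 9: still denied, no longer
# logged). The require block is the same either way.
avc_to_te() {
    record=$1; module=$2; rule=$3
    case $rule in
        allow|dontaudit) ;;
        *) echo "avc_to_te: rule must be allow or dontaudit, got '$rule'" >&2; return 1 ;;
    esac
    src=$(ctx_type "$(avc_field "$record" scontext)")
    tgt=$(ctx_type "$(avc_field "$record" tcontext)")
    cls=$(avc_field "$record" tclass)
    perms=$(te_perms "$(avc_perms "$record")")
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s %s;\n}\n\n%s %s %s:%s %s;\n' \
        "$module" "$src" "$tgt" "$cls" "$perms" "$rule" "$src" "$tgt" "$cls" "$perms"
}

# inode_matches RECORD INO: true when the denied object's inode is INO. The
# kernel logs only name="rpm" plus dev/ino, so a /var/lib/rpm inside a mock
# chroot looks identical to the host's by name; the inode tells them apart and
# decides whether relabeling the host path is even relevant.
inode_matches() {
    [ "$(avc_field "$1" ino)" = "$2" ]
}

# Stand-alone usage: print the allow module, then check the host directory.
avc_to_te "$AVC" mypol allow
if inode_matches "$AVC" "$(stat -c %i /var/lib/rpm 2>/dev/null)"; then
    echo "denied object is the host /var/lib/rpm: check its label with ls -dZ"
else
    echo "denied object is not the host /var/lib/rpm (different inode): likely a chroot copy"
fi
```

Redirect `avc_to_te "$AVC" mypol dontaudit` into `mypol.te` and build it the standard way (`checkmodule -M -m -o mypol.mod mypol.te`, `semodule_package -o mypol.pp -m mypol.mod`, `semodule -i mypol.pp`) if you only want the noise gone; generate `allow` only if you actually want abrt_t writing into mock_var_lib_t, which is the decision this thread ended up making in the distribution policy rather than in a local module. The inode check is what the comments reached by guesswork: if it reports a different inode, `restorecon -R -v /var/lib/rpm` being silent is expected, because the denied directory was never the one you relabeled.
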
Comment 10 Vít Ondruch 2012-11-08 15:21:55 UTC
Running build in mock.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

Comment 11 Jiri Moskovcak 2012-11-22 14:34:17 UTC
(In reply to comment #9)
> Strange that abrt would try to grab content from with a chroot?  Also the
> kernel gave a path of /var/lib/rpm eventhough it is in another directory.
> 
> I think we should dontaudit this since we really do not want abrt touch
> stuff in mock builds.

Actually the intention was to make ABRT able to detect crashes during the builds (e.g: scriptlet crashes) and in that case it tries to open the RPM from mock to get the pkg versions used in mock.

Comment 12 Vít Ondruch 2013-01-07 14:23:40 UTC
build in mock

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

Comment 13 Tim Waugh 2013-03-26 12:01:23 UTC
Building packages in mock.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

Comment 14 Daniel Walsh 2013-03-26 17:37:13 UTC
66f6289356525194bc599e687f664e0f119fd9a9 in git allows this.

Comment 15 Miroslav Grepl 2013-03-27 13:32:27 UTC
Fixed in selinux-policy-3.11.1-88.fc18.noarch

Comment 16 Fedora Update System 2013-04-15 11:09:36 UTC
selinux-policy-3.11.1-90.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-90.fc18

Comment 17 Fedora Update System 2013-04-16 00:05:05 UTC
Package selinux-policy-3.11.1-90.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-90.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5742/selinux-policy-3.11.1-90.fc18
then log in and leave karma (feedback).

Comment 18 Fedora Update System 2013-04-18 02:49:00 UTC
selinux-policy-3.11.1-90.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
