If you want to help identify if domain needs this access or you have a
file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending
file and generate the error again.
Do
Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.
If you believe that abrt-hook-ccpp should have the dac_override
capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:abrt_helper_t:s0
Target Context system_u:system_r:abrt_helper_t:s0
Target Objects Unknown [ capability ]
Source abrt-hook-ccpp
Source Path /usr/libexec/abrt-hook-ccpp
Port <Unknown>
Host lap3.prv.sapience.com
Source RPM Packages abrt-addon-ccpp-2.0.3-1.fc15
Target RPM Packages
Policy RPM selinux-policy-3.9.16-32.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name lap3.prv.sapience.com
Platform Linux lap3.prv.sapience.com
3.0-0.rc7.git0.1.fc16.x86_64 #1 SMP Tue Jul 12
12:57:40 UTC 2011 x86_64 x86_64
Alert Count 7
First Seen Sun 10 Jul 2011 12:38:18 PM EDT
Last Seen Wed 13 Jul 2011 07:28:22 AM EDT
Local ID 6ad9b5e6-ea7d-45ac-900f-7cac78bb5a0a
Raw Audit Messages
type=AVC msg=audit(1310556502.342:162): avc: denied { dac_override }
for pid=25068 comm="abrt-hook-ccpp" capability=1
scontext=system_u:system_r:abrt_helper_t:s0
tcontext=system_u:system_r:abrt_helper_t:s0 tclass=capability
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
07-13-2011, 11:44 AM
Genes MailLists
avc - f15
On 07/13/2011 07:32 AM, Genes MailLists wrote:
>
> I started getting this today:
>
> (F15 + rawhide(3.0 kernel, procps)
Forgot to say what I was doing to trigger this:
This may be related (or may be abrt bug).
What triggered this is the following (odd because selinux is permissive).
I started chrome - chrome processes are running - but no chrome
windows appear - instead I get abrt errors in /var/log/messages (see
below) - I did killall chrome to kill off the processes which wont start
properly.
Here's what showed in messages - what seems to have happened is -
statr chome (it segv's for some reason - which is very odd) - then abrt
tried to pick up on it - get avc - and then setroubleshootd starts.
After killing the chrome processes - waiting a while - yum erase
abrt - start chrome it starts fine.
avc - f15
