Old 07-13-2011, 12:42 PM
Daniel J Walsh
 
Default avc - f15


On 07/13/2011 07:44 AM, Genes MailLists wrote:
> On 07/13/2011 07:32 AM, Genes MailLists wrote:
>>
>> I started getting this today:
>>
>> (F15 + rawhide(3.0 kernel, procps)
>
>
> Forgot to say what I was doing to trigger this:
>
>
> This may be related (or may be abrt bug).
>
> What triggered this is the following (odd because selinux is
> permissive).
>
> I started chrome - chrome processes are running - but no chrome
> windows appear - instead I get abrt errors in /var/log/messages (see
> below) - I did killall chrome to kill off the processes which won't
> start properly.
>
> Here's what showed in messages - what seems to have happened is -
> start chrome (it segv's for some reason - which is very odd) - then
> abrt tried to pick up on it - get avc - and then setroubleshootd
> starts.
>
> After killing the chrome processes - waiting a while - yum erase abrt
> - start chrome it starts fine.
>
>
> gene/
>
>
>
> -------------- /var/log/messages -------------------
>
>
> Jul 13 07:28:21 lap3 abrt[25068]: Unrecognized variable 'DumpLocation' in '/etc/abrt/abrt.conf'
> Jul 13 07:28:21 lap3 abrtd: Unrecognized variable 'DumpLocation' in '/etc/abrt/abrt.conf'
> Jul 13 07:28:21 lap3 dbus: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
> Jul 13 07:28:21 lap3 dbus: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
> Jul 13 07:28:22 lap3 abrt[25068]: saved core dump of pid 25026 (/opt/google/chrome/chrome) to /var/spool/abrt/ccpp-2011-07-13-07:28:21-25026.new/coredump (63602688 bytes)
> Jul 13 07:28:22 lap3 abrtd: Unrecognized variable 'DumpLocation' in '/etc/abrt/abrt.conf'
> Jul 13 07:28:22 lap3 abrtd: Directory 'ccpp-2011-07-13-07:28:21-25026' creation detected
> Jul 13 07:28:22 lap3 abrtd: Corrupted or bad dump /var/spool/abrt/ccpp-2011-07-13-07:28:21-25026 (res:2), deleting
> Jul 13 07:28:23 lap3 setroubleshoot: SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sys_ptrace capability. For complete SELinux messages. run sealert -l c6a02f63-3cd3-4f33-888b-3f047027dd01
> Jul 13 07:28:23 lap3 setroubleshoot: SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the dac_override capability. For complete SELinux messages. run sealert -l 6ad9b5e6-ea7d-45ac-900f-7cac78bb5a0a
> Jul 13 07:28:23 lap3 setroubleshoot: SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the dac_override capability. For complete SELinux messages. run sealert -l 6ad9b5e6-ea7d-45ac-900f-7cac78bb5a0a
> Jul 13 07:28:43 lap3 dbus: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
> Jul 13 07:28:43 lap3 dbus: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>

We had some mistaken file context for abrt apps, which should be fixed
in selinux-policy-3.9.16-33.fc15.src.rpm

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 07-13-2011, 12:47 PM
Genes MailLists
 
Default avc - f15

On 07/13/2011 08:42 AM, Daniel J Walsh wrote:

>
>
> We had some mistaken file context for abrt apps, which should be fixed
> in selinux-policy-3.9.16-33.fc15.src.rpm
>
>

Wonderful thanks ... I am finding abrt to interfere too much - so I
have erased it.

Thank you for the great work you guys do on selinux - and the always
fast and polite and helpful replies to the list or to bz's ....

It is very much appreciated.


gene
 
Old 07-13-2011, 12:52 PM
Genes MailLists
 
Default avc - f15

On 07/13/2011 10:45 AM, Miroslav Grepl wrote:

> Hi,
> could you test it with the latest F15 policy which is available from koji
>
> http://koji.fedoraproject.org/koji/buildinfo?buildID=252337
> --

I would .. and I'm installing now ... but I kinda yum erased abrt ...
I'm finding it not as helpful as I'd like.

gene
 
Old 07-13-2011, 02:45 PM
Miroslav Grepl
 
Default avc - f15

On 07/13/2011 11:32 AM, Genes MailLists wrote:
> I started getting this today:
>
> (F15 + rawhide(3.0 kernel, procps)
>
>
> SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the
> dac_override capability.
>
> ***** Plugin dac_override (91.4 confidence) suggests
> ***********************
>
> If you want to help identify if domain needs this access or you have a
> file with the wrong permissions on your system
> Then turn on full auditing to get path information about the offending
> file and generate the error again.
> Do
>
> Turn on full auditing
> # auditctl -w /etc/shadow -p w
> Try to recreate AVC. Then execute
> # ausearch -m avc -ts recent
> If you see PATH record check ownership/permissions on file, and fix it,
> otherwise report as a bugzilla.
>
> ***** Plugin catchall (9.59 confidence) suggests
> ***************************
>
> If you believe that abrt-hook-ccpp should have the dac_override
> capability by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Additional Information:
> Source Context system_u:system_r:abrt_helper_t:s0
> Target Context system_u:system_r:abrt_helper_t:s0
> Target Objects Unknown [ capability ]
> Source abrt-hook-ccpp
> Source Path /usr/libexec/abrt-hook-ccpp
> Port <Unknown>
> Host lap3.prv.sapience.com
> Source RPM Packages abrt-addon-ccpp-2.0.3-1.fc15
> Target RPM Packages
> Policy RPM selinux-policy-3.9.16-32.fc15
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Permissive
> Host Name lap3.prv.sapience.com
> Platform Linux lap3.prv.sapience.com
> 3.0-0.rc7.git0.1.fc16.x86_64 #1 SMP Tue Jul 12
> 12:57:40 UTC 2011 x86_64 x86_64
> Alert Count 7
> First Seen Sun 10 Jul 2011 12:38:18 PM EDT
> Last Seen Wed 13 Jul 2011 07:28:22 AM EDT
> Local ID 6ad9b5e6-ea7d-45ac-900f-7cac78bb5a0a
>
> Raw Audit Messages
> type=AVC msg=audit(1310556502.342:162): avc: denied { dac_override }
> for pid=25068 comm="abrt-hook-ccpp" capability=1
> scontext=system_u:system_r:abrt_helper_t:s0
> tcontext=system_u:system_r:abrt_helper_t:s0 tclass=capability
>
>
> type=SYSCALL msg=audit(1310556502.342:162): arch=x86_64 syscall=unlink
> success=yes exit=0 a0=7fffc48cf140 a1=eed700 a2=fcfc a3=fffffffffffffff0
> items=0 ppid=23033 pid=25068 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
> comm=abrt-hook-ccpp exe=/usr/libexec/abrt-hook-ccpp
> subj=system_u:system_r:abrt_helper_t:s0 key=(null)
>
> Hash: abrt-hook-ccpp,abrt_helper_t,abrt_helper_t,capability,dac_override
>
Hi,
could you test it with the latest F15 policy which is available from koji

http://koji.fedoraproject.org/koji/buildinfo?buildID=252337
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
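Added example, not part of the original thread or of any setroubleshoot/audit tooling: a small Python triage helper that pairs the AVC record with the SYSCALL record sharing its audit event serial, which shows that the `dac_override` denial came from an `unlink` call that still succeeded and that no PATH record was logged (the reason the sealert plugin asks for full auditing). The function name `correlate` and the report field names are assumptions of this example; the sample is the thread's two raw records re-joined onto single lines and trimmed to the fields used.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC and SYSCALL records quoted in the thread,
# one record per line as auditd writes them, trimmed to the fields used here.
SAMPLE = """\
type=AVC msg=audit(1310556502.342:162): avc: denied { dac_override } for pid=25068 comm="abrt-hook-ccpp" capability=1 scontext=system_u:system_r:abrt_helper_t:s0 tcontext=system_u:system_r:abrt_helper_t:s0 tclass=capability
type=SYSCALL msg=audit(1310556502.342:162): arch=x86_64 syscall=unlink success=yes exit=0 items=0 ppid=23033 pid=25068 uid=0 euid=0 comm=abrt-hook-ccpp exe=/usr/libexec/abrt-hook-ccpp subj=system_u:system_r:abrt_helper_t:s0 key=(null)
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
PERMS = re.compile(r"\{\s*([^}]*?)\s*\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def correlate(text):
    """Group records by audit event serial and summarise each AVC denial."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record (e.g. a syslog line)
        rtype, _stamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        perms = PERMS.search(body)
        if rtype == "AVC" and perms:
            fields["perms"] = perms.group(1).split()
        events[serial][rtype] = fields
    report = []
    for serial, recs in events.items():
        avc, call = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc:
            continue
        report.append({
            "serial": serial,
            "perms": avc.get("perms", []),
            "tclass": avc.get("tclass"),
            "scontext": avc.get("scontext"),
            "syscall": call.get("syscall"),
            "exe": call.get("exe"),
            # No PATH record: the file the syscall touched is not in the log.
            "has_path": "PATH" in recs,
            # Denial was logged but the call was not blocked.
            "syscall_succeeded": call.get("success") == "yes",
        })
    return report

print(correlate(SAMPLE))
```

On a live system the same function can be fed the text of `ausearch -m avc -ts recent`, the command the sealert output in the thread recommends.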
 
