Bug 1254188
Summary: | SELinux is preventing abrt-hook-ccpp from using the 'sigchld' accesses on a process. | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Jakub Filak <jfilak> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | medium | Docs Contact: | Robert Krátký <rkratky> |
Priority: | medium | ||
Version: | 7.2 | CC: | autarch, bztdlinux, dominick.grift, dwalsh, edosurina, extras-qa, frankk74, geezuslucifer, japan, jberan, jfilak, jsmith.fedora, jtfas90, karsonijunior, lantw44, lmiksik, lvrabec, mgrepl, mkyral, mmalik, mvadkert, plautrba, pvrabec, rehol3, rkratky, ssekidde |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | abrt_hash:e6d10fcd6f18e995dfe405a4aefb445f20ab0971bcc32b9d72dad9e065f8049f | ||
Fixed In Version: | selinux-policy-3.13.1-66.el7 | Doc Type: | Known Issue |
Doc Text: | SELinux AVC generated when ABRT collects backtraces. If the new, optional ABRT feature that allows collecting backtraces from crashed processes without the need to write a core-dump file to disk is enabled (using the *CreateCoreBacktrace* option in the */etc/abrt/plugins/CCpp.conf* configuration file), an SELinux AVC message is generated when the "abrt-hook-ccpp" tool tries to use the *sigchld* access on a crashing process in order to get the list of functions on the process' stack. | ||
Story Points: | --- |
Clone Of: | 1245477 | Environment: | |
Last Closed: | 2016-11-04 02:20:35 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1245477, 1276305, 1276931 | ||
Bug Blocks: | 1295396, 1270165 |
Description
Jakub Filak
2015-08-17 11:48:57 UTC
commit 4aa1c3baa40ee46f933be6ae46d8ead33b1e7bc8
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 18 17:57:21 2015 +0200

    Allow kernel_t domtrans to abrt_dump_oops_t

commit 6ed1233656a984f3a25b16eba149ea48c423393b
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 18 18:00:41 2015 +0200

    Allow abrt_dump_oops_t to read proc_security_t files.

commit 7c8b04988b7520e41b912153b262eb38ae48c292
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 18 17:55:18 2015 +0200

    Allow abrt_dump_oops to signull all domains
    Allow abrt_dump_oops to read all domains state
    Allow abrt_dump_oops to ptrace all domains

commit 6bba8d31a4f39875b6d0e55eea7388bee5cefd0d
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 18 17:54:57 2015 +0200

    Add interface abrt_dump_oops_domtrans()

Moving back to correct state.

We need to allow in kernel_read_security_state() also list_dir_perms on sysctl_fs_t.

I have prepared a fix, will test it and then add the fix to distgit.

We should allow to search all sysctls.

I back port all changes from Fedora related to this issue.

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html