Bug 1896648
Summary: | SELinux is preventing gdb from 'read' accesses on the chr_file renderD128. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | b.gatessucks |
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 33 | CC: | 64hardware, aanuncibay, ajtbecool, alex, alex.go4more, al.krug64, anang.w120879, andrew.kavalov, asew54, automaticjack, bb, bellecodeur, bugzilla_fedora, bv06dnf, carl, chin_chillin, chplee, christof.schulze, dan, dariusbp8, decathorpe, devurandom, dominik, dr.fiala, duku, dwalsh, enyone, fatkasuvayu, forlorn, franarayah, fran, fukidid, gaurishkorpal01, gbonnema, grepl.miroslav, gtwilliams, heldwin, heraldo68, herwig.wiesinger, heyveld, IAGolem, iamn0w, info, io, jaco.bergh91, james, jan.public, jenkvanderslice, jerianjer, jfrieben, j.orti.alcaine, kdubrick, kmansoft, lvrabec, MathRrRr, matthew.fagnani, mdtha, mikhail.v.gavrilov, mkyral, mlschechter, mmalik, narilec, nyayukko, ochal, online, paul.destefano-redhat2, per.arnold, philipp.raich, plautrba, pmkellly, rafal.boruc, redhatbugzilla, rfe.gen, roblin67, rocketraman, sammyf42069, selinux, sevmek, sharry1679, Shurik, t.paulrobertson, ux.010101, valsu, vasil.minsk, vitaljax001, vmojzis, voj-tech, wedmer, xnwrsp, xzj8b3, yakky58, yugdas, zpytela |
Target Milestone: | --- | Flags: | zpytela: needinfo? (mkyral) |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:1037e9e314ab8138adb0012eefe42ba0707b90646a2c0eda6dc7588ca6af7dc7;VARIANT_ID=workstation; | ||
Description
b.gatessucks
2020-11-11 06:41:31 UTC
Similar problem has been detected:

Blender import STL utility crashes application and causes this SELinux error

hashmarkername: setroubleshoot
kernel: 5.8.18-300.fc33.x86_64
package: selinux-policy-targeted-3.14.6-30.fc33.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file renderD128.
type: libreport

Similar problem has been detected:

gnome printer settings crashed

hashmarkername: setroubleshoot
kernel: 5.8.18-300.fc33.x86_64
package: selinux-policy-targeted-3.14.6-30.fc33.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file card0.
type: libreport

Similar problem has been detected:

Switching on an external hard disk, connected through a firewire port

hashmarkername: setroubleshoot
kernel: 5.8.18-300.fc33.x86_64
reason: SELinux is preventing gdb from 'read' accesses on the chr_file renderD128.
type: libreport

Similar here with file card0

-----

SELinux is preventing gdb from read access on the chr_file card0.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that gdb should be allowed read access on the card0 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'gdb' --raw | audit2allow -M my-gdb
# semodule -X 300 -i my-gdb.pp

Additional Information:
Source Context: system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context: system_u:object_r:dri_device_t:s0
Target Objects: card0 [ chr_file ]
Source: gdb
Source Path: gdb
Port: <Unknown>
Host: fergie
Source RPM Packages:
Target RPM Packages:
SELinux Policy RPM: selinux-policy-targeted-3.14.6-30.fc33.noarch
Local Policy RPM: selinux-policy-targeted-3.14.6-30.fc33.noarch
Selinux Enabled: True
Policy Type: targeted
Enforcing Mode: Enforcing
Host Name: fergie
Platform: Linux fergie 5.9.8-200.fc33.x86_64 #1 SMP Tue Nov 10 21:58:19 UTC 2020 x86_64 x86_64
Alert Count: 10
First Seen: 2020-11-15 11:46:19 MSK
Last Seen: 2020-11-15 11:46:19 MSK
Local ID: f1d5dc1e-899b-45e8-a667-df71e3a98b2a

Raw Audit Messages
type=AVC msg=audit(1605429979.62:890): avc: denied { read } for pid=5735 comm="gdb" name="card0" dev="devtmpfs" ino=665 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0

Hash: gdb,abrt_t,dri_device_t,chr_file,read

And here is a seemingly related failure, on most recent boot it happened almost 100 times in a few seconds. The file(s) it's trying to access is:

./var/lib/sddm/.cache/sddm-greeter/qmlcache/f608f40699df11a4f08066742c239d574011c351.qmlc

There is a whole bunch of them in that directory.

-------------------------

SELinux is preventing gdb from read access on the file 01afb6838a82a1f8d70b16ab3b5e324424f3d3ac.qmlc.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that gdb should be allowed read access on the 01afb6838a82a1f8d70b16ab3b5e324424f3d3ac.qmlc file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'gdb' --raw | audit2allow -M my-gdb
# semodule -X 300 -i my-gdb.pp

Additional Information:
Source Context: system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context: system_u:object_r:xdm_var_lib_t:s0
Target Objects: 01afb6838a82a1f8d70b16ab3b5e324424f3d3ac.qmlc [ file ]
Source: gdb
Source Path: gdb
Port: <Unknown>
Host: fergie
Source RPM Packages:
Target RPM Packages:
SELinux Policy RPM: selinux-policy-targeted-3.14.6-30.fc33.noarch
Local Policy RPM: selinux-policy-targeted-3.14.6-30.fc33.noarch
Selinux Enabled: True
Policy Type: targeted
Enforcing Mode: Enforcing
Host Name: fergie
Platform: Linux fergie 5.9.8-200.fc33.x86_64 #1 SMP Tue Nov 10 21:58:19 UTC 2020 x86_64 x86_64
Alert Count: 98
First Seen: 2020-11-16 21:11:05 MSK
Last Seen: 2020-11-16 21:11:05 MSK
Local ID: a2b5b658-ea67-458e-abf3-fec8ce898cda

Raw Audit Messages
type=AVC msg=audit(1605550265.340:735): avc: denied { read } for pid=1848 comm="gdb" name="01afb6838a82a1f8d70b16ab3b5e324424f3d3ac.qmlc" dev="sda2" ino=657093 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=0

Hash: gdb,abrt_t,xdm_var_lib_t,file,read

*** Bug 1900052 has been marked as a duplicate of this bug. ***

Similar problem has been detected:

I cannot report a crash that happened in Firefox Wayland when sharing a window, probably due to this SELinux config.

hashmarkername: setroubleshoot
kernel: 5.9.9-200.fc33.x86_64
reason: SELinux is preventing gdb from 'read' accesses on the chr_file renderD128.
type: libreport

Similar problem has been detected:

Happened while watching a MKV file

hashmarkername: setroubleshoot
kernel: 5.9.13-200.fc33.x86_64
package: selinux-policy-targeted-3.14.6-31.fc33.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file card0.
type: libreport

Similar problem has been detected:

I was reading a web page and viewing a pdf file.
When I scrolled downward, my session froze then the window manager restarted

hashmarkername: setroubleshoot
kernel: 5.9.13-200.fc33.x86_64
package: selinux-policy-targeted-3.14.6-31.fc33.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file card0.
type: libreport

Similar problem has been detected:

Logged in to Plasma session (Non-Wayland) from cold boot.

hashmarkername: setroubleshoot
kernel: 5.9.13-200.fc33.x86_64
package: selinux-policy-targeted-3.14.6-31.fc33.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file card0.
type: libreport

Similar problem has been detected:

Possibly when attempt to print test page on newly installed printer.

hashmarkername: setroubleshoot
kernel: 5.9.10-200.fc33.x86_64
package: selinux-policy-targeted-3.14.6-30.fc33.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file renderD128.
type: libreport

Similar problem has been detected:

Attempting to print a test page.

hashmarkername: setroubleshoot
kernel: 5.9.10-200.fc33.x86_64
package: selinux-policy-targeted-3.14.6-30.fc33.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file renderD128.
type: libreport

Similar problem has been detected:

As far as I can tell:
Installing some new "Global Themes" in the KDE "System Settings" applet:
A: requires elevated permissions and
B: crashes the KDE "System Settings" applet
Which invokes GDB to try and debug that crash.
Which runs afoul of SELinux.
Which creates this bug report.

hashmarkername: setroubleshoot
kernel: 5.9.15-200.fc33.x86_64
package: selinux-policy-targeted-3.14.6-33.fc33.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file card0.
type: libreport

Similar problem has been detected:

Firefox froze momentarily, and then I was notified that GDB debug was denied for DRI.
hashmarkername: setroubleshoot
kernel: 5.9.16-200.fc33.x86_64
package: selinux-policy-targeted-3.14.6-33.fc33.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file renderD128.
type: libreport

Users seem to be reporting this AVC in relation to many different events. For me, I can reliably reproduce this AVC by causing an application to crash. (Turns out, a program I regularly use is broken in F33, so I can tell this AVC occurs every time I try to start it.) I think ABRT is trying to start gdb?

Similar problem has been detected:

updated cinnamon DE and rebooted

hashmarkername: setroubleshoot
kernel: 5.9.16-200.fc33.x86_64
package: selinux-policy-targeted-3.14.6-33.fc33.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file card0.
type: libreport

Similar problem has been detected:

Xorg with nouveau doesn't wake display or card from powered system suspend (sleep). When Xorg session is killed, SELinux consumes load on single thread of CPU on and floods system journal with gdb attempting to "read" "card0"

hashmarkername: setroubleshoot
kernel: 5.9.16-200.fc33.x86_64
package: selinux-policy-targeted-3.14.6-33.fc33.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file card0.
type: libreport

Similar problem has been detected:

I think that this happened when Nextcloud client crashed.

hashmarkername: setroubleshoot
kernel: 5.10.6-200.fc33.x86_64
reason: SELinux is preventing gdb from 'read' accesses on the chr_file card0.
type: libreport

Similar problem has been detected:

Trying to run the game marsshooter.

hashmarkername: setroubleshoot
kernel: 5.10.6-200.fc33.x86_64
package: selinux-policy-targeted-3.14.6-33.fc33.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file renderD128.
type: libreport

*** Bug 1917977 has been marked as a duplicate of this bug. ***

Similar problem has been detected:

I logged out of electrum, after a few seconds some error occurred and started generating error reports. After this launch, this message appeared.

hashmarkername: setroubleshoot
kernel: 5.10.9-201.fc33.x86_64
package: selinux-policy-targeted-3.14.6-34.fc33.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file renderD128.
type: libreport

Similar problem has been detected:

was playing game and screen turned black then it came back with all sorts of artefacts on screen. did ctrl+alt+f4 screen suddenly came back in normal environment. tons of SElinux alerts. when I try recommended command it says: Nothing to do and
libsemanage.map_file: Unable to open my-gdb.pp (No such file or directory).
libsemanage.semanage_direct_install_file: Unable to read file my-gdb.pp (No such file or directory).
semodule: Failed on my-gdb.pp!

hashmarkername: setroubleshoot
kernel: 5.10.9-301.preempt_fsync.fc33.x86_64
package: selinux-policy-targeted-3.14.6-34.fc33.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file card0.
type: libreport

*** Bug 1930719 has been marked as a duplicate of this bug. ***

*** Bug 1936220 has been marked as a duplicate of this bug. ***

*** Bug 1936890 has been marked as a duplicate of this bug. ***

Similar problem has been detected:

Using Konsole

hashmarkername: setroubleshoot
kernel: 5.8.15-301.fc33.x86_64
package: selinux-policy-targeted-3.14.6-35.fc33.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file card0.
type: libreport

Martine,

We have a bunch of bugs for abrt executing gdb which subsequently requires access to various devices, capabilities, and permissions. It was first reported in this bz 2020-11-11, so it probably is related to some change prior to this date in how abrt gets to executing gdb.

Can you tell us the chain of commands which eventually ends with gdb?
Internal note - there is abrt-handle-event which is quite powerful:

# ll -Za /usr/libexec/abrt-handle-event
-rwxr-xr-x. 1 root root system_u:object_r:abrt_handle_event_exec_t:s0 24568 25. led 19.26 /usr/libexec/abrt-handle-event
# seinfo -xt abrt_handle_event_t

Types: 1
type abrt_handle_event_t, abrt_domain, application_domain_type, can_read_shadow_passwords, can_write_shadow_passwords, can_relabelto_shadow_passwords, can_change_object_identity, can_load_kernmodule, can_load_policy, can_setbool, can_setenforce, can_setsecparam, corenet_unconfined_type, corenet_unlabeled_type, devices_unconfined_type, domain, files_unconfined_type, filesystem_unconfined_type, kern_unconfined, kernel_system_state_reader, named_filetrans_domain, process_uncond_exempt, selinux_unconfined_type, storage_unconfined_type, unconfined_domain_type, dbusd_unconfined, sepgsql_unconfined_type, can_relabelto_binary_policy, userdom_filetrans_type, x_domain, xserver_unconfined_type;

*** Bug 1896762 has been marked as a duplicate of this bug. ***
*** Bug 1897468 has been marked as a duplicate of this bug. ***
*** Bug 1897863 has been marked as a duplicate of this bug. ***
*** Bug 1899215 has been marked as a duplicate of this bug. ***
*** Bug 1901406 has been marked as a duplicate of this bug. ***
*** Bug 1902602 has been marked as a duplicate of this bug. ***
*** Bug 1903404 has been marked as a duplicate of this bug. ***
*** Bug 1912029 has been marked as a duplicate of this bug. ***
*** Bug 1915470 has been marked as a duplicate of this bug. ***
*** Bug 1917228 has been marked as a duplicate of this bug. ***
*** Bug 1929758 has been marked as a duplicate of this bug. ***
*** Bug 1929759 has been marked as a duplicate of this bug. ***
*** Bug 1936305 has been marked as a duplicate of this bug. ***
*** Bug 1937021 has been marked as a duplicate of this bug. ***
*** Bug 1938237 has been marked as a duplicate of this bug. ***
*** Bug 1943780 has been marked as a duplicate of this bug. ***

Similar problem has been detected:

I was working on my laptop and the system STUCK and REBOOT.

hashmarkername: setroubleshoot
kernel: 5.11.11-200.fc33.x86_64
package: selinux-policy-targeted-3.14.6-36.fc33.noarch
reason: SELinux is preventing gdb from 'open' accesses on the chr_file /dev/nvidia0.
type: libreport

Similar problem has been detected:

When login after update to Fedora 34

hashmarkername: setroubleshoot
kernel: 5.11.12-300.fc34.x86_64
package: selinux-policy-targeted-34.2-1.fc34.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file nvidiactl.
type: libreport

Similar problem has been detected:

I ran gdb on a (coredump of a) process that was accessing second GPU.

hashmarkername: setroubleshoot
kernel: 5.11.14-300.fc34.x86_64
package: selinux-policy-targeted-34.3-1.fc34.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file card1.
type: libreport

Similar problem has been detected:

DEFAULTH

hashmarkername: setroubleshoot
kernel: 5.11.16-300.fc34.x86_64
package: selinux-policy-targeted-34.3-1.fc34.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file card0.
type: libreport

Similar problem has been detected:

I inserted my Logitech game controller in the usb and got this bug

hashmarkername: setroubleshoot
kernel: 5.11.17-300.fc34.x86_64
package: selinux-policy-targeted-34.4-1.fc34.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file card0.
type: libreport

Similar problem has been detected:

Happens when flatpak apps crash with ABRT installed.

hashmarkername: setroubleshoot
kernel: 5.12.2-300.fc34.x86_64
package: selinux-policy-targeted-34.5-1.fc34.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file renderD128.
type: libreport

*** Bug 1959183 has been marked as a duplicate of this bug. ***

Similar problem has been detected:

Disconnect USB-C dock.
hashmarkername: setroubleshoot
kernel: 5.11.19-200.fc33.x86_64
package: selinux-policy-targeted-3.14.6-37.fc33.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file card0.
type: libreport

Similar problem has been detected:

Occurs after the update

hashmarkername: setroubleshoot
kernel: 5.11.20-200.fc33.x86_64
package: selinux-policy-targeted-3.14.6-37.fc33.noarch
reason: SELinux is preventing gdb from 'read' accesses on the fichier user.
type: libreport

Similar problem has been detected:

Got through:

from numpy import pi, sin, cos, mgrid
dphi, dtheta = pi/250.0, pi/250.0
[phi,theta] = mgrid[0:pi+dphi*1.5:dphi,0:2*pi+dtheta*1.5:dtheta]
m0 = 4; m1 = 3; m2 = 2; m3 = 3; m4 = 6; m5 = 2; m6 = 6; m7 = 4;
r = sin(m0*phi)**m1 + cos(m2*phi)**m3 + sin(m4*theta)**m5 + cos(m6*theta)**m7
x = r*sin(phi)*cos(theta)
y = r*cos(phi)
z = r*sin(phi)*sin(theta)

in mayavi2

on typing:

from mayavi import mlab

it crashed

hashmarkername: setroubleshoot
kernel: 5.11.20-300.fc34.x86_64
package: selinux-policy-targeted-34.7-1.fc34.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file card0.
type: libreport

On a desktop with an AMD graphics card, happens sometimes when electron applications crash.

SELinux is preventing gdb from read access on the chr_file renderD128.

Plugin: catchall
SELinux denied access requested by gdb. It is not expected that this access is required by gdb and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

If you believe that gdb should be allowed read access on the renderD128 chr_file by default.
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# ausearch -c 'gdb' --raw | audit2allow -M my-gdb
# semodule -X 300 -i my-gdb.pp

*** Bug 1965531 has been marked as a duplicate of this bug. ***

Similar problem has been detected:

Upon returning from suspend-to-ram and logging in to Xfce again. I loaded a new website in an already open Firefox tab, and the web render area began blinking randomly. Within 3-4 seconds, the X Server session died. I logged in again and immediately this SEL error kept continually coming up

hashmarkername: setroubleshoot
kernel: 5.12.6-200.fc33.x86_64
package: selinux-policy-targeted-3.14.6-37.fc33.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file card0.
type: libreport

Similar problem has been detected:

After system restart

hashmarkername: setroubleshoot
kernel: 5.12.8-200.fc33.x86_64
package: selinux-policy-targeted-3.14.6-37.fc33.noarch
reason: SELinux is preventing gdb from 'read' accesses on the Datei user.
type: libreport

Similar problem has been detected:

This seems to happen every time when some GUI application crashes (most recently, the spotify flatpak, when closing the window), and gdb tries to generate a coredump for ABRT or something. I'm using the proprietary NVidia driver.

hashmarkername: setroubleshoot
kernel: 5.12.10-300.fc34.x86_64
package: selinux-policy-targeted-34.11-1.fc34.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file nvidiactl.
type: libreport

> I'm using the proprietary NVidia driver.

I experience this issue as well, but I am not using any proprietary drivers.
Similar problem has been detected:

Plasma System Settings crashed, which probably started DrKonqi in the background (I cannot see it yet).

hashmarkername: setroubleshoot
kernel: 5.12.11-300.fc34.x86_64
package: selinux-policy-targeted-34.11-1.fc34.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file renderD128.
type: libreport

Similar problem has been detected:

I was tweaking some window buttons configuration, then I apply and plasma just crashes, it opens again and I get like 800 errors.

hashmarkername: setroubleshoot
kernel: 5.12.12-300.fc34.x86_64
package: selinux-policy-targeted-34.11-1.fc34.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file renderD128.
type: libreport

Similar problem has been detected:

I was working on a presentation on libreoffice, when Xorg crashed. When I logged back in, I received a series of these denials. This is not the first time (the Xorg crash, and these SELinux denials after a crash). I think abrt tries to run something and fails.

hashmarkername: setroubleshoot
kernel: 5.12.12-200.fc33.x86_64
package: selinux-policy-targeted-3.14.6-38.fc33.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file card0.
type: libreport

Similar problem has been detected:

I was using LibreOffice Calc. I clicked on a new cell to type a formula, and at that point the display first froze, then flickered, I could briefly see the bootup/shutdown sequence of systemd units turning off, and then Xorg restarted and I was thrown back at the LightDM login screen.

hashmarkername: setroubleshoot
kernel: 5.12.13-200.fc33.x86_64
package: selinux-policy-targeted-3.14.6-38.fc33.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file card0.
type: libreport

seems to happen when flatpak apps crash
I'm on amdgpu, fedora 34

Similar problem has been detected:

right on desktop login

hashmarkername: setroubleshoot
kernel: 5.12.14-300.fc34.x86_64
package: selinux-policy-targeted-34.13-1.fc34.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file card0.
type: libreport

Similar problem has been detected:

I closed KVM.

hashmarkername: setroubleshoot
kernel: 5.12.14-300.fc34.x86_64
package: selinux-policy-targeted-34.13-1.fc34.noarch
reason: SELinux is preventing gdb from 'read' accesses on the chr_file renderD128.
type: libreport
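
Added example (not part of the bug report and not setroubleshoot's own code): a Python sketch that parses raw AVC records like the two quoted in the comments above and rebuilds the `Hash:` signature shown beneath them, so that a flood of alerts can be reduced to the distinct source type, target type, class and permission combinations before anyone loads an `audit2allow` module. The function names are hypothetical, the third sample record is constructed, and joining multiple permissions with commas is an assumption.

```python
import re
from collections import defaultdict

# Records 1 and 2 are the raw audit messages quoted in this bug.
# Record 3 is constructed for this example (timestamp, pid and ino are made up)
# to show two DRI device nodes collapsing into a single signature.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1605429979.62:890): avc: denied { read } for pid=5735 comm="gdb" name="card0" dev="devtmpfs" ino=665 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1605550265.340:735): avc: denied { read } for pid=1848 comm="gdb" name="01afb6838a82a1f8d70b16ab3b5e324424f3d3ac.qmlc" dev="sda2" ino=657093 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1605550300.100:801): avc: denied { read } for pid=1901 comm="gdb" name="renderD128" dev="devtmpfs" ino=666 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other records."""
    m = _PERMS.search(line)
    if "type=AVC " not in line or m is None:
        return None
    fields = {key: value.strip('"') for key, value in _KV.findall(line)}
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields


def se_type(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(":")[2]


def signature(rec):
    """comm,source_type,target_type,tclass,perms as in the Hash: lines above."""
    return ",".join([rec["comm"], se_type(rec["scontext"]),
                     se_type(rec["tcontext"]), rec["tclass"], *rec["perms"]])


def summarize(log_text):
    """Group denials by signature with a count and the object names seen."""
    groups = defaultdict(lambda: {"count": 0, "objects": set(), "enforced": 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        group = groups[signature(rec)]
        group["count"] += 1
        group["objects"].add(rec.get("name", "?"))
        # permissive=0 means the access was actually blocked, not just logged
        group["enforced"] += rec.get("permissive") == "0"
    return {sig: {"count": g["count"], "objects": sorted(g["objects"]),
                  "enforced": g["enforced"]} for sig, g in groups.items()}


if __name__ == "__main__":
    for sig, info in summarize(SAMPLE_AUDIT_LOG).items():
        print(f"{info['count']:3d}  {sig}  objects={info['objects']}")
```
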