Bug 1276931 - SELinux is preventing abrt-hook-ccpp from almost everything
Summary: SELinux is preventing abrt-hook-ccpp from almost everything
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1273628 1274313 1276680 1277392 1277403 1279254 1279255
Depends On:
Blocks: 1254188 1276305 abrt-hook-ccpp-SELinux
Reported: 2015-11-01 14:03 UTC by alberth289346
Modified: 2015-12-02 00:05 UTC (History)
CC List: 38 users

Fixed In Version: selinux-policy-3.13.1-128.21.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
: abrt-hook-ccpp-SELinux (view as bug list)
Environment:
Last Closed: 2015-11-27 03:53:50 UTC
Type: Bug
Embargoed:


Attachments:
# ausearch -m AVC -ts today (4.45 KB, text/plain), 2015-11-02 08:36 UTC, Jakub Filak

Description alberth289346 2015-11-01 14:03:51 UTC
Description of problem:
Abrt (again) hijacks core dumps of my programs that I am developing.
I have set ulimit -c explicitly to get dumps for further analysis, I really do not want some bloody system to hijack them.

Please note somewhere in the project that you should honour the ulimit. This is the second time already I have to report this. Please keep your hands away from my binaries!!!!!

Version-Release number of selected component (if applicable):
22

How reproducible:
1 make a program that crashes.
2 Enable ulimit -c.
3 Run the program, watch it crash.
4 See the message "core dumped".
5 See the core dump not in the directory where it should be, even though you enabled ulimit -c to get that.
6 Be highly annoyed that *again* the bloody OS is messing with your binaries.


Additional info:

I can see you want crash reports. I don't see why you want random binaries, I don't see why you do not honour my ulimit -c setting.

Please remember some people do other stuff than browsing and email.

Comment 1 Jakub Filak 2015-11-02 07:47:10 UTC
I am terribly sorry for the inconvenience. I can assure you this is a bug and it is probably caused by selinux preventing abrt from creating the core dump file in the right place. We try really hard to discover these bugs and here is our test case verifying that abrt honors 'ulimit -c':
https://github.com/abrt/abrt/blob/master/tests/runtests/compat-cores/runtest.sh

Comment 2 Jakub Filak 2015-11-02 08:36:55 UTC
Created attachment 1088488 [details]
# ausearch -m AVC -ts today

$ mkdir coredumps
$ cd coredumps/
$ ulimit -c unlimited
$ ulimit -c
unlimited

# Generate an arbitrary crash
$ will_segfault 
Will segfault.
Segmentation fault (core dumped)

# journal contains message logged by abrt-hook-ccpp trying to create the core file in the process' CWD
$ sudo journalctl -n 5
Nov 02 09:21:43 localhost.localdomain audit[1393]: <audit-1400> avc:  denied  { getattr } for  pid=1393 comm="abrt-hook-ccpp" path="ipc:[4026531839]" dev="nsfs" ino=4026531839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Nov 02 09:21:43 localhost.localdomain abrt-hook-ccpp[1393]: Can't open process's CWD for CompatCore: Permission denied
Nov 02 09:21:43 localhost.localdomain audit[1393]: <audit-1400> avc:  denied  { read } for  pid=1393 comm="abrt-hook-ccpp" name="coredumps" dev="dm-1" ino=272302 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
Nov 02 09:21:43 localhost.localdomain abrt-hook-ccpp[1393]: Can't open /proc/sys/fs/suid_dumpable
Nov 02 09:21:43 localhost.localdomain kernel: will_segfault[1392]: segfault at 0 ip 00000000004008ae sp 00007ffdc0575ec0 error 4 in will_segfault[400000+1000]

# ABRT has detected the crash
$ abrt-cli list
id ecd85a3f16cb78eb236429b1b969eb870c76b2b3
reason:         will_segfault killed by SIGSEGV
time:           Mon 02 Nov 2015 09:21:43 AM CET
cmdline:        will_segfault
package:        will-crash-0.10-1.fc22
uid:            1000 (jfilak)
count:          1
Directory:      /var/spool/abrt/ccpp-2015-11-02-09:21:43-1392

# However, no core file has been created in the working directory
$ ls

# Turn SELinux permissive
$ sudo setenforce 0

# Regenerated the crash
$ will_segfault 
Will segfault.
Segmentation fault (core dumped)

# The core file has been created
$ ls
core.1447

$ sudo ausearch -m AVC -ts today
$ rpm -q selinux-policy
selinux-policy-3.13.1-128.18.fc22.noarch

Comment 3 Seb L. 2015-11-06 07:51:17 UTC
Hi,

Regarding the *first* AVC:

  avc:  denied  { getattr } for  pid=1393 comm="abrt-hook-ccpp" path="ipc:
  [4026531839]" dev="nsfs" ino=4026531839 scontext=system_u:system_r:
  abrt_dump_oops_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
  permissive=0

=> missing context for the nsfs device

Same cause (again, only for the first AVC) as bug https://bugzilla.redhat.com/show_bug.cgi?id=1234757#c7 , same resolution (see nsfs_fix.patch to be applied to the selinux-policy repo: https://bugzilla.redhat.com/attachment.cgi?id=1090403 ).

Best regards,
Sébastien

Comment 4 Miroslav Grepl 2015-11-09 06:39:42 UTC
*** Bug 1273628 has been marked as a duplicate of this bug. ***

Comment 5 Miroslav Grepl 2015-11-09 06:39:57 UTC
*** Bug 1274313 has been marked as a duplicate of this bug. ***

Comment 6 Miroslav Grepl 2015-11-09 06:40:16 UTC
*** Bug 1276680 has been marked as a duplicate of this bug. ***

Comment 7 Miroslav Grepl 2015-11-09 06:40:30 UTC
*** Bug 1277392 has been marked as a duplicate of this bug. ***

Comment 8 Miroslav Grepl 2015-11-09 06:40:38 UTC
*** Bug 1277403 has been marked as a duplicate of this bug. ***

Comment 9 Miroslav Grepl 2015-11-09 06:51:11 UTC
Jakub,
(In reply to Jakub Filak from comment #2)
> Created attachment 1088488 [details]
> # ausearch -m AVC -ts today
> 
> $ mkdir coredumps
> $ cd coredumps/
> $ ulimit -c unlimited
> $ ulimit -c
> unlimited
> 
> # Generate an arbitrary crash
> $ will_segfault 
> Will segfault.
> Segmentation fault (core dumped)
> 

So there is no other way to handle these coredumps on a system? We would need to "open" SELinux protection for abrt-hook-ccpp altogether. If I understand correctly, it can write coredumps everywhere.

Comment 10 Miroslav Grepl 2015-11-09 07:25:10 UTC
*** Bug 1245477 has been marked as a duplicate of this bug. ***

Comment 11 Jakub Filak 2015-11-09 08:09:57 UTC
Yes, if a user sets "ulimit -c" to a non-0 number or unlimited, then abrt-hook-ccpp saves the core dump file in the very same way as the kernel does (man 5 core). Please note that abrt-hook-ccpp computes the SELinux context for creating a new file for the crashing process [1] and uses the context to create the core dump file [2].


1: http://article.gmane.org/gmane.comp.security.selinux/21842
2: https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L223


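<snip>
    /* SELinux context of the crashed process */
    getpidcon_raw(crashed_pid, &srccon);
    /* SELinux context of the crashed process's working directory */
    fgetfilecon_raw(crashed_cwd_fd, &dstcon);
    /* Context a file created by that process in that directory would get */
    security_compute_create_raw(srccon, dstcon, string_to_security_class("file"), &newcon);
    /* Have the next created file labelled with the computed context */
    if (setfscreatecon_raw(newcon) < 0)
         goto err_exit;

    user_core_fd = openat(crashed_cwd_fd, core_file_name, O_WRONLY | O_CREAT | O_NOFOLLOW | O_EXCL, 0600);

    /* Reset to the default file-creation context */
    setfscreatecon_raw(NULL);
</snip>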

Comment 12 Miroslav Grepl 2015-11-09 10:54:18 UTC
*** Bug 1279254 has been marked as a duplicate of this bug. ***

Comment 13 Miroslav Grepl 2015-11-09 10:55:11 UTC
*** Bug 1279255 has been marked as a duplicate of this bug. ***

Comment 14 Marco Guazzone 2015-11-09 13:36:35 UTC
Description of problem:
Mail notification was running

Version-Release number of selected component:
selinux-policy-3.13.1-128.18.fc22.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-201.fc22.x86_64
type:           libreport

Comment 15 cseh.szombathy.daniel 2015-11-09 16:15:01 UTC
Description of problem:
Have no clue to be honest, just received a message

Version-Release number of selected component:
selinux-policy-3.13.1-128.18.fc22.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-201.fc22.x86_64
type:           libreport

Comment 16 Vasco Rodrigues 2015-11-09 17:00:45 UTC
Description of problem:
Evolution crashed and abrt doesn't have access to files for making a trace

Version-Release number of selected component:
selinux-policy-3.13.1-152.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport

Comment 17 David Novák 2015-11-09 23:26:46 UTC
I have a similar problem on Fedora 23 (should I create a new bug?)

It happens immediately after Nautilus crashed (which it does quite often, by the way).

This is SELinux Alert Browser report:

SELinux is preventing abrt-hook-ccpp from getattr access on the file file.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow abrt-hook-ccpp to have getattr access on the file file
Then you need to change the label on file
Do
# semanage fcontext -a -t FILE_TYPE 'file'
where FILE_TYPE is one of the following: [...]
Then execute: 
restorecon -v 'file'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that abrt-hook-ccpp should be allowed getattr access on the file file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_dump_oops_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                file [ file ]
Source                        abrt-hook-ccpp
Source Path                   abrt-hook-ccpp
Port                          <Unknown>
Host                          david-nb
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-152.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     david-nb
Platform                      Linux david-nb 4.2.3-300.fc23.x86_64 #1 SMP Mon
                              Oct 5 15:42:54 UTC 2015 x86_64 x86_64
Alert Count                   6
First Seen                    2015-11-08 19:44:38 CET
Last Seen                     2015-11-10 00:13:42 CET
Local ID                      9272c727-af42-4691-bac7-352d6c7936d0

Raw Audit Messages
type=AVC msg=audit(1447110822.396:940): avc:  denied  { getattr } for  pid=18557 comm="abrt-hook-ccpp" path="ipc:[4026531839]" dev="nsfs" ino=4026531839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0


Hash: abrt-hook-ccpp,abrt_dump_oops_t,unlabeled_t,file,getattr
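
Added example (not part of the original bug report, and not code from abrt or selinux-policy): a small parser that triages the AVC denials quoted in comments 2 and 17, in both journalctl and audit.log form. It groups them by the same fields as the setroubleshoot "Hash:" line and shows the allow rule each group corresponds to, marking unlabeled_t targets as a labeling problem, as comment 3 concludes for nsfs. All function names are hypothetical.

```python
import re
from collections import defaultdict

# AVC records copied from the comments above: three journalctl lines from
# comment 2 (one is not an AVC) and one audit.log line from comment 17.
SAMPLE_LOG = """\
Nov 02 09:21:43 localhost.localdomain audit[1393]: <audit-1400> avc:  denied  { getattr } for  pid=1393 comm="abrt-hook-ccpp" path="ipc:[4026531839]" dev="nsfs" ino=4026531839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Nov 02 09:21:43 localhost.localdomain abrt-hook-ccpp[1393]: Can't open process's CWD for CompatCore: Permission denied
Nov 02 09:21:43 localhost.localdomain audit[1393]: <audit-1400> avc:  denied  { read } for  pid=1393 comm="abrt-hook-ccpp" name="coredumps" dev="dm-1" ino=272302 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1447110822.396:940): avc:  denied  { getattr } for  pid=18557 comm="abrt-hook-ccpp" path="ipc:[4026531839]" dev="nsfs" ino=4026531839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED = ("scontext", "tcontext", "tclass")


def type_of(context):
    """Extract the type from user:role:type[:level]; the level may contain colons."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in rec for k in REQUIRED):
        return None
    rec["perms"] = m.group("perms").split()
    rec["stype"] = type_of(rec["scontext"])
    rec["ttype"] = type_of(rec["tcontext"])
    return rec


def group_denials(text):
    """Group by (comm, source type, target type, class), collecting permissions."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec.get("comm", "?"), rec["stype"], rec["ttype"], rec["tclass"])
            groups[key].update(rec["perms"])
    return dict(groups)


def triage(groups):
    """Render each group as the allow rule it corresponds to, with a triage note."""
    out = []
    for (comm, stype, ttype, tclass), perms in sorted(groups.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rule = f"allow {stype} {ttype}:{tclass} {perm_str};"
        # unlabeled_t means the object has no usable label, so the fix
        # belongs in labeling (here: nsfs), not in an allow rule.
        note = "fix labeling" if ttype == "unlabeled_t" else "review rule"
        out.append((comm, rule, note))
    return out


if __name__ == "__main__":
    for comm, rule, note in triage(group_denials(SAMPLE_LOG)):
        print(f"{comm}: {rule}  # {note}")
```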

Comment 18 Gerard Ryan 2015-11-11 13:39:11 UTC
I see the same as David in comment #17 regularly on F23.

Comment 19 Jonathan Wakely 2015-11-17 13:14:06 UTC
abrt is still useless (or worse than useless) with selinux-policy-3.13.1-128.20.fc22.noarch

~$ rpm -q selinux-policy kernel
selinux-policy-3.13.1-128.20.fc22.noarch
kernel-4.1.10-200.fc22.x86_64
kernel-4.2.3-200.fc22.x86_64
kernel-4.2.5-201.fc22.x86_64

Rebooting to kernel-4.1.10-200 made the abrt gui start telling me about all the core dumps I've had for the past few weeks, so there seems to be some interaction with the kernel version, not just selinux-policy and abrt.

Comment 20 Jakub Filak 2015-11-19 11:49:42 UTC
There are AVCs that still need to be fixed:
https://bugzilla.redhat.com/show_bug.cgi?id=1276305#c21

Comment 21 Miroslav Grepl 2015-11-20 09:35:17 UTC
https://github.com/fedora-selinux/selinux-policy

commit eede06c32cf71e671e8d3e67b2786153974cc4a6
Author: Miroslav Grepl <mgrepl>
Date:   Fri Nov 13 09:51:39 2015 +0100

    Allow abrt-hook-ccpp to change SELinux user identity for created objects.

commit 08c81c0dd19a4d14a44ecf7a9d195b612e66186b
Author: Miroslav Grepl <mgrepl>
Date:   Fri Nov 13 09:49:44 2015 +0100

    Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern.

commit 9eb711b88bce8f0bd5664b8cf4d53ee97fc434a7
Author: Miroslav Grepl <mgrepl>
Date:   Fri Nov 13 09:46:23 2015 +0100

    Allow setuid/setgid capabilities for abrt-hook-ccpp

Comment 22 Fedora Update System 2015-11-20 13:12:21 UTC
selinux-policy-3.13.1-128.21.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-1bbd3df966

Comment 23 Fedora Update System 2015-11-21 17:51:24 UTC
selinux-policy-3.13.1-128.21.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-1bbd3df966

Comment 24 Vasco Rodrigues 2015-11-26 03:12:14 UTC
Will this be pushed to F23?

Comment 25 Lukas Vrabec 2015-11-26 09:27:05 UTC
commit 6cdd9128069aa3df468fe4f5af574e34e1813e9b
Author: Miroslav Grepl <mgrepl>
Date:   Fri Nov 13 09:51:39 2015 +0100

    Allow abrt-hook-ccpp to change SELinux user identity for created objects.

commit d3a8af70e1ec6080e1bf89931df7a7946119ae05
Author: Miroslav Grepl <mgrepl>
Date:   Fri Nov 13 09:49:44 2015 +0100

    Allow abrt-hook-ccpp to get attributes of all processes because of core_pattern.

commit 33977d7a773c9b32734a06c55e6b79201e9513b9
Author: Miroslav Grepl <mgrepl>
Date:   Fri Nov 13 09:46:23 2015 +0100

    Allow setuid/setgid capabilities for abrt-hook-ccpp.

It's pushed in F23 already.

Comment 26 Fedora Update System 2015-11-27 03:52:21 UTC
selinux-policy-3.13.1-128.21.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 27 Jonathan Wakely 2015-11-27 18:02:12 UTC
As I noted in bodhi, I still get no core dumps, so this apparently isn't fixed.

Comment 28 Liam Beistle 2015-12-02 00:05:06 UTC
Description of problem:
Cannot view hulu or netflix or amazon in fedora via chrome or firefox

Version-Release number of selected component:
selinux-policy-3.13.1-128.18.fc22.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-200.fc22.x86_64
type:           libreport

