gdb and avc
Daniel J Walsh
dwalsh at redhat.com
Wed Jul 28 14:04:44 UTC 2010
On 07/27/2010 01:55 PM, Genes MailLists wrote:
>
> When I debug (local compiled executable) as user with gdb I get this d:
>
> [selinux-policy-3.7.19-39.fc13.noarch]
>
> gene/
> ------------------------------
>
> Summary:
>
> SELinux is preventing /usr/bin/gdb "write" access on
> /usr/share/glib-2.0/gdb.
>
> Detailed Description:
>
> SELinux denied access requested by gdb. It is not expected that this
> access is
> required by gdb and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
>
> ...
>
> Additional Information:
>
> Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context system_u:object_r:usr_t:s0
> Target Objects /usr/share/glib-2.0/gdb [ dir ]
> Source gdb
> Source Path /usr/bin/gdb
> Port <Unknown>
> Host lap1.prv.sapience.com
> Source RPM Packages gdb-7.1-23.fc13
> Target RPM Packages glib2-devel-2.24.1-1.fc13
> Policy RPM selinux-policy-3.7.19-21.fc13
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name lap1.prv.sapience.com
> Platform Linux lap1.prv.sapience.com
> 2.6.33.5-112.fc13.x86_64 #1 SMP Thu May 27
> 02:28:31 UTC 2010 x86_64 x86_64
> Alert Count 2
> First Seen Mon 31 May 2010 06:39:33 PM EDT
> Last Seen Mon 31 May 2010 06:39:33 PM EDT
> Local ID 93cf7fa2-26ba-4ce9-8bec-2d73222d4602
> Line Numbers
>
> Raw Audit Messages
>
> node=lap1.prv.sapience.com type=AVC msg=audit(1275345573.390:33574):
> avc: denied { write } for pid=6060 comm="gdb" name="gdb" dev=sda8
> ino=929092 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
>
> node=lap1.prv.sapience.com type=SYSCALL msg=audit(1275345573.390:33574):
> arch=c000003e syscall=2 success=no exit=-13 a0=7fffc10c7b30 a1=2c1
> a2=81a4 a3=7fcbd6e98ad0 items=0 ppid=6058 pid=6060 auid=4294967295 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=4294967295 comm="gdb" exe="/usr/bin/gdb"
> subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
gdb ships some python code in /usr/share/glib-2.0/gdb without the
compiled versions. The first time gdm executes the python code it
attempts to write the compiled code to this directory; since gdb is
running under the xdm_t context, it is denied.
If you just run python /usr/share/glib-2.0/gdb/*.py, it will generate
the code and you will not see the AVC again. If you search the
bugzilla database, there is an open bug on this issue.
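The denial above is a benign one: gdb tries to cache compiled bytecode next to the pretty-printer scripts, and a process in xdm_t has no write access to usr_t directories. An admin triaging audit logs wants to recognise exactly this pattern without whitelisting every "write on usr_t" denial, and to remove the trigger by compiling the scripts ahead of time with sufficient privilege. The following Python script is an added example written for this page, not code from the thread or from the gdb or selinux-policy projects. It parses the raw AVC record quoted in the thread into fields, classifies it with a deliberately narrow match (comm, permission, target class, target type and directory name must all agree), and shows the pre-compilation step using the standard-library compileall module. The second sample record and the directory used by precompile() are constructed for the example; the field names follow the audit record format visible in the message.

```python
"""Parse SELinux AVC denial records and recognise the gdb bytecode-cache case."""
import compileall
import re
from dataclasses import dataclass

# Constructed sample: the AVC record quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'node=lap1.prv.sapience.com type=AVC msg=audit(1275345573.390:33574): '
    'avc: denied { write } for pid=6060 comm="gdb" name="gdb" dev=sda8 '
    'ino=929092 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:usr_t:s0 tclass=dir'
)

# Constructed counter-example (not from the thread): a different write denial
# that must NOT be classified as the harmless gdb bytecode write.
OTHER_AVC = (
    'type=AVC msg=audit(1275345600.000:33600): avc: denied { write } for '
    'pid=7000 comm="httpd" name="index.html" dev=sda8 ino=1234 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'
)

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    result: str          # "denied" or "granted"
    perms: tuple         # permissions inside the braces, e.g. ("write",)
    fields: dict         # key/value pairs after "for", quotes stripped


def parse_avc(line):
    """Return an AvcRecord for an AVC line, or None for any other audit record."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    perms = tuple(match.group("perms").split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("rest"))}
    return AvcRecord(match.group("result"), perms, fields)


def context_type(context):
    """Extract the type from user:role:type[:range], e.g. xdm_t from the source context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def is_gdb_pyc_write(rec):
    """True only for the specific pattern in the thread: gdb denied 'write' on
    the usr_t directory named 'gdb' (the glib pretty-printer directory).
    Every field is checked so a generic write denial on usr_t is not matched."""
    return (
        rec is not None
        and rec.result == "denied"
        and rec.perms == ("write",)
        and rec.fields.get("comm") == "gdb"
        and rec.fields.get("tclass") == "dir"
        and rec.fields.get("name") == "gdb"
        and context_type(rec.fields.get("tcontext", "")) == "usr_t"
    )


def precompile(directory):
    """Generate the bytecode cache for every .py file under `directory` so that
    a later unprivileged run has nothing left to write. Run this as a user that
    is allowed to write there (root for /usr/share/glib-2.0/gdb). Note that
    Python 3 writes into a __pycache__ subdirectory rather than beside the .py."""
    return bool(compileall.compile_dir(directory, quiet=2))


if __name__ == "__main__":
    for line in (SAMPLE_AVC, OTHER_AVC):
        rec = parse_avc(line)
        verdict = "gdb bytecode-cache write (benign)" if is_gdb_pyc_write(rec) else "needs review"
        print(f'{rec.fields["comm"]:>6} {context_type(rec.fields["scontext"])} -> '
              f'{context_type(rec.fields["tcontext"])} {rec.perms}: {verdict}')
```

The classifier deliberately matches on the directory name and target type together rather than on "any write denied for gdb", so that a genuinely unexpected gdb write elsewhere still surfaces for review. precompile() is the scripted form of the remedy in the reply: once the compiled files exist, gdb no longer attempts the write and the AVC stops appearing.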