When I debug (local compiled executable) as user with gdb I get this d:
[selinux-policy-3.7.19-39.fc13.noarch]
gene/ ------------------------------
Summary:
SELinux is preventing /usr/bin/gdb "write" access on /usr/share/glib-2.0/gdb.
Detailed Description:
SELinux denied access requested by gdb. It is not expected that this access is required by gdb and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
...
Additional Information:
Source Context: system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context: system_u:object_r:usr_t:s0
Target Objects: /usr/share/glib-2.0/gdb [ dir ]
Source: gdb
Source Path: /usr/bin/gdb
Port: <Unknown>
Host: lap1.prv.sapience.com
Source RPM Packages: gdb-7.1-23.fc13
Target RPM Packages: glib2-devel-2.24.1-1.fc13
Policy RPM: selinux-policy-3.7.19-21.fc13
Selinux Enabled: True
Policy Type: targeted
Enforcing Mode: Enforcing
Plugin Name: catchall
Host Name: lap1.prv.sapience.com
Platform: Linux lap1.prv.sapience.com 2.6.33.5-112.fc13.x86_64 #1 SMP Thu May 27 02:28:31 UTC 2010 x86_64 x86_64
Alert Count: 2
First Seen: Mon 31 May 2010 06:39:33 PM EDT
Last Seen: Mon 31 May 2010 06:39:33 PM EDT
Local ID: 93cf7fa2-26ba-4ce9-8bec-2d73222d4602
Line Numbers:
Raw Audit Messages
node=lap1.prv.sapience.com type=AVC msg=audit(1275345573.390:33574): avc: denied { write } for pid=6060 comm="gdb" name="gdb" dev=sda8 ino=929092 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir
node=lap1.prv.sapience.com type=SYSCALL msg=audit(1275345573.390:33574): arch=c000003e syscall=2 success=no exit=-13 a0=7fffc10c7b30 a1=2c1 a2=81a4 a3=7fcbd6e98ad0 items=0 ppid=6058 pid=6060 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdb" exe="/usr/bin/gdb" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
On Tue, 2010-07-27 at 13:55 -0400, Genes MailLists wrote:
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
It seems odd to me that gdb is running as xdm_t. Can you give the output of ls -Z /usr/bin/gdb and also matchpathcon /usr/bin/gdb?
Dave
Silly user error - ignore.
Duh moment - I messed up - there are 2 alerts in there - the gdb one is from May and I cannot reproduce it.
The "new" one is about /usr/bin/xauth being disallowed access to ~/.ssh file descriptor.
I am not sure what triggered that one now.
If I can reproduce I'll re-post.
On 07/27/2010 01:55 PM, Genes MailLists wrote:
gdb ships some python code in /usr/share/glib-2.0/gdb without the compiled versions. The first time gdb executes the python code it attempts to write the compiled code to this directory; since gdb is running under the xdm_t context, it is denied.
If you just run python /usr/share/glib-2.0/gdb/*.py
it will generate the code and you will not see the AVC again. If you search the bugzilla database there is an open bug on this issue.
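Two helpers that go with the explanation above, added here as an example and not part of the thread: the first reduces a raw type=AVC line (the one from this report) to the permission, source domain, target type and object class, so the "confined domain writing into a usr_t directory" pattern is visible without setroubleshoot; the second byte-compiles a directory of Python helpers ahead of time with the standard compileall module, which is the precompile step that removes the write attempt. The temp directory and helper module are constructed, and a python3 (or python) interpreter is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread. Sample AVC line copied from the report above.
SAMPLE_AVC='node=lap1.prv.sapience.com type=AVC msg=audit(1275345573.390:33574): avc: denied { write } for pid=6060 comm="gdb" name="gdb" dev=sda8 ino=929092 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir'

# avc_summary LINE: print "perm source-domain target-type class" for one raw
# type=AVC line, e.g. "write xdm_t usr_t dir" for the sample above. The third
# colon-separated field of a context is the type (user:role:type:level).
avc_summary() {
    line=$1
    perm=$(printf '%s\n' "$line"   | sed -n 's/.*denied *{ *\([^} ]*\) *}.*/\1/p')
    sdom=$(printf '%s\n' "$line"   | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    ttype=$(printf '%s\n' "$line"  | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    printf '%s %s %s %s\n' "$perm" "$sdom" "$ttype" "$tclass"
}

# precompile_helpers DIR: byte-compile every .py file under DIR as the directory's
# owner (root for /usr/share), so a later import by a confined process finds
# cached bytecode and never needs write access there. Returns 0 on success,
# 1 if compilation failed, 2 when no python interpreter is available.
precompile_helpers() {
    py=$(command -v python3 2>/dev/null || command -v python 2>/dev/null) || return 2
    "$py" -m compileall -q "$1" >/dev/null 2>&1 || return 1
    # Python 3 caches under __pycache__/, Python 2 writes .pyc beside the source.
    [ -d "$1/__pycache__" ] || ls "$1"/*.pyc >/dev/null 2>&1
}

# Stand-alone demo on constructed input: one helper module in a temp directory.
avc_summary "$SAMPLE_AVC"
demo_dir=$(mktemp -d) && printf 'x = 1\n' > "$demo_dir/helper.py" \
    && precompile_helpers "$demo_dir" && echo "precompiled $demo_dir"
```

On a real system the precompile step is run once as root against the packaged directory; an unprivileged or confined process can then import the helpers read-only.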