12:55 p.m.
When I debug (local compiled executable) as user with gdb I get this d:
[selinux-policy-3.7.19-39.fc13.noarch]
gene/
------------------------------
Summary:
SELinux is preventing /usr/bin/gdb "write" access on
/usr/share/glib-2.0/gdb.
Detailed Description:
SELinux denied access requested by gdb. It is not expected that this
access is
required by gdb and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
...
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:usr_t:s0
Target Objects /usr/share/glib-2.0/gdb [ dir ]
Source gdb
Source Path /usr/bin/gdb
Port <Unknown>
Host lap1.prv.sapience.com
Source RPM Packages gdb-7.1-23.fc13
Target RPM Packages glib2-devel-2.24.1-1.fc13
Policy RPM selinux-policy-3.7.19-21.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name lap1.prv.sapience.com
Platform Linux lap1.prv.sapience.com
2.6.33.5-112.fc13.x86_64 #1 SMP Thu May 27
02:28:31 UTC 2010 x86_64 x86_64
Alert Count 2
First Seen Mon 31 May 2010 06:39:33 PM EDT
Last Seen Mon 31 May 2010 06:39:33 PM EDT
Local ID 93cf7fa2-26ba-4ce9-8bec-2d73222d4602
Line Numbers
Raw Audit Messages
node=lap1.prv.sapience.com type=AVC msg=audit(1275345573.390:33574):
avc: denied { write } for pid=6060 comm="gdb" name="gdb" dev=sda8
ino=929092 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=dir
node=lap1.prv.sapience.com type=SYSCALL msg=audit(1275345573.390:33574):
arch=c000003e syscall=2 success=no exit=-13 a0=7fffc10c7b30 a1=2c1
a2=81a4 a3=7fcbd6e98ad0 items=0 ppid=6058 pid=6060 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="gdb" exe="/usr/bin/gdb"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
1:38 p.m.
On Tue, 2010-07-27 at 13:55 -0400, Genes MailLists wrote:
When I debug (local compiled executable) as user with gdb I get this
d:
[selinux-policy-3.7.19-39.fc13.noarch]
gene/
------------------------------
Summary:
SELinux is preventing /usr/bin/gdb "write" access on
/usr/share/glib-2.0/gdb.
Detailed Description:
SELinux denied access requested by gdb. It is not expected that this
access is
required by gdb and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
...
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:usr_t:s0
Target Objects /usr/share/glib-2.0/gdb [ dir ]
Source gdb
Source Path /usr/bin/gdb
Port <Unknown>
Host lap1.prv.sapience.com
Source RPM Packages gdb-7.1-23.fc13
Target RPM Packages glib2-devel-2.24.1-1.fc13
Policy RPM selinux-policy-3.7.19-21.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name lap1.prv.sapience.com
Platform Linux lap1.prv.sapience.com
2.6.33.5-112.fc13.x86_64 #1 SMP Thu May 27
02:28:31 UTC 2010 x86_64 x86_64
Alert Count 2
First Seen Mon 31 May 2010 06:39:33 PM EDT
Last Seen Mon 31 May 2010 06:39:33 PM EDT
Local ID 93cf7fa2-26ba-4ce9-8bec-2d73222d4602
Line Numbers
Raw Audit Messages
node=lap1.prv.sapience.com type=AVC msg=audit(1275345573.390:33574):
avc: denied { write } for pid=6060 comm="gdb" name="gdb" dev=sda8
ino=929092 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=dir
node=lap1.prv.sapience.com type=SYSCALL msg=audit(1275345573.390:33574):
arch=c000003e syscall=2 success=no exit=-13 a0=7fffc10c7b30 a1=2c1
a2=81a4 a3=7fcbd6e98ad0 items=0 ppid=6058 pid=6060 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="gdb" exe="/usr/bin/gdb"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
It seems odd to me that gdb is running as xdm_t. Can you give the output
of ls -Z /usr/bin/gdb and also matchpathcon /usr/bin/gdb
Dave
7:40 p.m.
Silly user error - ignore.
Duh moment - i messed up - there are 2 alerts in there - the gdb one
is from May and I can not reproduce it.
The "new" one is about /usr/bin/xauth being disallowed access to
~/.ssh file descriptor.
I am not sure what triggered that one now ..
If I can reproduce I'll re-post.
9:04 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07/27/2010 01:55 PM, Genes MailLists wrote:
When I debug (local compiled executable) as user with gdb I get this d:
[selinux-policy-3.7.19-39.fc13.noarch]
gene/
------------------------------
Summary:
SELinux is preventing /usr/bin/gdb "write" access on
/usr/share/glib-2.0/gdb.
Detailed Description:
SELinux denied access requested by gdb. It is not expected that this
access is
required by gdb and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
...
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:usr_t:s0
Target Objects /usr/share/glib-2.0/gdb [ dir ]
Source gdb
Source Path /usr/bin/gdb
Port <Unknown>
Host lap1.prv.sapience.com
Source RPM Packages gdb-7.1-23.fc13
Target RPM Packages glib2-devel-2.24.1-1.fc13
Policy RPM selinux-policy-3.7.19-21.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name lap1.prv.sapience.com
Platform Linux lap1.prv.sapience.com
2.6.33.5-112.fc13.x86_64 #1 SMP Thu May 27
02:28:31 UTC 2010 x86_64 x86_64
Alert Count 2
First Seen Mon 31 May 2010 06:39:33 PM EDT
Last Seen Mon 31 May 2010 06:39:33 PM EDT
Local ID 93cf7fa2-26ba-4ce9-8bec-2d73222d4602
Line Numbers
Raw Audit Messages
node=lap1.prv.sapience.com type=AVC msg=audit(1275345573.390:33574):
avc: denied { write } for pid=6060 comm="gdb" name="gdb" dev=sda8
ino=929092 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=dir
node=lap1.prv.sapience.com type=SYSCALL msg=audit(1275345573.390:33574):
arch=c000003e syscall=2 success=no exit=-13 a0=7fffc10c7b30 a1=2c1
a2=81a4 a3=7fcbd6e98ad0 items=0 ppid=6058 pid=6060 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="gdb" exe="/usr/bin/gdb"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
gdp ships some python code in /usr/share/glib-2.0/gdb without the
compiled versions. The first time gdm executes the python code it
attempts to write the compiled code to this directory, since gdb is
running under the xdm_t context it is denied.
If you just run python /usr/share/glib-2.0/gdb/*.py
It will generate the code and you will not see the AVC again. If you
search the bugzilla database there is an open bug on this issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkxQOPwACgkQrlYvE4MpobME2ACfbIhazINvOYWB2zWPXI+DNDLT
pUkAni3lh5RMcM7yKn4pUMOmCzpDy3on
=/Fu2
-----END PGP SIGNATURE-----
3914
days inactive
3915
days old
selinux@lists.fedoraproject.org
4 comments
3 participants
participants (3)
-
Daniel J Walsh -
David P. Quigley -
Genes MailLists