On Wed, Dec 7, 2022 at 11:16 AM Robert McBroom via users <users@lists.fedoraproject.org> wrote:SELinux is preventing gdb from read access on the chr_file pcmC0D0p. What would call debug on boot sequence?More information may be found in /var/log/audit/audit.log. `sealert -l "*"` might also provide more information. I think chr_file is part of a SELinux macro. I'm not used to seeing it in an alert. Is that rule Ok? Maybe relabel the filesystem with `fixfiles -B onboot`? Jeff
There is nothing in audit.log referring to any of the files or processes in the alerts.
I've run
the relabel command several times and the alerts are still
there.
~]# sealert
-l "*"
SELinux is preventing gdb from read access on the chr_file
pcmC0D0p.
***** Plugin catchall (100. confidence) suggests
**************************
If you believe that gdb should be allowed read access on the
pcmC0D0p chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gdb' --raw | audit2allow -M my-gdb
# semodule -X 300 -i my-gdb.pp
Additional Information:
Source Context
system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context
system_u:object_r:sound_device_t:s0
Target Objects pcmC0D0p [ chr_file ]
Source gdb
Source Path gdb
Port <Unknown>
Host RobertPC.attlocal.net
Source RPM Packages
Target RPM Packages
SELinux Policy RPM
selinux-policy-targeted-35.11-1.fc35.noarch
Local Policy RPM
selinux-policy-targeted-35.11-1.fc35.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name RobertPC.attlocal.net
Platform Linux RobertPC.attlocal.net
5.15.16-200.fc35.x86_64 #1 SMP Thu
Jan 20 15:38:18
UTC 2022 x86_64 x86_64
Alert Count 2
First Seen 2022-01-30 01:27:15 EST
Last Seen 2022-01-30 01:31:02 EST
Local ID
ecbe31dd-1a2a-4daf-bd46-8ef565e6b227
Raw Audit Messages
type=AVC msg=audit(1643524262.137:695): avc: denied { read }
for pid=74330 comm="gdb" name="pcmC0D0p" dev="devtmpfs" ino
=532 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file
permissi
ve=1
Hash: gdb,abrt_t,sound_device_t,chr_file,read
SELinux is preventing gdb from open access on the chr_file
/dev/snd/pcmC0D0p.
***** Plugin catchall (100. confidence) suggests
**************************
If you believe that gdb should be allowed open access on the
pcmC0D0p chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gdb' --raw | audit2allow -M my-gdb
# semodule -X 300 -i my-gdb.pp
Additional Information:
Source Context
system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context
system_u:object_r:sound_device_t:s0
Target Objects /dev/snd/pcmC0D0p [ chr_file ]
Source gdb
Source Path gdb
Port <Unknown>
Host RobertPC.attlocal.net
Source RPM Packages
Target RPM Packages
SELinux Policy RPM
selinux-policy-targeted-35.11-1.fc35.noarch
Local Policy RPM
selinux-policy-targeted-35.11-1.fc35.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name RobertPC.attlocal.net
Platform Linux RobertPC.attlocal.net
5.15.16-200.fc35.x86_64 #1 SMP Thu
Jan 20 15:38:18
UTC 2022 x86_64 x86_64
Alert Count 2
First Seen 2022-01-30 01:27:15 EST
Last Seen 2022-01-30 01:31:02 EST
Local ID
fdbfada1-c6ac-42a3-990d-f574024ef660
Raw Audit Messages
type=AVC msg=audit(1643524262.137:696): avc: denied { open }
for pid=74330 comm="gdb" path="/dev/snd/pcmC0D0p" dev="devt
mpfs" ino=532 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file
permissive=1
Hash: gdb,abrt_t,sound_device_t,chr_file,open