SELinux is preventing pyzor from getattr access on the file /usr/bin/rpm

Miroslav Grepl mgrepl at redhat.com
Wed Sep 9 08:00:18 UTC 2015


On 09/07/2015 01:44 PM, Daniel J Walsh wrote:
> 
> 
> On 09/03/2015 12:29 PM, Tom Rivers wrote:
>> On 9/2/2015 17:25, Jason L Tibbitts III wrote:
>>> TR> If that is the case, then my question is this: why is SELinux
>>> TR> blaming pyzor for something abrt is doing?
>>>
>>> Because it all happens in the context of the script.  abrt basically
>>> hooks into the backtrace generation logic and runs some extra code.
>>> This doesn't happen in a separate process.
>>
>> It's the whole "abrt basically hooks into the backtrace generation
>> logic" thing that I find particularly interesting.  Your explanation
>> makes it sound as if a separate program is able to gain access to an
>> existing process and hide its true identity.  I must be
>> misunderstanding the nuts and bolts of this because malware does the
>> exact same thing.
>>
>> It makes sense to me that if a running process invokes an external
>> program then that request will be under the context of the running
>> process because it is what is making the request.  However, a program
>> that has the ability to take on the guise of some other process and
>> make a request under a context that is not its own means it can hide. 
>> I don't see how that is a good thing especially with respect to
>> programs like SELinux who must be able to clearly identify who is
>> doing what in order to perform its role effectively.
>>
>>
>> Tom
>> -- 
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> SELinux will not prevent a process with the proper rights from
> taking over another policy.  unconfined_t or kernel_t are both allowed
> to do pretty much anything they want from an SELinux point of view.  A
> confined process would obviously be blocked from doing this.
> 

I believe there are fixes in the latest Fedoras (F23/Rawhide). I would open
a new bug and discuss it also with ABRT folks.

Thank you.

-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.

