arrfab / rpms / abrt

Forked from rpms/abrt 5 years ago
Clone
Blob Blame History Raw
From d59475b77eb47e8270557f5828acf786cffcf8f8 Mon Sep 17 00:00:00 2001
From: Jakub Filak <jfilak@redhat.com>
Date: Thu, 7 May 2015 14:22:27 +0200
Subject: [ABRT PATCH] dumpers: avoid AVC when creating dump directories

dump-oops and dump-xorg forces libreport to create a new dump directory
owned by root and the group abrt. That requires querying passwd and
group which is not yet allowed by selinux-policy:
https://bugzilla.redhat.com/show_bug.cgi?id=1219464

This is a temporary patch for rhel-7.1.z

Signed-off-by: Jakub Filak <jfilak@redhat.com>
---
 src/plugins/abrt-dump-oops.c | 11 ++++++++++-
 src/plugins/abrt-dump-xorg.c | 11 ++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/plugins/abrt-dump-oops.c b/src/plugins/abrt-dump-oops.c
index 05cb728..2dc93c9 100644
--- a/src/plugins/abrt-dump-oops.c
+++ b/src/plugins/abrt-dump-oops.c
@@ -195,7 +195,16 @@ static unsigned create_oops_dump_dirs(GList *oops_list, unsigned oops_cnt)
             log("Not going to make dump directories world readable because PrivateReports is on");
 
         mode = DEFAULT_DUMP_DIR_MODE;
-        my_euid = 0;
+        /* Keep my_euid=-1, it produces dump directories owned by the user root
+         * and the group root.
+         *
+         * Using my_euid!=-1 forces libreport to read /etc/passwd and
+         * /etc/group which generates SELinux AVC.
+         */
+        /* my_euid = 0; */
+
+        if (geteuid() != 0)
+            error_msg_and_die("PrivateReports is on, you must run this tool as root.");
     }
 
     pid_t my_pid = getpid();
diff --git a/src/plugins/abrt-dump-xorg.c b/src/plugins/abrt-dump-xorg.c
index 434dc76..545db7f 100644
--- a/src/plugins/abrt-dump-xorg.c
+++ b/src/plugins/abrt-dump-xorg.c
@@ -88,7 +88,16 @@ static void save_bt_to_dump_dir(const char *bt, const char *exe, const char *rea
             log("Not going to make dump directories world readable because PrivateReports is on");
 
         mode = DEFAULT_DUMP_DIR_MODE;
-        my_euid = 0;
+        /* Keep my_euid=-1, it produces dump directories owned by the user root
+         * and the group root.
+         *
+         * Using my_euid!=-1 forces libreport to read /etc/passwd and
+         * /etc/group which generates SELinux AVC.
+         */
+        /* my_euid = 0; */
+
+        if (geteuid() != 0)
+            error_msg_and_die("PrivateReports is on, you must run this tool as root.");
     }
 
     pid_t my_pid = getpid();
-- 
1.8.3.1