From d59475b77eb47e8270557f5828acf786cffcf8f8 Mon Sep 17 00:00:00 2001
From: Jakub Filak <jfilak@redhat.com>
Date: Thu, 7 May 2015 14:22:27 +0200
Subject: [ABRT PATCH] dumpers: avoid AVC when creating dump directories
dump-oops and dump-xorg force libreport to create a new dump directory
owned by root and the group abrt. That requires querying passwd and
group which is not yet allowed by selinux-policy:
https://bugzilla.redhat.com/show_bug.cgi?id=1219464
This is a temporary patch for rhel-7.1.z
Signed-off-by: Jakub Filak <jfilak@redhat.com>
---
src/plugins/abrt-dump-oops.c | 11 ++++++++++-
src/plugins/abrt-dump-xorg.c | 11 ++++++++++-
2 files changed, 20 insertions(+), 2 deletions(-)
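diff --git a/src/plugins/abrt-dump-oops.c b/src/plugins/abrt-dump-oops.c
index 05cb728..2dc93c9 100644
--- a/src/plugins/abrt-dump-oops.c
+++ b/src/plugins/abrt-dump-oops.c
@@ -195,7 +195,16 @@ static unsigned create_oops_dump_dirs(GList *oops_list, unsigned oops_cnt)
 log("Not going to make dump directories world readable because PrivateReports is on");
 
 mode = DEFAULT_DUMP_DIR_MODE;
- my_euid = 0;
+ /* Keep my_euid=-1, it produces dump directories owned by the user root
+ * and the group root.
+ *
+ * Using my_euid!=-1 forces libreport to read /etc/passwd and
+ * /etc/group which generates SELinux AVC.
+ */
+ /* my_euid = 0; */
+
+ if (geteuid() != 0)
+ error_msg_and_die("PrivateReports is on, you must run this tool as root.");
 }
 
 pid_t my_pid = getpid();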
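Review bot: The added comment promises dump directories owned by root:root, but the new guard checks only `geteuid() != 0`; if `my_euid = -1` means libreport skips the chown (the call that consumes it is outside this hunk), the group of the new directory follows the process's effective gid and is never verified. Either state that in the comment, e.g. `/* my_euid stays -1: no chown, ownership follows this process's effective uid/gid */`, or widen the check to `if (geteuid() != 0 || getegid() != 0)`. The comment should also record that the directories are no longer in group abrt, which the commit message gives as the previous behaviour, so a reader relying on that group presumably loses access. The commented-out `/* my_euid = 0; */` should be deleted rather than kept as dead code. All of this applies equally to the identical hunk in src/plugins/abrt-dump-xorg.c.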
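diff --git a/src/plugins/abrt-dump-xorg.c b/src/plugins/abrt-dump-xorg.c
index 434dc76..545db7f 100644
--- a/src/plugins/abrt-dump-xorg.c
+++ b/src/plugins/abrt-dump-xorg.c
@@ -88,7 +88,16 @@ static void save_bt_to_dump_dir(const char *bt, const char *exe, const char *rea
 log("Not going to make dump directories world readable because PrivateReports is on");
 
 mode = DEFAULT_DUMP_DIR_MODE;
- my_euid = 0;
+ /* Keep my_euid=-1, it produces dump directories owned by the user root
+ * and the group root.
+ *
+ * Using my_euid!=-1 forces libreport to read /etc/passwd and
+ * /etc/group which generates SELinux AVC.
+ */
+ /* my_euid = 0; */
+
+ if (geteuid() != 0)
+ error_msg_and_die("PrivateReports is on, you must run this tool as root.");
 }
 
 pid_t my_pid = getpid();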
--
1.8.3.1