8ec399
From d59475b77eb47e8270557f5828acf786cffcf8f8 Mon Sep 17 00:00:00 2001
8ec399
From: Jakub Filak <jfilak@redhat.com>
8ec399
Date: Thu, 7 May 2015 14:22:27 +0200
8ec399
Subject: [ABRT PATCH] dumpers: avoid AVC when creating dump directories
8ec399
8ec399
dump-oops and dump-xorg forces libreport to create a new dump directory
8ec399
owned by root and the group abrt. That requires querying passwd and
8ec399
group which is not yet allowed by selinux-policy:
8ec399
https://bugzilla.redhat.com/show_bug.cgi?id=1219464
8ec399
8ec399
This is a temporary patch for rhel-7.1.z
8ec399
8ec399
Signed-off-by: Jakub Filak <jfilak@redhat.com>
8ec399
---
8ec399
 src/plugins/abrt-dump-oops.c | 11 ++++++++++-
8ec399
 src/plugins/abrt-dump-xorg.c | 11 ++++++++++-
8ec399
 2 files changed, 20 insertions(+), 2 deletions(-)
8ec399
8ec399
diff --git a/src/plugins/abrt-dump-oops.c b/src/plugins/abrt-dump-oops.c
8ec399
index 05cb728..2dc93c9 100644
8ec399
--- a/src/plugins/abrt-dump-oops.c
8ec399
+++ b/src/plugins/abrt-dump-oops.c
8ec399
@@ -195,7 +195,16 @@ static unsigned create_oops_dump_dirs(GList *oops_list, unsigned oops_cnt)
8ec399
             log("Not going to make dump directories world readable because PrivateReports is on");
8ec399
 
8ec399
         mode = DEFAULT_DUMP_DIR_MODE;
8ec399
-        my_euid = 0;
8ec399
+        /* Keep my_euid=-1, it produces dump directories owned by the user root
8ec399
+         * and the group root.
8ec399
+         *
8ec399
+         * Using my_euid!=-1 forces libreport to read /etc/passwd and
8ec399
+         * /etc/group which generates SELinux AVC.
8ec399
+         */
8ec399
+        /* my_euid = 0; */
8ec399
+
8ec399
+        if (geteuid() != 0)
8ec399
+            error_msg_and_die("PrivateReports is on, you must run this tool as root.");
8ec399
     }
8ec399
 
8ec399
     pid_t my_pid = getpid();
8ec399
diff --git a/src/plugins/abrt-dump-xorg.c b/src/plugins/abrt-dump-xorg.c
8ec399
index 434dc76..545db7f 100644
8ec399
--- a/src/plugins/abrt-dump-xorg.c
8ec399
+++ b/src/plugins/abrt-dump-xorg.c
8ec399
@@ -88,7 +88,16 @@ static void save_bt_to_dump_dir(const char *bt, const char *exe, const char *rea
8ec399
             log("Not going to make dump directories world readable because PrivateReports is on");
8ec399
 
8ec399
         mode = DEFAULT_DUMP_DIR_MODE;
8ec399
-        my_euid = 0;
8ec399
+        /* Keep my_euid=-1, it produces dump directories owned by the user root
8ec399
+         * and the group root.
8ec399
+         *
8ec399
+         * Using my_euid!=-1 forces libreport to read /etc/passwd and
8ec399
+         * /etc/group which generates SELinux AVC.
8ec399
+         */
8ec399
+        /* my_euid = 0; */
8ec399
+
8ec399
+        if (geteuid() != 0)
8ec399
+            error_msg_and_die("PrivateReports is on, you must run this tool as root.");
8ec399
     }
8ec399
 
8ec399
     pid_t my_pid = getpid();
8ec399
-- 
8ec399
1.8.3.1
8ec399