Linux Override Core Dump Processing

If you are facing troubles configuring a Linux core dump processing program, temporarily use the following technique to use a shell script as the core dump processing program which simply writes the core dump to a target directory.

1. Create writecore.sh. In general, well known executable directories are recommended in case of SELinux restrictions. In the following example, /usr/local/bin is used but change as needed. Also change the destination directory of /tmp/ to where you want to write the cores and the log. Ensure the target directory has sufficient disk space.

   cat > /usr/local/bin/writecore.sh <<"EOF"
   #!/bin/sh
   /usr/bin/echo "[$(/usr/bin/date)] Asked to create core for ${1}.${2}.${3}" >>/tmp/writecore.log
   /usr/bin/cat - > /tmp/core.${1}.${2}.${3}.dmp 2>>/tmp/writecore.log
   /usr/bin/echo "[$(/usr/bin/date)] Finished writing core for ${1}.${2}.${3}" >>/tmp/writecore.log
   EOF

2. Make the script executable:

   chmod +x /usr/local/bin/writecore.sh

3. If SELinux is in use, change the security context. For example:

   chcon --reference=/usr/bin/cat /usr/local/bin/writecore.sh

4. Print the current core_pattern for later reversion:

   sysctl kernel.core_pattern

5. Update the core_pattern:

   sysctl -w "kernel.core_pattern=|/usr/local/bin/writecore.sh %p %P %t"

6. Now core dumps should be processed through writecore.sh and written to the destination directory.
7. Reproduce the issue and find the core dumps in /tmp/.
8. Revert to the old core_pattern from step 4 above.

Potential issues:

1. Potential issues may be seen in the kernel logs such as journalctl -f.
   1. In the following example, SELinux denied executing writecore.sh

      Sep 06 10:41:52 localhost.localdomain audit[4985]: AVC avc:  denied  { map } for  pid=4985 comm="writecore.sh" path="/usr/bin/bash" dev="vda4"    ino=201689627 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
      Sep 06 10:41:52 localhost.localdomain kernel: audit: type=1400 audit(1694014912.395:806): avc:  denied  { map } for  pid=4985 comm="writecore.sh" path="/   usr/bin/bash" dev="vda4" ino=201689627 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file    permissive=0
      Sep 06 10:41:52 localhost.localdomain kernel: Core dump to |/usr/local/bin/writecore.sh pipe failed

      A rule could be added with a tool such as semanage or SELinux may be temporarily disabled:

      setenforce Permissive

Previous Section (Linux X11 Forwarding) | Next Section (Troubleshooting AIX Recipes) | Back to Table of Contents