Linux Override Core Dump Processing

If you have trouble configuring a Linux core dump processing program, you can temporarily substitute a shell script as the core dump processing program. The script simply writes each core dump to a target directory.

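  1. Create writecore.sh. Well-known executable directories are recommended because of possible SELinux restrictions. The following example uses /usr/local/bin; change as needed. Also change the destination directory /tmp/ to where you want the cores and the log written. Ensure the target directory has sufficient disk space. The kernel runs the pipe handler as root and a core dump contains the memory of the crashed process, so a directory writable only by root is preferable to a world-writable one such as /tmp/.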
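    cat > /usr/local/bin/writecore.sh <<"EOF"
    #!/bin/sh
    # Core dump pipe handler. Arguments come from core_pattern:
    #   $1 = %p (PID), $2 = %P (PID in the initial PID namespace), $3 = %t (dump time, epoch seconds)
    # Create the core and the log readable by the owner only.
    umask 077
    /usr/bin/echo "[$(/usr/bin/date)] Asked to create core for ${1}.${2}.${3}" >>/tmp/writecore.log
    # The kernel supplies the core image on standard input.
    /usr/bin/cat - > "/tmp/core.${1}.${2}.${3}.dmp" 2>>/tmp/writecore.log
    /usr/bin/echo "[$(/usr/bin/date)] Finished writing core for ${1}.${2}.${3}" >>/tmp/writecore.log
    EOF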
  2. Make the script executable:
    chmod +x /usr/local/bin/writecore.sh
  3. If SELinux is in use, change the security context. For example:
    chcon --reference=/usr/bin/cat /usr/local/bin/writecore.sh
  4. Print the current core_pattern for later reversion:
    sysctl kernel.core_pattern
  5. Update the core_pattern:
    sysctl -w "kernel.core_pattern=|/usr/local/bin/writecore.sh %p %P %t"
  6. Now core dumps should be processed through writecore.sh and written to the destination directory.
  7. Reproduce the issue and find the core dumps in /tmp/.
  8. Revert to the old core_pattern from step 4 above.

Potential issues:

  1. Errors may appear in the kernel logs, which can be followed with journalctl -f.
    1. In the following example, SELinux denied executing writecore.sh:
      Sep 06 10:41:52 localhost.localdomain audit[4985]: AVC avc:  denied  { map } for  pid=4985 comm="writecore.sh" path="/usr/bin/bash" dev="vda4" ino=201689627 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
      Sep 06 10:41:52 localhost.localdomain kernel: audit: type=1400 audit(1694014912.395:806): avc:  denied  { map } for  pid=4985 comm="writecore.sh" path="/usr/bin/bash" dev="vda4" ino=201689627 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
      Sep 06 10:41:52 localhost.localdomain kernel: Core dump to |/usr/local/bin/writecore.sh pipe failed
      A rule could be added with a tool such as semanage, or SELinux may be temporarily switched to permissive mode (return it to enforcing mode once the cores have been collected):
      setenforce Permissive
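
The log triage above can be scripted. This is an added example, not part of the original page: it pairs each "pipe failed" kernel message with the AVC denials logged for that helper and prints the permission, source type, target type, class and path. The function names are hypothetical, and the embedded sample is the journal excerpt quoted above.

```shell
#!/bin/sh
# Added example, not from the original page. Reads journal text on stdin and
# reports SELinux denials that hit a failing core_pattern pipe helper.

# Sample input: the three journal lines quoted above, whitespace normalised.
sample_log() {
cat <<'EOF'
Sep 06 10:41:52 localhost.localdomain audit[4985]: AVC avc:  denied  { map } for  pid=4985 comm="writecore.sh" path="/usr/bin/bash" dev="vda4" ino=201689627 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
Sep 06 10:41:52 localhost.localdomain kernel: audit: type=1400 audit(1694014912.395:806): avc:  denied  { map } for  pid=4985 comm="writecore.sh" path="/usr/bin/bash" dev="vda4" ino=201689627 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
Sep 06 10:41:52 localhost.localdomain kernel: Core dump to |/usr/local/bin/writecore.sh pipe failed
EOF
}

# avc_field KEY LINE: print the value of KEY=value (quotes stripped).
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# Output, one line per distinct denial:
#   helper permission source_type target_type class path
summarize_core_denials() {
    log=$(cat)
    printf '%s\n' "$log" |
    sed -n 's/.*Core dump to |\([^ ]*\) pipe failed.*/\1/p' | sort -u |
    while IFS= read -r helper; do
        # The kernel truncates comm to 15 characters.
        name=$(printf '%s' "${helper##*/}" | cut -c1-15)
        printf '%s\n' "$log" | grep 'avc: *denied' |
        grep -F "comm=\"$name\"" |
        while IFS= read -r line; do
            perm=$(printf '%s\n' "$line" |
                sed -n 's/.*denied  *{ \([^}]*\) }.*/\1/p' | tr ' ' ,)
            src=$(avc_field scontext "$line" | cut -d: -f3)
            tgt=$(avc_field tcontext "$line" | cut -d: -f3)
            printf '%s %s %s %s %s %s\n' "$helper" "$perm" "$src" "$tgt" \
                "$(avc_field tclass "$line")" "$(avc_field path "$line")"
        done
    done | sort -u
}

# Stand-alone run on the embedded sample.
sample_log | summarize_core_denials
```

On an affected host, pipe `journalctl -b` output into summarize_core_denials instead of the sample. The resulting tuple names exactly which access was denied, which is the information needed to write a targeted rule.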