Red Hat Bugzilla – Attachment 672104 Details for Bug 891656: Possible (file descriptor?) leak: AVCs from /usr/lib/systemd/system-generators/lvm2-activation-generator
sealert output describing the AVCs
sealert.txt (text/plain), 3.95 KB, created by Tom London on 2013-01-03 14:48:56 UTC
>SELinux is preventing /usr/lib/systemd/system-generators/lvm2-activation-generator from 'read, write' accesses on the file /run/systemd/dump-1-pH55Lj (deleted).
>
>***** Plugin leaks (86.2 confidence) suggests ******************************
>
>If you want to ignore lvm2-activation-generator trying to read write access the dump-1-pH55Lj (deleted) file, because you believe it should not need this access.
>Then you should report this as a bug.
>You can generate a local policy module to dontaudit this access.
>Do
># grep /usr/lib/systemd/system-generators/lvm2-activation-generator /var/log/audit/audit.log | audit2allow -D -M mypol
># semodule -i mypol.pp
>
>***** Plugin catchall (14.7 confidence) suggests ***************************
>
>If you believe that lvm2-activation-generator should be allowed read write access on the dump-1-pH55Lj (deleted) file by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># grep lvm2-activation /var/log/audit/audit.log | audit2allow -M mypol
># semodule -i mypol.pp
>
>
>Additional Information:
>Source Context                system_u:system_r:lvm_t:s0
>Target Context                system_u:object_r:init_var_run_t:s0
>Target Objects                /run/systemd/dump-1-pH55Lj (deleted) [ file ]
>Source                        lvm2-activation
>Source Path                   /usr/lib/systemd/system-generators/lvm2
>                              -activation-generator
>Port                          <Unknown>
>Host                          tlondon.localhost.org
>Source RPM Packages           lvm2-2.02.98-4.fc19.x86_64
>Target RPM Packages
>Policy RPM                    selinux-policy-3.11.1-67.fc19.noarch
>Selinux Enabled               True
>Policy Type                   targeted
>Enforcing Mode                Enforcing
>Host Name                     tlondon.localhost.org
>Platform                      Linux tlondon.localhost.org
>                              3.7.1-1.local2.fc19.x86_64 #1 SMP Wed Dec 26
>                              15:21:18 PST 2012 x86_64 x86_64
>Alert Count                   1
>First Seen                    2013-01-02 07:11:28 PST
>Last Seen                     2013-01-02 07:11:28 PST
>Local ID                      45a4a3dd-295d-48f5-8976-2649b4925030
>
>Raw Audit Messages
>type=AVC msg=audit(1357139488.827:97): avc: denied { read write } for pid=10723 comm="lvm2-activation" path=2F72756E2F73797374656D642F64756D702D312D704835354C6A202864656C6574656429 dev="tmpfs" ino=58085 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
>
>
>type=AVC msg=audit(1357139488.827:97): avc: denied { read write } for pid=10723 comm="lvm2-activation" path="/dev/initctl" dev="devtmpfs" ino=10371 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
>
>
>type=SYSCALL msg=audit(1357139488.827:97): arch=x86_64 syscall=execve success=yes exit=0 a0=7f217408e260 a1=7fff754082a0 a2=7fff75408ac0 a3=7f21731d9b10 items=2 ppid=1 pid=10723 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=lvm2-activation exe=/usr/lib/systemd/system-generators/lvm2-activation-generator subj=system_u:system_r:lvm_t:s0 key=(null)
>
>type=CWD msg=audit(1357139488.827:97): cwd=/
>
>type=PATH msg=audit(1357139488.827:97): item=0 name=/usr/lib/systemd/system-generators/lvm2-activation-generator inode=921108 dev=fd:00 mode=0100555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:lvm_exec_t:s0
>
>type=PATH msg=audit(1357139488.827:97): item=1 name=(null) inode=918489 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
>
>Hash: lvm2-activation,lvm_t,init_var_run_t,file,read,write
>
>audit2allow
>
>#============= lvm_t ==============
>allow lvm_t init_var_run_t:file { read write };
>allow lvm_t initctl_t:fifo_file { read write };
>
>audit2allow -R
>
>#============= lvm_t ==============
>allow lvm_t init_var_run_t:file { read write };
>allow lvm_t initctl_t:fifo_file { read write };