Bug 210167
Summary: | dmidecode/cfengine issue | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Orion Poplawski <orion> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED NEXTRELEASE | QA Contact: | Ben Levenson <benl> |
Severity: | medium | Priority: | medium |
Version: | 5 | CC: | dwalsh, robatino |
Hardware: | All | OS: | Linux |
Doc Type: | Bug Fix | Last Closed: | 2007-02-14 15:17:27 UTC |
Description
Orion Poplawski
2006-10-10 15:28:07 UTC
This may be related to bug #204176.

audit(1160492510.915:120): avc: denied { use } for pid=31428 comm="dmidecode" name="[9503884]" dev=pipefs ino=9503884 scontext=user_u:system_r:dmidecode_t:s0 tcontext=user_u:system_r:crond_t:s0-s0:c0.c255 tclass=fd

This one looks like a leaked file descriptor.

audit(1160492510.915:121): avc: denied { write } for pid=31428 comm="dmidecode" name="cf_apollo_cora_nwra_com_2006-10-10--09-00-01" dev=hda5 ino=261954 scontext=user_u:system_r:dmidecode_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file

This one, however, looks like dmidecode is trying to write to a log file of some sort? You could try the dmidecode | cat hack to see if this disappears. Are you running dmidecode directly in cron or do you have another application that runs it?

cron runs cfagent, which then executes various tasks, one of which is: "/usr/sbin/dmidecode | grep -Fq Dell". Apparently, cfagent redirects output of commands to a file in /var/cfengine somewhere.

What I can't understand is why a transition is happening at all? From the policy in FC5 it looks like dmidecode only transitions from hal. So I would have thought that it would continue to run in the crond or unconfined_t context.

Also seeing this with some other commands run by cfagent:

audit(1164556971.576:674): avc: denied { write } for pid=23342 comm="ifconfig" name="cf_lynx_cora_nwra_com_2006-11-26--09-00-01" dev=hda6 ino=116329 scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file

This is with selinux-policy-2.4.5-4.fc5.

All of these bugs should be fixed in FC6. You could attempt to use the FC6 policy on FC5 or upgrade. Or you could use

audit2allow -M mypolicy -i /var/log/audit/audit.log

and build local customized policy.
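For reviewing what a local policy built from these denials would grant, the following added example (not part of the bug thread, and not audit2allow's own code) parses the three AVC records quoted above and reduces them to candidate allow rules in policy syntax, marking the `fd { use }` denial as an inherited descriptor. The function names and the note strings are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# The three AVC records quoted in this report, one per line.
SAMPLE_LOG = """\
audit(1160492510.915:120): avc: denied { use } for pid=31428 comm="dmidecode" name="[9503884]" dev=pipefs ino=9503884 scontext=user_u:system_r:dmidecode_t:s0 tcontext=user_u:system_r:crond_t:s0-s0:c0.c255 tclass=fd
audit(1160492510.915:121): avc: denied { write } for pid=31428 comm="dmidecode" name="cf_apollo_cora_nwra_com_2006-10-10--09-00-01" dev=hda5 ino=261954 scontext=user_u:system_r:dmidecode_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
audit(1164556971.576:674): avc: denied { write } for pid=23342 comm="ifconfig" name="cf_lynx_cora_nwra_com_2006-11-26--09-00-01" dev=hda6 ino=116329 scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\w+)'
)

def selinux_type(context):
    """Return the type, the third field of user:role:type[:level]."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        key = (selinux_type(m["scontext"]),
               selinux_type(m["tcontext"]),
               m["tclass"])
        denials[key].update(m["perms"].split())
    return denials

def candidate_rules(log_text):
    """Return (rule, note) pairs, one per distinct denial, sorted by types."""
    out = []
    for (src, tgt, cls), perms in sorted(parse_denials(log_text).items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        # A bare 'use' on class fd means the domain inherited an open
        # descriptor from its parent, which the thread reads as a leak.
        leak = cls == "fd" and perms == {"use"}
        note = "inherited descriptor (possible leak)" if leak else "review before allowing"
        out.append((f"allow {src} {tgt}:{cls} {perm_str};", note))
    return out

if __name__ == "__main__":
    for rule, note in candidate_rules(SAMPLE_LOG):
        print(f"{rule}  # {note}")
```

Listing the rules this way shows that two of the three would give confined domains write access to any file labelled `var_t`, which is broader than the cfengine output files involved here.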