Bug 477508
Field | Value | Field | Value
---|---|---|---
Summary | konsole leaks file descriptors: AVC denials when starting network | |
Product | [Fedora] Fedora | Reporter | Gilboa Davara <gilboad>
Component | kdebase | Assignee | Than Ngo <than>
Status | CLOSED DUPLICATE | QA Contact | Fedora Extras Quality Assurance <extras-qa>
Severity | medium | Docs Contact |
Priority | low | |
Version | 10 | CC | dwalsh, gabriello.ramirez, jreznik, kevin, lorenzo, ltinkl, nol888, rdieter, than, tuxbrewr
Target Milestone | --- | |
Target Release | --- | |
Hardware | All | |
OS | Linux | |
Whiteboard | | |
Fixed In Version | | Doc Type | Bug Fix
Doc Text | | Story Points | ---
Clone Of | | Environment |
Last Closed | 2009-02-06 14:51:46 UTC | Type | ---
Regression | --- | Mount Type | ---
Documentation | --- | CRM |
Verified Versions | | Category | ---
oVirt Team | --- | RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | --- | Target Upstream Version |
Embargoed | | |
Description
Gilboa Davara
2008-12-21 10:28:28 UTC
Leaked file descriptors in konsole. All file descriptors should be closed on exec.

Not sure it's konsole. I managed to reproduce this bug by using xterm.

```
$ /etc/init.d/network restart
...
$ tail /var/log/messages | grep ip
Dec 23 14:38:53 gilboa-work-lap setroubleshoot: SELinux is preventing ip (ifconfig_t) "read write" unconfined_t. For complete SELinux messages. run sealert -l fee14800-3fee-4381-9541-68be04e7c68e
...
Dec 23 14:38:55 gilboa-work-lap setroubleshoot: SELinux is preventing ip (ifconfig_t) "read write" unconfined_t. For complete SELinux messages. run sealert -l fee14800-3fee-4381-9541-68be04e7c68e
$ sealert -l fee14800-3fee-4381-9541-68be04e7c68e

Summary:

SELinux is preventing ip (ifconfig_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by ip. It is not expected that this access is
required by ip and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:ifconfig_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                socket [ unix_stream_socket ]
Source                        ip
Source Path                   /sbin/ip
Port                          <Unknown>
Host                          gilboa-work-lap
Source RPM Packages           iproute-2.6.27-1.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-30.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gilboa-work-lap
Platform                      Linux gilboa-work-lap 2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35 EST 2008 x86_64 x86_64
Alert Count                   150
First Seen                    Tue Dec 23 14:38:01 2008
Last Seen                     Tue Dec 23 14:38:50 2008
Local ID                      fee14800-3fee-4381-9541-68be04e7c68e
Line Numbers

Raw Audit Messages

node=gilboa-work-lap type=AVC msg=audit(1230035930.927:1601): avc: denied { read write } for pid=11921 comm="ip" path="socket:[19177]" dev=sockfs ino=19177 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=gilboa-work-lap type=AVC msg=audit(1230035930.927:1601): avc: denied { read write } for pid=11921 comm="ip" path="socket:[77432]" dev=sockfs ino=77432 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=gilboa-work-lap type=SYSCALL msg=audit(1230035930.927:1601): arch=c000003e syscall=59 success=yes exit=0 a0=1586c10 a1=1533af0 a2=15874d0 a3=8 items=0 ppid=11910 pid=11921 auid=800 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="ip" exe="/sbin/ip" subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
```

P.S. I'm getting the same error on brctl, dhclient and arp - they all complained about "SELinux is preventing XXX (xxx_t) "read write" unconfined_t." (My network configuration uses a private/public Ethernet bridge - one of them w/ DHCP.)

- Gilboa

CC'ing dwalsh again, see comment #2 about this being reproducible with xterm too.
Yes, they are being leaked at a higher level in kdebase. At the konsole or xterm do a `ls -l /proc/self/fd`. There should only be fds 0, 1, 2 open. If you think about it, why would scripts/exes like dhclient or ifconfig be trying to access unix_stream_sockets owned by logged-in users? The only reason would be if there was a leaked file descriptor.

xterm:

```
$ ls -l /proc/self/fd
total 0
lrwx------ 1 gilboa users 64 2008-12-23 18:54 0 -> /dev/pts/2
lrwx------ 1 gilboa users 64 2008-12-23 18:54 1 -> /dev/pts/2
lrwx------ 1 gilboa users 64 2008-12-23 18:54 13 -> socket:[77432]
lrwx------ 1 gilboa users 64 2008-12-23 18:54 2 -> /dev/pts/2
lr-x------ 1 gilboa users 64 2008-12-23 18:54 3 -> /proc/16742/fd
lrwx------ 1 gilboa users 64 2008-12-23 18:54 9 -> socket:[19177]
```

konsole:

```
$ ls -l /proc/self/fd
total 0
lrwx------ 1 gilboa users 64 2008-12-23 18:54 0 -> /dev/pts/1
lrwx------ 1 gilboa users 64 2008-12-23 18:54 1 -> /dev/pts/1
lrwx------ 1 gilboa users 64 2008-12-23 18:54 13 -> socket:[19347]
lrwx------ 1 gilboa users 64 2008-12-23 18:54 15 -> /tmp/kde-gilboa/konsoleX16664.tmp
lrwx------ 1 gilboa users 64 2008-12-23 18:54 16 -> /tmp/kde-gilboa/konsoleh16664.tmp
lrwx------ 1 gilboa users 64 2008-12-23 18:54 17 -> /tmp/kde-gilboa/konsoleL16664.tmp
lrwx------ 1 gilboa users 64 2008-12-23 18:54 2 -> /dev/pts/1
lr-x------ 1 gilboa users 64 2008-12-23 18:54 3 -> /proc/16744/fd
lrwx------ 1 gilboa users 64 2008-12-23 18:54 4 -> socket:[19100]
lrwx------ 1 gilboa users 64 2008-12-23 18:54 9 -> socket:[19177]
```

P.S. Both terminals are freshly opened (using Alt-F2) and started from a fresh GDM to KDE login.

- Gilboa

Open descriptors 0, 1, 2 using the terminal are legitimate. 3 reading /proc/*/fd is also ok since this is what the ls command is doing. But the others are leaks. When you start a confined application, SELinux looks at the open file descriptors passed to the application, closes the ones the app is not allowed to have access to, and prints the avc messages you see on your system. kdebase should close all open descriptors on exec, using the fcntl(fd, F_SETFD, FD_CLOEXEC) function.

OK. I understand. I'll try and investigate what the sockets passed by kdebase (krunner?) to both xterm and konsole are and to whom they originally belonged (kdeinit?), as I cannot reproduce this on another machine.

- Gilboa

It indeed looks like a KDE-only issue. The offending sockets are shared by all KDE processes. No idea who the parent is, though. Nevertheless, what comes next? Report the bug against kdebase?

- Gilboa

This bug is owned by kdebase.

*** Bug 477892 has been marked as a duplicate of this bug. ***

*** Bug 470170 has been marked as a duplicate of this bug. ***

Thank you for the bug report. This issue needs to be addressed by the upstream developers. Please submit a report at http://bugs.kde.org. You are requested to add the bugzilla link here for tracking purposes. Please make sure the bug isn't already in the upstream bug tracker before filing it.

*** This bug has been marked as a duplicate of bug 484370 ***
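The leak and the fcntl(fd, F_SETFD, FD_CLOEXEC) fix discussed in the thread, as an added example that is not code from this bug, from kdebase or from any KDE component. The program creates a unix stream socket the way a desktop launcher might (the same tclass as the AVC, unix_stream_socket), execs a child, and has the child check its own /proc/self/fd for the descriptor, which is the `ls -l /proc/self/fd` test from the thread done programmatically. It also shows a sweep of /proc/self/fd that marks every inherited descriptor close-on-exec, for a launcher that cannot audit every open() and socket() in the libraries it links. It assumes Linux with /proc mounted and /bin/sh present; the function names are mine.

```c
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Ask a freshly exec'd program whether descriptor `fd` is still open in it.
 * The child execs /bin/sh and tests for /proc/self/fd/<fd> in the shell's own
 * fd table, which is what `ls -l /proc/self/fd` in the thread checks by eye.
 * Returns 1 if the descriptor survived exec, 0 if it was closed, -1 on error. */
static int fd_survives_exec(int fd)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/fd/%d", fd);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* $0 is set to `path`; `[ -L ... ]` succeeds only if the symlink exists */
        execl("/bin/sh", "sh", "-c", "[ -L \"$0\" ]", path, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 0:  return 1;   /* still open after exec: leaked */
    case 1:  return 0;   /* gone: close-on-exec did its job */
    default: return -1;  /* sh missing or failed */
    }
}

/* Sweep /proc/self/fd and set FD_CLOEXEC on every descriptor above 2 that
 * lacks it. Returns the number of descriptors newly marked, or -1 if /proc is
 * unavailable. A last line of defence before exec in a launcher process. */
int mark_all_cloexec(void)
{
    DIR *dir = opendir("/proc/self/fd");
    if (!dir)
        return -1;
    int marked = 0;
    struct dirent *ent;
    while ((ent = readdir(dir)) != NULL) {
        if (ent->d_name[0] < '0' || ent->d_name[0] > '9')
            continue;                       /* skip "." and ".." */
        int fd = atoi(ent->d_name);
        if (fd <= 2)
            continue;                       /* stdio is meant to be inherited */
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || (flags & FD_CLOEXEC))
            continue;                       /* closed meanwhile, or already safe */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0)
            marked++;
    }
    closedir(dir);
    return marked;
}

/* Run one scenario: create a unix stream socketpair, optionally apply `fix`
 * to one end, exec a child and ask whether it still sees that end.
 * Returns fd_survives_exec()'s verdict (1 leaked, 0 closed, -1 error). */
static int scenario(int (*fix)(int))
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int rc = fix ? fix(sv[0]) : 0;
    int leaked = rc < 0 ? -1 : fd_survives_exec(sv[0]);
    close(sv[0]);
    close(sv[1]);
    return leaked;
}

static int fix_single(int fd) { return fcntl(fd, F_SETFD, FD_CLOEXEC); }
static int fix_sweep(int fd)  { (void)fd; return mark_all_cloexec(); }

/* The bug as reported: a socket created without close-on-exec is handed to
 * every child, including confined ones such as /sbin/ip. Expect 1. */
int leak_without_cloexec(void) { return scenario(NULL); }
/* The per-descriptor fix suggested in the thread. Expect 0. */
int no_leak_with_cloexec(void) { return scenario(fix_single); }
/* The sweep applied just before exec. Expect 0. */
int no_leak_after_sweep(void)  { return scenario(fix_sweep); }

int main(void)
{
    printf("plain socketpair survives exec:     %d\n", leak_without_cloexec());
    printf("with FD_CLOEXEC survives exec:      %d\n", no_leak_with_cloexec());
    printf("after /proc/self/fd sweep survives: %d\n", no_leak_after_sweep());
    return 0;
}
```

Two practical notes. First, the sweep is a mitigation, not the fix: in a multithreaded process another thread can create a descriptor between the sweep and the exec, so the reliable cure is to request close-on-exec at creation time (O_CLOEXEC for open(), SOCK_CLOEXEC for socket() and socketpair()); on Linux 5.11 and later, close_range(2) with CLOSE_RANGE_CLOEXEC does the sweep in one system call. Second, the audit records above are the fingerprint of this class of leak and can be confirmed from the page's own data: the `ino=19177` and `ino=77432` in the raw AVC messages match the `socket:[19177]` and `socket:[77432]` entries in the xterm listing, so an AVC with `dev=sockfs` whose inode shows up in the launcher's /proc/<pid>/fd means the descriptor was inherited rather than opened by the confined program.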