Bug 498789
| Summary: | AVC denial when starting a DSL connection (F11 Rawhide) | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Viktor Erdelyi <verdelyi> |
| Component: | ppp | Assignee: | Jiri Skala <jskala> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Priority: | low |
| Version: | 11 | CC: | aglotov, avi_raj200506, davej, dwalsh, jskala, juergenw_, m.e, mgrepl, sumanth_yn |
| Hardware: | x86_64 | OS: | Linux |
| Doc Type: | Bug Fix | Last Closed: | 2010-01-06 07:34:29 UTC |

Description
Viktor Erdelyi
2009-05-03 11:27:18 UTC
Looks like ppp is leaking a file descriptor to the packet_socket. You can ignore this, since nothing is actually being broken. ppp should call fcntl(fd, F_SETFD, FD_CLOEXEC) on all open fds and sockets before execing any other process.

I am getting the same AVC denial anytime I do a DSL dialup (selinux-policy-3.6.12-28.fc11).

Your explanation is crap. If I am supposed to ignore this, why doesn't SELinux?

This is a leaked file descriptor in the ppp. SELinux is protecting you by closing the file descriptor and allowing your ppp to run. By telling you that you could ignore it, I meant that it is not a sign of a break-in, but a bug in ppp. If you want SELinux to ignore the error, you can write custom policy.

    # grep consoletype /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

You can also use the setroubleshoot app and tell it to ignore the error until ppp fixes their bug.

This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

It must be the world's most incomprehensible error message, despite strong competition. Is this English? Also, what does it mean, 'write a custom policy'? Is this documented anywhere? Why not say so? Could you provide step-by-step instructions (in the SELinux messages)? I am getting the message every day too.

    # grep consoletype /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

Those are the steps. These two commands will generate local customization/policy to allow the rules SELinux is complaining about. http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/ is the user's guide. The tool is trying to figure out what the error message means. And it cannot. What is actually happening is ppp has a bug that is leaking a file descriptor and SELinux is reporting the fact. I have given you two ways to quiet the SELinux complaint: either tell SELinux to allow the access or tell setroubleshoot to ignore the error. Hopefully ppp developers will fix their code to not leak the descriptor.

Hi, I can't reproduce the AVC denial. I tried to make the changes mentioned by Daniel. Could you test whether there is some progress? The scratch build is available in koji: http://koji.fedoraproject.org/koji/taskinfo?taskID=1796872
Thanks, regards
Jiri

Added patch that sets close-on-exec for file and sockets. More info: https://bugzilla.redhat.com/show_bug.cgi?id=541107#c15

*** Bug 507103 has been marked as a duplicate of this bug. ***

*** Bug 554626 has been marked as a duplicate of this bug. ***
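
The fix discussed in the comments (marking open descriptors close-on-exec before running a helper process) can be audited and applied as in the following added example. It is not code from ppp or from the patch referenced above; the function names, the 65536 scan cap and the UDP socket standing in for the daemon's socket are assumptions of this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Upper bound for the scan; capped because RLIMIT_NOFILE can be huge. */
static long fd_limit(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    return (max < 0 || max > 65536) ? 65536 : max;
}

/* Set close-on-exec on one descriptor, keeping its other fd flags. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;                      /* not an open descriptor */
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Scan descriptors >= lowest. Returns how many an exec'd child would
 * inherit; with fix != 0 each of them is marked close-on-exec first,
 * so the return value is the number of leaks that were repaired. */
int sweep_inheritable(int lowest, int fix)
{
    int n = 0;
    long max = fd_limit();
    for (int fd = lowest; fd < max; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1 || (flags & FD_CLOEXEC))
            continue;                   /* closed, or already safe */
        if (fix && set_cloexec(fd) != 0)
            continue;                   /* could not repair this one */
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed stand-in for the daemon's socket: plain socket()
     * returns a descriptor without FD_CLOEXEC. Scans start at 3 so
     * stdin/stdout/stderr stay inheritable. */
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    printf("inheritable before exec: %d\n", sweep_inheritable(3, 0));
    printf("repaired: %d\n", sweep_inheritable(3, 1));
    printf("inheritable after: %d\n", sweep_inheritable(3, 0));
    close(s);
    return 0;
}
```

On Linux, passing O_CLOEXEC to open() or SOCK_CLOEXEC to socket() sets the flag atomically at creation, which removes the window between creating the descriptor and calling fcntl().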