Bug 521780

Summary: setroubleshoot: SELinux is preventing restorecon "read write" access to a leaked file descriptor on socket
Product: Fedora
Reporter: Matěj Cepl <mcepl>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: dwalsh, jkubin, mcepl, mgrepl
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:d25c940efd8273194c2c48950eeafefa5f3315896a72281d3dd2a98244a9a139
Doc Type: Bug Fix
Last Closed: 2009-09-09 21:25:33 UTC

Description Matěj Cepl 2009-09-08 09:55:51 UTC
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing restorecon "read write" access to a leaked file
descriptor on socket

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the restorecon command. It looks like this is
either a leaked descriptor or restorecon output was redirected to a file it is
not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the socket. You should generate a bugzilla on selinux-policy, and it
will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:setfiles_t:s0-s0:c0.c1023
Target Context                system_u:system_r:initrc_t:s0-s0:c0.c1023
Target Objects                socket [ unix_dgram_socket ]
Source                        restorecon
Source Path                   /sbin/setfiles
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           policycoreutils-2.0.71-15.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.30-4.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31-0.204.rc9.fc12.x86_64 #1 SMP
                              Sat Sep 5 20:45:55 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 8 Sep 2009, 11:44:31 CEST
Last Seen                     Tue 8 Sep 2009, 11:44:31 CEST
Local ID                      8b4b5f9b-b43a-4099-af05-86a6856132be
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1252403071.267:747): avc:  denied  { read write } for  pid=28863 comm="restorecon" path="socket:[2270591]" dev=sockfs ino=2270591 scontext=system_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

node=(removed) type=SYSCALL msg=audit(1252403071.267:747): arch=c000003e syscall=59 success=yes exit=0 a0=1fd98f0 a1=1fd8a90 a2=1fd8930 a3=8 items=0 ppid=28862 pid=28863 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/sbin/setfiles" subj=system_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= setfiles_t ==============
allow setfiles_t initrc_t:unix_dgram_socket { read write };
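
As an added worked example (not part of the report, of setroubleshoot or of policycoreutils): the shell script below takes constructed copies of the two audit records above, checks for the signature the "leaks" plugin keys on (a denial on a descriptor-backed object, raised during execve, between two different domains) and prints the dontaudit rule that silences it. The allow rule audit2allow suggests above would instead grant setfiles_t real read/write access to init-script sockets, which is not what anyone wants. The second half reproduces the mechanism in the shell: a descriptor opened in a parent reaches every exec'd child unless it is closed (or opened O_CLOEXEC) before the exec, which is why the fix belongs in the parent (ppid=28862 in the SYSCALL record), not in setfiles or in policy. Assumes Linux with /proc mounted; the execve syscall numbers in is_execve cover x86_64 and i386 only, and the field parser assumes values without embedded spaces.

```shell
#!/bin/sh
# Added example; not code from the bug report, setroubleshoot or policycoreutils.
# Part 1: triage an AVC+SYSCALL pair for a descriptor leaked across exec.
# Part 2: reproduce the leak and the fix with plain shell redirections.
# Assumptions: Linux with /proc mounted; POSIX sh, awk, sed, cut, tr.

# Constructed copies of the two audit records quoted in the bug (node= dropped).
AVC_RECORD='type=AVC msg=audit(1252403071.267:747): avc:  denied  { read write } for  pid=28863 comm="restorecon" path="socket:[2270591]" dev=sockfs ino=2270591 scontext=system_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tclass=unix_dgram_socket'
SYSCALL_RECORD='type=SYSCALL msg=audit(1252403071.267:747): arch=c000003e syscall=59 success=yes exit=0 a0=1fd98f0 a1=1fd8a90 a2=1fd8930 a3=8 items=0 ppid=28862 pid=28863 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/sbin/setfiles" subj=system_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)'

# field RECORD KEY: value of KEY=value in an audit record, quotes stripped.
# Assumes the value has no spaces (true for socket:[ino]; use ausearch -i otherwise).
field() {
  printf '%s\n' "$1" | tr ' ' '\n' |
    awk -F= -v k="$2" '$1 == k { v = $2; gsub(/"/, "", v); print v; exit }'
}

# perms RECORD: the permission set inside "{ ... }" of an AVC record.
perms() { printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'; }

# domain CONTEXT: the type field of user:role:type:level.
domain() { printf '%s\n' "$1" | cut -d: -f3; }

# is_execve SYSCALL_RECORD: true when the denial was raised during execve,
# i.e. while the kernel was checking inherited descriptors against the new
# domain (execve is syscall 59 on x86_64, 11 on i386).
is_execve() {
  case "$(field "$1" arch)/$(field "$1" syscall)" in
    c000003e/59|40000003/11) return 0 ;;
    *) return 1 ;;
  esac
}

# classify AVC SYSCALL: prints "leak" when a descriptor-backed object owned by
# another domain was inherited across exec, otherwise "denial".
classify() {
  src=$(domain "$(field "$1" scontext)")
  tgt=$(domain "$(field "$1" tcontext)")
  case "$(field "$1" tclass)" in
    *_socket|file|fifo_file|chr_file|blk_file) fd_backed=1 ;;
    *) fd_backed=0 ;;
  esac
  if is_execve "$2" && [ "$fd_backed" = 1 ] && [ "$src" != "$tgt" ]; then
    echo leak
  else
    echo denial
  fi
}

# suggest_rule AVC: a dontaudit rule keeps the log quiet without granting the
# access that audit2allow's "allow" would. The kernel closes the leaked fd
# anyway, so nothing is lost by not allowing it.
suggest_rule() {
  printf 'dontaudit %s %s:%s { %s };\n' \
    "$(domain "$(field "$1" scontext)")" \
    "$(domain "$(field "$1" tcontext)")" \
    "$(field "$1" tclass)" "$(perms "$1")"
}

# Part 2: the mechanism. Open fd 9 here, then exec a child that reports whether
# it can still see fd 9. With "closed" the redirection 9>&- closes it for the
# child before the exec, which is the fix a leaking parent needs.
child_sees_fd() {
  exec 9<>/dev/null
  if [ "$1" = closed ]; then
    seen=$(sh -c 'if [ -L /proc/self/fd/9 ]; then echo yes; else echo no; fi' 9>&-)
  else
    seen=$(sh -c 'if [ -L /proc/self/fd/9 ]; then echo yes; else echo no; fi')
  fi
  exec 9>&-
  echo "$seen"
}

# Example run
echo "verdict: $(classify "$AVC_RECORD" "$SYSCALL_RECORD")"
suggest_rule "$AVC_RECORD"
echo "leaky parent, child sees fd 9: $(child_sees_fd leaky)"
echo "parent closes fd before exec, child sees fd 9: $(child_sees_fd closed)"
```

On a live system the same triage is done with ausearch -i on the event serial (747 here) and by looking up the parent from ppid=28862 in the SYSCALL record while it is still running; that answers the question in Comment 1 of which program execs restorecon with an initrc_t socket still open.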

Comment 1 Daniel Walsh 2009-09-08 14:38:12 UTC
Any idea which app is execing restorecon? Could abrtd be doing this?

Comment 2 Matěj Cepl 2009-09-09 07:57:24 UTC
No idea, probably a good candidate for INSUFFICIENT_DATA, I am afraid.