Bug 540814

Summary: SELinux is preventing /sbin/consoletype access to a leaked /var/lib/rpm/__db.000 file descriptor.
Product: [Fedora] Fedora Reporter: Ajay Kalla <ajaykalla83>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.6.32-120.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-12-07 22:46:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ajay Kalla 2009-11-24 08:51:57 UTC 
Summary:

SELinux is preventing /sbin/consoletype access to a leaked /var/lib/rpm/__db.000
file descriptor.

Detailed Description:

[consoletype has a permissive type (consoletype_t). This access was not denied.]

SELinux denied access requested by the consoletype command. It looks like this
is either a leaked descriptor or consoletype output was redirected to a file it
is not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the /var/lib/rpm/__db.000. You should generate a bugzilla on
selinux-policy, and it will get routed to the appropriate package. You can
safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:consoletype_t:s0
Target Context                unconfined_u:object_r:rpm_var_lib_t:s0
Target Objects                /var/lib/rpm/__db.000 [ file ]
Source                        consoletype
Source Path                   /sbin/consoletype
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           initscripts-9.02-1
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.30.9-96.fc11.i586 #1 SMP Tue Nov 3 23:33:04
                              EST 2009 i686 i686
Alert Count                   2
First Seen                    Tue 24 Nov 2009 12:46:17 PM IST
Last Seen                     Tue 24 Nov 2009 12:46:17 PM IST
Local ID                      c192fa43-4d48-448f-85c6-8ab7fa7aae24
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1259046977.807:17745): avc:  denied  { read write } for  pid=28791 comm="consoletype" path="/var/lib/rpm/__db.000" dev=sda9 ino=7300 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1259046977.807:17745): arch=40000003 syscall=11 success=yes exit=0 a0=9180f00 a1=9181430 a2=917cf10 a3=9181430 items=0 ppid=28790 pid=28791 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="consoletype" exe="/sbin/consoletype" subj=unconfined_u:system_r:consoletype_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-41.fc12,leaks,consoletype,consoletype_t,rpm_var_lib_t,file,read,write
audit2allow suggests:

#============= consoletype_t ==============
allow consoletype_t rpm_var_lib_t:file { read write };
Comment 1 Daniel Walsh 2009-11-24 12:36:49 UTC 
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-50.fc12.noarch
Comment 2 Fedora Update System 2009-12-01 16:51:31 UTC 
selinux-policy-3.6.32-52.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-52.fc12
Comment 3 Fedora Update System 2009-12-03 04:58:33 UTC 
selinux-policy-3.6.32-52.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12549
Comment 4 Fedora Update System 2009-12-03 20:29:40 UTC 
selinux-policy-3.6.32-55.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-55.fc12
Comment 5 Fedora Update System 2009-12-04 23:48:01 UTC 
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12650
Comment 6 Fedora Update System 2009-12-08 07:54:40 UTC 
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2010-08-05 13:20:22 UTC 
selinux-policy-3.6.32-120.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12
Comment 8 Fedora Update System 2010-08-20 01:40:37 UTC 
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.