Bug 541107

Summary: SELinux is preventing /sbin/consoletype access to a leaked packet_socket file descriptor.
Product: [Fedora] Fedora Reporter: astoldbymari
Component: pppAssignee: Jiri Skala <jskala>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: aglotov, alelima.xandao, astoldbymari, chenhuan.gt, clanger.christian, dwalsh, jskala, jusko, koshaduk, mgrepl, nkrntlnhtn, pal666, r_brakchi, rmknnvc, soma-sk8, thieme.reis
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:6a8f2cc0eeb95bfffcfcf9f42500d0e561c3af85c3a0e350b0fdce0241b86045
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-02-03 22:47:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
fd's leak patch none

Description astoldbymari 2009-11-24 23:57:43 UTC 
Sumário:

SELinux is preventing /sbin/consoletype access to a leaked packet_socket file
descriptor.

Descrição detalhada:

[consoletype tem um tipo permissivo (consoletype_t). Esse acesso não foi
negado.]

SELinux denied access requested by the consoletype command. It looks like this
is either a leaked descriptor or consoletype output was redirected to a file it
is not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the packet_socket. You should generate a bugzilla on selinux-policy,
and it will get routed to the appropriate package. You can safely ignore this
avc.

Permitindo acesso:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Informações adicionais:

Contexto de origem            system_u:system_r:consoletype_t:s0
Contexto de destino           system_u:system_r:pppd_t:s0
Objetos de destino            packet_socket [ packet_socket ]
Origem                        consoletype
Caminho da origem             /sbin/consoletype
Porta                         <Desconhecido>
Máquina                      (removed)
Pacotes RPM de origem         initscripts-9.02-1
Pacotes RPM de destino        
RPM da política              selinux-policy-3.6.32-46.fc12
Selinux habilitado            True
Tipo de política             targeted
Modo reforçado               Enforcing
Nome do plugin                leaks
Nome da máquina              (removed)
Plataforma                    Linux (removed) 2.6.31.5-127.fc12.i686 #1 SMP
                              Sat Nov 7 21:41:45 EST 2009 i686 i686
Contador de alertas           6
Visto pela primeira vez em    Ter 24 Nov 2009 18:31:03 BRST
Visto pela última vez em     Ter 24 Nov 2009 19:42:03 BRST
ID local                      994a62d2-8e49-46d7-afc0-c44ec2b7315c
Números de linha             

Mensagens de auditoria não p 

node=(removed) type=AVC msg=audit(1259098923.229:20025): avc:  denied  { read write } for  pid=2458 comm="consoletype" path="socket:[34335]" dev=sockfs ino=34335 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=packet_socket

node=(removed) type=SYSCALL msg=audit(1259098923.229:20025): arch=40000003 syscall=11 success=yes exit=0 a0=9430400 a1=9430460 a2=9428f10 a3=9430460 items=0 ppid=2457 pid=2458 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="consoletype" exe="/sbin/consoletype" subj=system_u:system_r:consoletype_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-46.fc12,leaks,consoletype,consoletype_t,pppd_t,packet_socket,read,write
audit2allow suggests:

#============= consoletype_t ==============
allow consoletype_t pppd_t:packet_socket { read write };
Comment 1 Jiri Skala 2009-11-30 09:09:32 UTC 
The bug is probably duplicated to #531374. I've not reproduced described issue therefore I hope somebody on CC list will be willing to test this scratch build

http://koji.fedoraproject.org/koji/taskinfo?taskID=1796872

and will send me a message about result.

Thanks in advance

Jiri
Comment 2 Daniel Walsh 2009-12-01 20:23:19 UTC 
*** Bug 541560 has been marked as a duplicate of this bug. ***
Comment 3 Daniel Walsh 2009-12-01 20:23:47 UTC 
*** Bug 542588 has been marked as a duplicate of this bug. ***
Comment 4 Daniel Walsh 2009-12-01 20:24:11 UTC 
*** Bug 543013 has been marked as a duplicate of this bug. ***
Comment 5 Daniel Walsh 2009-12-01 20:24:35 UTC 
*** Bug 543045 has been marked as a duplicate of this bug. ***
Comment 6 Serge Pavlovsky 2009-12-01 20:45:21 UTC 
im willing to test, but i cant get rpm out of that link
Comment 7 Daniel Walsh 2009-12-01 21:04:32 UTC 
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-52.fc12
Comment 8 Serge Pavlovsky 2009-12-01 22:49:58 UTC 
Dec  2 00:44:23 underdark adsl-stop: Killing pppd
Dec  2 00:44:23 underdark pppd[23695]: Terminating on signal 15
Dec  2 00:44:23 underdark pppd[23695]: Connect time 411.4 minutes.
Dec  2 00:44:23 underdark pppd[23695]: Sent 1749502931 bytes, received 1880900092 bytes.
Dec  2 00:44:23 underdark adsl-stop: Killing pppoe-connect
Dec  2 00:44:24 underdark NET[7256]: /etc/sysconfig/network-scripts/ifdown-post : updated /etc/resolv.conf
Dec  2 00:44:24 underdark setroubleshoot: SELinux is preventing /sbin/consoletype access to a leaked packet_socket file descriptor. For complete SELinux messages. run sealert -l 83fd6466-d188-4e27-be84-cb6d329f8755
Dec  2 00:44:25 underdark setroubleshoot: SELinux is preventing /sbin/consoletype access to a leaked packet_socket file descriptor. For complete SELinux messages. run sealert -l 83fd6466-d188-4e27-be84-cb6d329f8755
Dec  2 00:44:25 underdark ntpd[1973]: Deleting interface #14 ppp0, 85.238.107.53#123, interface stats: received=78, sent=78, dropped=0, active_time=24680 secs
Dec  2 00:44:25 underdark setroubleshoot: SELinux is preventing /sbin/setfiles access to a leaked packet_socket file descriptor. For complete SELinux messages. run sealert -l 3bb2524c-6188-49d6-8d78-7da692d7361f
Dec  2 00:44:25 underdark setroubleshoot: SELinux is preventing /sbin/ip access to a leaked packet_socket file descriptor. For complete SELinux messages. run sealert -l 97cee9c2-c812-4d2c-8e13-11ed4d21b4b4
Dec  2 00:45:13 underdark dnsmasq[2136]: reading /etc/resolv.conf
Dec  2 00:45:13 underdark dnsmasq[2136]: using nameserver 195.138.80.33#53
Dec  2 00:45:14 underdark pppd[7392]: Plugin rp-pppoe.so loaded.
Dec  2 00:45:14 underdark pppd[7392]: RP-PPPoE plugin version 3.3 compiled against pppd 2.4.4
Dec  2 00:45:14 underdark pppd[7392]: pppd 2.4.4 started by root, uid 0
Dec  2 00:45:14 underdark pppd[7392]: PPP session is 213
Dec  2 00:45:14 underdark pppd[7392]: Using interface ppp0
Dec  2 00:45:14 underdark pppd[7392]: Connect: ppp0 <--> eth1
Dec  2 00:45:14 underdark pppd[7392]: CHAP authentication succeeded
Dec  2 00:45:14 underdark pppd[7392]: CHAP authentication succeeded
Dec  2 00:45:14 underdark pppd[7392]: peer from calling number 00:E0:81:34:BC:62 authorized
Dec  2 00:45:14 underdark pppd[7392]: local  IP address 85.238.107.53
Dec  2 00:45:14 underdark pppd[7392]: remote IP address 195.138.80.168
Dec  2 00:45:14 underdark pppd[7392]: primary   DNS address 195.138.80.56
Dec  2 00:45:14 underdark pppd[7392]: secondary DNS address 195.138.80.33
Dec  2 00:45:14 underdark setroubleshoot: SELinux is preventing /sbin/consoletype access to a leaked packet_socket file descriptor. For complete SELinux messages. run sealert -l 83fd6466-d188-4e27-be84-cb6d329f8755
Dec  2 00:45:14 underdark NET[7429]: /etc/sysconfig/network-scripts/ifup-post : updated /etc/resolv.conf
Dec  2 00:45:14 underdark setroubleshoot: SELinux is preventing /sbin/consoletype access to a leaked packet_socket file descriptor. For complete SELinux messages. run sealert -l 83fd6466-d188-4e27-be84-cb6d329f8755
Dec  2 00:45:14 underdark setroubleshoot: SELinux is preventing /sbin/ifconfig access to a leaked packet_socket file descriptor. For complete SELinux messages. run sealert -l 97cee9c2-c812-4d2c-8e13-11ed4d21b4b4
Dec  2 00:45:15 underdark setroubleshoot: SELinux is preventing /sbin/setfiles access to a leaked packet_socket file descriptor. For complete SELinux messages. run sealert -l 3bb2524c-6188-49d6-8d78-7da692d7361f
Dec  2 00:45:15 underdark setroubleshoot: SELinux is preventing /sbin/consoletype access to a leaked packet_socket file descriptor. For complete SELinux messages. run sealert -l 83fd6466-d188-4e27-be84-cb6d329f8755
Dec  2 00:45:16 underdark ntpd[1973]: Listening on interface #16 ppp0, 85.238.107.53#123 Enabled
Comment 9 Jiri Skala 2009-12-03 06:56:50 UTC 
*** Bug 543362 has been marked as a duplicate of this bug. ***
Comment 10 Jiri Skala 2009-12-03 06:58:25 UTC 
*** Bug 531374 has been marked as a duplicate of this bug. ***
Comment 11 Jiri Skala 2009-12-17 16:03:01 UTC 
(In reply to comment #8)
> Dec  2 00:44:23 underdark adsl-stop: Killing pppd
> Dec  2 00:44:23 underdark pppd[23695]: Terminating on signal 15
> ....
> /sbin/consoletype access to a leaked packet_socket file descriptor. For
> complete SELinux messages. run sealert -l 83fd6466-d188-4e27-be84-cb6d329f8755
> Dec  2 00:45:16 underdark ntpd[1973]: Listening on interface #16 ppp0,
> 85.238.107.53#123 Enabled  

Thank you Serge for your test!

Daniel,
1. what do you think about the test with patched ppp (using O_CLOEXEC flag)?
2. I didn't understand your comment #7. Does it mean you have fixed it in selinux-policy?
3. If not, any idea how to detect it? I'm not able to detect it in ppp cos my connection works fine.

Jiri
Comment 12 Daniel Walsh 2009-12-17 16:35:54 UTC 
I have removed the transition to consoletype_t which was revealing this and many other leaks.  

Well their connections would work fine also.   SELinux was just closing the leak.  Wherever the packet_socket was being created or handed back to ppp, you should execute the fcntl(socket, F_SETFD, FD_CLOEXEC)

Call
Comment 13 Jiri Skala 2009-12-22 16:14:49 UTC 
(In reply to comment #12)
> I have removed the transition to consoletype_t which was revealing this and
> many other leaks.  
> 
> Well their connections would work fine also.   SELinux was just closing the
> leak.  Wherever the packet_socket was being created or handed back to ppp, you
> should execute the fcntl(socket, F_SETFD, FD_CLOEXEC)
> 
> Call  

yes, i've used FD_CLOEXEC in fcntl and also in open functions but as you can see in comment #8 no progress.
Comment 14 Daniel Walsh 2009-12-22 17:18:21 UTC 
What about in socket() and accept. You need to close leaks on socket also.
Comment 15 Jiri Skala 2010-01-02 19:57:52 UTC 
Created attachment 381310 [details]
fd's leak patch

Daniel, of course I applied it on file and sockets. I'm sorry I didn't attach my patch immediately. Well, you can review it now.
I've overloaded all file opening as well as socket connection creating. But I think file fd's are handled in pppd/main.c - safe_fork() and in other functions closing files due to forking. I see the patch as a something more ...
Try to review this. Thanks.

Jiri
Comment 16 Daniel Walsh 2010-01-04 15:16:40 UTC 
Looks ok, although some of these are built into glibc.

man fopen
...
NOTES
   Glibc Notes
...

       e (since glibc 2.7)
              Open  the  file  with  the O_CLOEXEC flag.  See open(2) for more
              information.