Bug 543872
Summary: | SELinux is preventing /usr/bin/ntlm_auth access to a leaked /dev/snd/controlC0 file descriptor. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Rob Whalley <mail> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 12 | CC: | dwalsh, mgrepl |
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | setroubleshoot_trace_hash:f391c3a93af2d42648563737a02d95278131c66badd4609c9132dd2c0443b8f6 | ||
Fixed In Version: | 3.6.32-56.fc12 | Doc Type: | Bug Fix |
Last Closed: | 2009-12-16 01:06:08 UTC | Type: | --- |
Description
Rob Whalley
2009-12-03 11:53:32 UTC
What tool were you running when you got these AVCs?

*** Bug 543873 has been marked as a duplicate of this bug. ***

This occurred when running version 1.1.33 of Wine, compiled from source with some extra patches (can provide further information on how it was built if required). AVC messages were encountered when running the Steam games platform.

This message was received when starting the Steam application itself: SELinux is preventing /usr/bin/ntlm_auth access to a leaked /dev/snd/controlC0 file descriptor. Message also received when starting game entitled "Mass Effect". Have not checked with other games at this point.

Wine patch for PulseAudio (see: http://art.ified.ca/?page_id=40), also has a patch to fix a mouse issue in Mass Effect (http://bugs.winehq.org/attachment.cgi?id=21554) and a patch to fix Left4dead2 demo (http://bugs.winehq.org/attachment.cgi?id=24845).

What additional information is required?

Something strange seems to be happening on your system

sesearch -A -t winbind_helper_t -p transition
Found 3 semantic av rules:
allow sysadm_t winbind_helper_t : process { transition signal } ;
allow squid_t winbind_helper_t : process { transition signal } ;
allow httpd_t winbind_helper_t : process { transition signal } ;

This means that only squid and httpd are able to transition to winbind_helper_t.

If you execute id -Z, what does it say?

rpm -q selinux-policy-targeted

"id -Z" brings back:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

"rpm -q selinux-policy-targeted" brings back:
selinux-policy-targeted-3.6.32-52.fc12.noarch

This is the RPM from updates-testing which I installed by doing "yum update selinux-policy-targeted --enablerepo=updates-testing".

"sesearch -A -t winbind_helper_t -p transition" brings back:
Found 4 semantic av rules:
allow squid_t winbind_helper_t : process { transition signal } ;
allow sysadm_t winbind_helper_t : process { transition signal } ;
allow unconfined_t winbind_helper_t : process { transition signal } ;
allow httpd_t winbind_helper_t : process { transition signal } ;

The only change to SE Linux I have tried is: "setsebool -P mmap_low_allowed 1" - normally I would just disable SE Linux but am trying it in permissive mode to see how I get on with it.

These are leaked file descriptors from the application that ended up execing ntlm_auth. I will remove the transition for now from unconfined_t to winbind_t, which should stop showing these AVC messages. You can safely ignore these messages.

Fixed in selinux-policy-3.6.32-56.fc12.noarch

selinux-policy-3.6.32-56.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-56.fc12

selinux-policy-3.6.32-56.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12990

Works perfectly - many thanks for taking the time to put this fix in place

selinux-policy-3.6.32-56.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
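The thread above traces the AVC to file descriptors leaked by the application that ended up exec'ing ntlm_auth. The following C code is an added example, not part of the bug report and not code from Wine or selinux-policy: it shows how a parent process can detect descriptors that an exec'd helper would inherit and mark them close-on-exec. /dev/null stands in for a device node such as /dev/snd/controlC0; the function names and MAX_FD_SCAN are assumptions of this example.

```c
#define _GNU_SOURCE            /* for O_CLOEXEC */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#define MAX_FD_SCAN 1024       /* assumption: scan cap chosen for this example */

/* 1 if fd is open and lacks FD_CLOEXEC (an exec'd child inherits it), else 0. */
int fd_is_inheritable(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags != -1 && !(flags & FD_CLOEXEC);
}

/* Count descriptors >= lowfd that an exec'd program would inherit. */
int count_inheritable(int lowfd)
{
    int n = 0;
    for (int fd = lowfd; fd < MAX_FD_SCAN; fd++)
        n += fd_is_inheritable(fd);
    return n;
}

/* Set FD_CLOEXEC on every inheritable descriptor >= lowfd; return how many changed. */
int seal_inheritable_fds(int lowfd)
{
    int changed = 0;
    for (int fd = lowfd; fd < MAX_FD_SCAN; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1 || (flags & FD_CLOEXEC))
            continue;              /* not open, or already close-on-exec */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0)
            changed++;
    }
    return changed;
}

int main(void)
{
    /* Constructed sample: /dev/null stands in for a sound control device. */
    int leaky = open("/dev/null", O_RDONLY);              /* inherited on exec */
    int safe  = open("/dev/null", O_RDONLY | O_CLOEXEC);  /* closed on exec */
    printf("leaky fd %d inheritable: %d\n", leaky, fd_is_inheritable(leaky));
    printf("safe  fd %d inheritable: %d\n", safe, fd_is_inheritable(safe));
    printf("sealed %d descriptor(s) before exec\n", seal_inheritable_fds(3));
    printf("still inheritable: %d\n", count_inheritable(3));
    return 0;
}
```

Opening with O_CLOEXEC is preferable to a later F_SETFD call in multithreaded programs, because another thread can fork and exec between the two calls.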