Bug 588716

Summary: SELinux is preventing /sbin/setfiles access to a leaked udp_socket file descriptor.
Product: [Fedora] Fedora Reporter: Oded Arbel <oded>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 13CC: dct996, dwalsh, gdeschner, jlayton, mgrepl, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:1ce11e60ecd96ef9e0d6a0ba4b70afa21d973b5d3c596cba1d2e91209d38503f
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-25 20:21:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Oded Arbel 2010-05-04 11:20:54 UTC
Summary:

SELinux is preventing /sbin/setfiles access to a leaked udp_socket file
descriptor.

Detailed Description:

[restorecon has a permissive type (setfiles_t). This access was not denied.]

SELinux denied access requested by the restorecon command. It looks like this is
either a leaked descriptor or restorecon output was redirected to a file it is
not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the udp_socket. You should generate a bugzilla on selinux-policy, and
it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c102
                              3
Target Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Objects                udp_socket [ udp_socket ]
Source                        restorecon
Source Path                   /sbin/setfiles
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           policycoreutils-2.0.82-13.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-10.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.33.3-72.fc13.x86_64 #1 SMP Wed Apr 28 15:48:01
                              UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Tue 04 May 2010 02:14:36 PM IDT
Last Seen                     Tue 04 May 2010 02:14:36 PM IDT
Local ID                      90382397-17a9-4f58-b4aa-c8110a7833ae
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1272971676.271:18930): avc:  denied  { read write } for  pid=3944 comm="restorecon" path="socket:[48438]" dev=sockfs ino=48438 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=udp_socket

node=(removed) type=AVC msg=audit(1272971676.271:18930): avc:  denied  { read write } for  pid=3944 comm="restorecon" path="socket:[48439]" dev=sockfs ino=48439 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=udp_socket

node=(removed) type=SYSCALL msg=audit(1272971676.271:18930): arch=c000003e syscall=59 success=yes exit=0 a0=10793a0 a1=1079300 a2=1075100 a3=8 items=0 ppid=3940 pid=3944 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=12 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  leaks,restorecon,setfiles_t,xdm_t,udp_socket,read,write
audit2allow suggests:

#============= setfiles_t ==============
allow setfiles_t xdm_t:udp_socket { read write };

Comment 1 Daniel Walsh 2010-05-04 18:00:23 UTC
This looks like cdm is leaking a udp_socket.

Are you using any special pam configuration?

What are you using for your login application?

Comment 2 Oded Arbel 2010-05-04 20:21:55 UTC
I'm using winbind for logging in (sometimes - I also have local users).

This specific problem occurred while trying to login to GNOME using KDM.

Comment 3 Daniel Walsh 2010-05-04 20:38:00 UTC
kdm is leaking a udp_socket.  Probably related to winbind.

Comment 4 Fedora Admin XMLRPC Client 2010-10-08 14:43:17 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 5 Simo Sorce 2011-04-04 16:43:42 UTC
nss_winbind/pam_winbindd never use udp sockets afaik, so it is highly unlikely it is a winbindd bug, reassigning back to selinux policy

Comment 6 Daniel Walsh 2011-04-04 19:17:35 UTC
Oded is this happening repeatedly?  Or just once?

Comment 7 Miroslav Grepl 2011-05-25 20:21:33 UTC
Please reopen if the problem still exists.