Bug 595283

Summary: SELinux is preventing /sbin/setfiles access to a leaked /dev/null file descriptor.
Product: [Fedora] Fedora Reporter: upgradeservices
Component: anacondaAssignee: Anaconda Maintenance Team <anaconda-maint-list>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: anaconda-maint-list, dcantrell, dwalsh, jonathan, mgrepl, vanmeeuwen+fedora
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:5951803f1c4c5ddc6489ba30ce9588fe815cd84b1714f4f81bd714ba8f86cac7
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-05-24 21:16:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description upgradeservices 2010-05-24 09:36:59 UTC

SELinux is preventing /sbin/setfiles access to a leaked /dev/null file

Detailed Description:

[restorecon has a permissive type (setfiles_t). This access was not denied.]

SELinux denied access requested by the restorecon command. It looks like this is
either a leaked descriptor or restorecon output was redirected to a file it is
not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the /dev/null. You should generate a bugzilla on selinux-policy, and
it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ

Additional Information:

Source Context                unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:device_t:s0
Target Objects                /dev/null [ file ]
Source                        restorecon
Source Path                   /sbin/setfiles
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           policycoreutils-2.0.82-4.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-114.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed)
                     #1 SMP Fri Apr 30
                              19:46:25 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 24 May 2010 11:24:42 AM EDT
Last Seen                     Mon 24 May 2010 11:25:17 AM EDT
Local ID                      f1fccdf6-007b-4173-8ce7-442635146757
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1274714717.932:28544): avc:  denied  { write } for  pid=3447 comm="restorecon" path="/dev/null" dev=sda6 ino=174300 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1274714717.932:28544): arch=c000003e syscall=59 success=yes exit=0 a0=ed2830 a1=eccd60 a2=ecd2c0 a3=7fffd2f82060 items=0 ppid=3433 pid=3447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  leaks,restorecon,setfiles_t,device_t,file,write
audit2allow suggests:

#============= setfiles_t ==============
allow setfiles_t device_t:file write;

Comment 1 upgradeservices 2010-05-24 09:37:27 UTC
was running pungi:
pungi --name=fx64 --ver=F12 --destdir=/somedir/p_dest --cachedir=/somedir/p_cache --nosource --nosplitmedia --force --config=/somedir/ks.cfg -G -C -B

Comment 2 Daniel Walsh 2010-05-24 15:49:17 UTC
THis looks like pungi and SELinux is not playing well together.

Comment 3 Daniel Walsh 2010-05-24 15:49:36 UTC
Does pungi create this device?

Comment 4 Jesse Keating 2010-05-24 20:34:54 UTC
Any device creation is done by buildinstall which is part of anaconda.

Comment 5 Chris Lumens 2010-05-24 21:16:49 UTC
I suggest you not use buildinstall under enforcing.  It's too special.