Bug 616358

Summary: SELinux is preventing /sbin/modprobe access to a leaked fifo_file file descriptor.
Product: Red Hat Enterprise Linux 6
Reporter: Matěj Cepl <mcepl>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: low
Version: 6.1
CC: berrange, dwalsh, eblake, mgrepl, mmalik, syeghiay, xen-maint
Target Milestone: rc
Keywords: RHELNAK, SELinux
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-33.el6
Doc Type: Bug Fix
Last Closed: 2010-11-10 21:35:21 UTC

Description Matěj Cepl 2010-07-20 09:10:27 UTC
Summary:

SELinux is preventing /sbin/modprobe access to a leaked fifo_file file
descriptor.

Detailed description:

[modprobe is in permissive mode (insmod_t). Access was allowed.]

SELinux denied access requested by the modprobe command. It looks like this is
either a leaked descriptor or modprobe output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the fifo_file. You should generate a bugzilla on selinux-policy, and it will get
routed to the appropriate package. You can safely ignore this avc.

Allowing access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional information:

Source context                system_u:system_r:insmod_t:s0-s0:c0.c1023
Target context                system_u:system_r:virtd_t:s0-s0:c0.c1023
Target objects                fifo_file [ fifo_file ]
Source                        modprobe
Source path                   /sbin/modprobe
Port                          <Unknown>
Host                          johanka.ceplovi.cz
Source RPM packages           module-init-tools-3.9-15.el6
Target RPM packages           
Policy RPM                    selinux-policy-3.7.19-32.el6
SELinux enabled               True
Policy type                   targeted
Enforcing mode                Enforcing
Plugin name                   leaks
Host name                     johanka.ceplovi.cz
Platform                      Linux johanka.ceplovi.cz 2.6.32-44.1.el6.x86_64 #1
                              SMP Wed Jul 14 18:51:29 EDT 2010 x86_64 x86_64
Alert count                   2
First seen                    Mon 19 July 2010, 18:31:35 CEST
Last seen                     Mon 19 July 2010, 18:31:35 CEST
Local ID                      d554c034-1ed8-45e8-b292-4163ce8589bf
Line numbers                  

Raw audit messages      

node=johanka.ceplovi.cz type=AVC msg=audit(1279557095.616:12): avc:  denied  { write } for  pid=1986 comm="modprobe" path="pipe:[15870]" dev=pipefs ino=15870 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file

node=johanka.ceplovi.cz type=AVC msg=audit(1279557095.616:12): avc:  denied  { write } for  pid=1986 comm="modprobe" path="pipe:[15853]" dev=pipefs ino=15853 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file

node=johanka.ceplovi.cz type=SYSCALL msg=audit(1279557095.616:12): arch=c000003e syscall=59 success=yes exit=0 a0=ca1730 a1=7fff4b4f5e70 a2=7fff4b4f60c0 a3=7f42007129d0 items=0 ppid=1982 pid=1986 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:insmod_t:s0-s0:c0.c1023 key=(null)

Comment 2 Matěj Cepl 2010-07-20 09:29:30 UTC
Version of packages:
johanka:bugzilla-triage$ rpm -qa \*qemu\* \*virt\*
libvirt-devel-0.8.1-15.el6.x86_64
qemu-img-0.12.1.2-2.96.el6.x86_64
virt-viewer-0.2.1-2.el6.x86_64
virt-v2v-0.6.1-1.el6.x86_64
libvirt-client-0.8.1-15.el6.x86_64
libvirt-0.8.1-15.el6.x86_64
python-virtinst-0.500.3-5.el6.noarch
qemu-kvm-tools-0.12.1.2-2.96.el6.x86_64
libvirt-debuginfo-0.8.1-15.el6.x86_64
virt-manager-0.8.4-7.el6.noarch
libvirt-python-0.8.1-15.el6.x86_64
qemu-kvm-0.12.1.2-2.96.el6.x86_64
gpxe-roms-qemu-0.9.7-6.3.el6.noarch

Comment 3 RHEL Program Management 2010-07-20 09:37:50 UTC
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **

Comment 4 Miroslav Grepl 2010-07-20 11:25:30 UTC
This looks like a leaked file descriptor.

Comment 5 Daniel Berrangé 2010-07-20 11:30:01 UTC
What were you doing to trigger this problem ?

Comment 6 Daniel Walsh 2010-07-20 13:30:19 UTC
No this is not a leak.  It is a redirection of stdout.


virtd_t @ lvm_exec_t -> lvm_t @ insmod_exec_t ->insmod_t

lvm_domtrans(virtd_t) allows lvm_t to {read write} virtd_t:fifo_files, since this is stdin and stdout for lvm. But when lvm executes insmod_t it also just passes along the stdout/stdin to insmod_t, which ends up with this avc since we are not allowing lvm_t to pass on the open file descriptors.

Miroslav you have to add this allow for insmod_t.

And SELinux policy writers have to find a better way of encoding this behaviour into policy.

Comment 7 Daniel Walsh 2010-07-20 13:32:11 UTC
Rawhide now has

optional_policy(`
	virt_dontaudit_write_pipes(insmod_t)
')

########################################
## <summary>
##	Do not audit attempts to write virt daemon unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_dontaudit_write_pipes',`
	gen_require(`
		type virtd_t;
	')

	dontaudit $1 virtd_t:fifo_file write;
')
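
The reasoning in comments 6 and 7 (the denial is on a pipe that virtd_t handed to lvm_t as stdin/stdout and that lvm_t then passed to insmod_t at exec, and the fix is a dontaudit rather than an allow) can be checked mechanically against the raw audit records. The following is an added example written for this page; it is not code from the report or from selinux-policy. It takes the three audit lines quoted in the description as constructed sample input. The classification heuristic (an AVC on a pipefs fifo_file recorded under the same audit serial as a successful execve is a descriptor inherited across the domain transition, not an open the program performed itself), the x86_64 syscall number used to spot execve, and the format of the emitted policy statements are this example's own assumptions.

```python
"""Group SELinux audit records by event and flag AVC denials caused by
file descriptors inherited across a domain transition.

Added example, not part of the bug report or of selinux-policy.
"""
import re
from collections import defaultdict

# Constructed sample input: the three audit records quoted in the report.
SAMPLE_AUDIT = """\
node=johanka.ceplovi.cz type=AVC msg=audit(1279557095.616:12): avc:  denied  { write } for  pid=1986 comm="modprobe" path="pipe:[15870]" dev=pipefs ino=15870 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file
node=johanka.ceplovi.cz type=AVC msg=audit(1279557095.616:12): avc:  denied  { write } for  pid=1986 comm="modprobe" path="pipe:[15853]" dev=pipefs ino=15853 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file
node=johanka.ceplovi.cz type=SYSCALL msg=audit(1279557095.616:12): arch=c000003e syscall=59 success=yes exit=0 a0=ca1730 a1=7fff4b4f5e70 a2=7fff4b4f60c0 a3=7f42007129d0 items=0 ppid=1982 pid=1986 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:insmod_t:s0-s0:c0.c1023 key=(null)
"""

SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(?P<serial>\d+)\)')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
# Assumption: arch c000003e with syscall 59 is execve on x86_64.
EXECVE_X86_64 = ('c000003e', '59')


def parse_records(text):
    """Return {serial: [record, ...]}; each record is a dict of key=value fields."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        pm = PERMS_RE.search(line)
        rec['perms'] = tuple(pm.group('perms').split()) if pm else ()
        events[m.group('serial')].append(rec)
    return events


def domain_type(context):
    """Type field of a user:role:type:range security context."""
    return context.split(':')[2]


def analyze(text):
    """Classify every AVC denial: an AVC on a pipefs fifo_file recorded in the
    same event as a successful execve is a pipe inherited across the domain
    transition (the kernel closes it; the program never asked for it)."""
    findings = []
    for serial, records in parse_records(text).items():
        at_execve = any(
            r.get('type') == 'SYSCALL'
            and (r.get('arch'), r.get('syscall')) == EXECVE_X86_64
            and r.get('success') == 'yes'
            for r in records)
        for r in records:
            if r.get('type') != 'AVC':
                continue
            inherited = (r.get('tclass') == 'fifo_file'
                         and r.get('dev') == 'pipefs' and at_execve)
            findings.append({
                'serial': serial,
                'source': domain_type(r['scontext']),
                'target': domain_type(r['tcontext']),
                'tclass': r['tclass'],
                'perms': r['perms'],
                'verdict': 'inherited_pipe' if inherited else 'other',
            })
    return findings


def policy_rules(findings, dontaudit=True):
    """One statement per distinct (source, target, class, perms).

    dontaudit mirrors the fix in comment 7: the inherited pipe is closed and
    the noise is silenced. dontaudit=False gives the allow rule needed only
    if the redirected output on that pipe must actually get through."""
    keyword = 'dontaudit' if dontaudit else 'allow'
    rules = []
    for f in findings:
        perms = (f['perms'][0] if len(f['perms']) == 1
                 else '{ %s }' % ' '.join(f['perms']))
        rule = f"{keyword} {f['source']} {f['target']}:{f['tclass']} {perms};"
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == '__main__':
    found = analyze(SAMPLE_AUDIT)
    for f in found:
        print(f)
    print('\n'.join(policy_rules(found)))
```

For the records above this yields two inherited_pipe findings and a single statement, `dontaudit insmod_t virtd_t:fifo_file write;`, which is exactly what virt_dontaudit_write_pipes(insmod_t) expands to. The caveat the setroubleshoot text already hints at still applies: a dontaudit only hides the event, so if the pipe was a genuine stdout redirection its output is lost silently; only the allow form makes the write succeed.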

Comment 8 Miroslav Grepl 2010-07-21 15:15:06 UTC
Fixed in selinux-policy-3.7.19-33.el6.noarch

Comment 11 releng-rhel@redhat.com 2010-11-10 21:35:21 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.