Bug 616358
Field | Value
---|---
Summary | SELinux is preventing /sbin/modprobe access to a leaked fifo_file file descriptor.
Product | Red Hat Enterprise Linux 6
Reporter | Matěj Cepl <mcepl>
Component | selinux-policy
Assignee | Daniel Walsh <dwalsh>
Status | CLOSED CURRENTRELEASE
QA Contact | Milos Malik <mmalik>
Severity | medium
Priority | low
Version | 6.1
CC | berrange, dwalsh, eblake, mgrepl, mmalik, syeghiay, xen-maint
Target Milestone | rc
Keywords | RHELNAK, SELinux
Target Release | ---
Hardware | All
OS | Linux
Fixed In Version | selinux-policy-3.7.19-33.el6
Doc Type | Bug Fix
Story Points | ---
Last Closed | 2010-11-10 21:35:21 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Description
Matěj Cepl
2010-07-20 09:10:27 UTC
Version of packages:

```
johanka:bugzilla-triage$ rpm -qa \*qemu\* \*virt\*
libvirt-devel-0.8.1-15.el6.x86_64
qemu-img-0.12.1.2-2.96.el6.x86_64
virt-viewer-0.2.1-2.el6.x86_64
virt-v2v-0.6.1-1.el6.x86_64
libvirt-client-0.8.1-15.el6.x86_64
libvirt-0.8.1-15.el6.x86_64
python-virtinst-0.500.3-5.el6.noarch
qemu-kvm-tools-0.12.1.2-2.96.el6.x86_64
libvirt-debuginfo-0.8.1-15.el6.x86_64
virt-manager-0.8.4-7.el6.noarch
libvirt-python-0.8.1-15.el6.x86_64
qemu-kvm-0.12.1.2-2.96.el6.x86_64
gpxe-roms-qemu-0.9.7-6.3.el6.noarch
```

This issue has been proposed when we are only considering blocker issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current release, ask your support representative to file as a blocker on your behalf. Otherwise ask that it be considered for the next Red Hat Enterprise Linux release. **

This looks like a leaked file descriptor. What were you doing to trigger this problem?

No, this is not a leak. It is a redirection of stdout.

virtd_t @ lvm_exec_t -> lvm_t @ insmod_exec_t -> insmod_t

lvm_domtrans(virtd_t) allows lvm_t to {read write} virtd_t:fifo_files, since this is stdin and stdout for lvm. But when lvm executes insmod_t it also just passes along the stdout/stdin to insmod_t, which ends up with this AVC since we are not allowing lvm_t to pass on the open file descriptors.

Miroslav, you have to add this allow for insmod_t. And SELinux policy writers have to find a better way of encoding this behaviour into policy.

Rawhide now has:

```
optional_policy(`
	virt_dontaudit_write_pipes(insmod_t)
')
```

```
########################################
## <summary>
##	Do not audit attempts to write virt daemon unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_dontaudit_write_pipes',`
	gen_require(`
		type virtd_t;
	')

	dontaudit $1 virtd_t:fifo_file write;
')
```

Fixed in selinux-policy-3.7.19-33.el6.noarch

Red Hat Enterprise Linux 6.0 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.
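As an added example, not code from the bug report or from the selinux-policy package: a small Python script that parses an AVC record of the kind this report is about (insmod_t writing to a pipe labelled virtd_t, inherited through the virtd_t -> lvm_t -> insmod_t chain) and renders both the raw TE rule and the `virt_dontaudit_write_pipes` interface call that silences it. The AVC line is constructed for illustration and the function names are my own.

```python
import re

# Constructed sample AVC record, modelled on the denial in this bug (not copied
# from the report): modprobe runs as insmod_t after virtd_t -> lvm_t -> insmod_t
# and writes to the pipe that virtd_t set up as lvm's redirected stdout.
SAMPLE_AVC = (
    'type=AVC msg=audit(1279616427.123:42): avc:  denied  { write } for '
    'pid=1234 comm="modprobe" path="pipe:[98765]" dev=pipefs ino=98765 '
    'scontext=system_u:system_r:insmod_t:s0 '
    'tcontext=system_u:system_r:virtd_t:s0 tclass=fifo_file'
)

def parse_avc(line):
    """Split one AVC record into its permission set and key=value fields."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    rec['perms'] = sorted(m.group(1).split())
    for ctx in ('scontext', 'tcontext'):
        # user:role:type[:range] -> keep only the type, which is what TE rules name
        rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec

def is_inherited_pipe(rec):
    """True when the object is an unnamed pipe on pipefs (a redirected stdin/stdout
    handed down across exec), as opposed to a named FIFO on disk."""
    return rec.get('tclass') == 'fifo_file' and rec.get('path', '').startswith('pipe:')

def policy_rule(rec, dontaudit=True):
    """Render the raw TE rule that would silence (dontaudit) or permit (allow) this denial."""
    kind = 'dontaudit' if dontaudit else 'allow'
    perms = rec['perms'][0] if len(rec['perms']) == 1 else '{ %s }' % ' '.join(rec['perms'])
    return '%s %s %s:%s %s;' % (kind, rec['scontext_type'], rec['tcontext_type'], rec['tclass'], perms)

def interface_call(rec):
    """Map the denial onto the refpolicy interface this bug added when it fits
    (write to a virtd_t pipe); otherwise fall back to the raw rule."""
    if (is_inherited_pipe(rec) and rec['tcontext_type'] == 'virtd_t'
            and rec['perms'] == ['write']):
        return "optional_policy(`\n\tvirt_dontaudit_write_pipes(%s)\n')" % rec['scontext_type']
    return policy_rule(rec)

if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print(policy_rule(rec))
    print(interface_call(rec))
```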