Bug 628275

Summary: SELinux is preventing /sbin/setfiles access to a leaked netlink_route_socket file descriptor.
Product: [Fedora] Fedora Reporter: Bob Bitton <bobbitton>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: al-gallegos, bobbitton, brucelm, dcpub, dennismattinglyzzark, don-redhat-z6y, dwalsh, frank.thrum, geslinux, greg.rancic, gwduker, hobbes1069, jim.cromie, jpgorrono, k.weiz, mgrepl, rnichols42, robatino, robert.l.kief, samuelnemalladinne, sannegha, szoke.karcsi, tsozik
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:086acc2321e3bfb055fce67e892dac1be81865cb3093ca773d79db621929fd59
Fixed In Version: selinux-policy-3.6.32-123.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-10-14 06:33:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
sealert report none

Description Bob Bitton 2010-08-29 04:41:16 UTC 
Summary:

SELinux is preventing /sbin/setfiles access to a leaked netlink_route_socket
file descriptor.

Detailed Description:

[restorecon has a permissive type (setfiles_t). This access was not denied.]

SELinux denied access requested by the restorecon command. It looks like this is
either a leaked descriptor or restorecon output was redirected to a file it is
not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the netlink_route_socket. You should generate a bugzilla on
selinux-policy, and it will get routed to the appropriate package. You can
safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c102
                              3
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                netlink_route_socket [ netlink_route_socket ]
Source                        restorecon
Source Path                   /sbin/setfiles
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           policycoreutils-2.0.82-4.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-121.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.19-163.fc12.i686 #1 SMP
                              Wed Aug 18 11:39:59 UTC 2010 i686 athlon
Alert Count                   2
First Seen                    Sat 28 Aug 2010 10:40:32 PM MDT
Last Seen                     Sat 28 Aug 2010 10:40:32 PM MDT
Local ID                      faa26c80-3334-4f30-901c-b0009fdeb439
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1283056832.483:29744): avc:  denied  { read write } for  pid=17037 comm="restorecon" path="socket:[264344]" dev=sockfs ino=264344 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=netlink_route_socket

node=(removed) type=SYSCALL msg=audit(1283056832.483:29744): arch=40000003 syscall=11 success=yes exit=0 a0=9573f80 a1=9574010 a2=9572bc8 a3=9574010 items=0 ppid=17036 pid=17037 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  leaks,restorecon,setfiles_t,unconfined_t,netlink_route_socket,read,write
audit2allow suggests:

#============= setfiles_t ==============
allow setfiles_t unconfined_t:netlink_route_socket { read write };
Comment 1 Daniel Walsh 2010-08-30 13:33:56 UTC 
Miroslav add

	ifdef(`hide_broken_symptoms', `
		dontaudit setfiles_t $1:socket_class_set { read write };
	')

To
seutil_domtrans_setfiles

In F12/F13.

Bob, do you have any idea what you were running when this happened?  We you updating software?
Comment 2 Bob Bitton 2010-08-30 14:23:13 UTC 
I just exited out of system-config-network
Comment 3 Robert Nichols 2010-08-31 13:16:14 UTC 
In my case the system was just waking up from a suspend, and for some reason came up with networking disabled.  I had to restart NetworkManager to get networking back on, but the AVC occurred prior to my doing that.  That's not a reproducible scenario.  Normally that laptop wakes up from suspend just fine, with no AVCs.

kernel-2.6.32.19-163.fc12.i686
NetworkManager-0.8.1-3.git20100813.fc12.i686
selinux-policy-3.6.32-121.fc12.noarch
selinux-policy-targeted-3.6.32-121.fc12.noarch
Comment 4 Daniel Walsh 2010-08-31 14:02:20 UTC 
Robert are you sure you have the same symptoms.  unconfined_t should not be involved in an suspend/resume.
Comment 5 Robert Nichols 2010-08-31 18:31:59 UTC 
Created attachment 442248 [details]
sealert report

All I know is that sealert linked to this bug when I clicked on "Report."  Here's an attachment with the full report.
Comment 6 Daniel Walsh 2010-09-01 13:00:52 UTC 
Can you get it to happen again?
Comment 7 Robert Nichols 2010-09-01 22:48:43 UTC 
Yes, I've found a way to get that AVC to happen very easily.  It is only indirectly related to the NetworkManager problem.  If, from the System->Administration menu, I click on "Network" and supply the root password to bring up system-config-network, then I get that AVC twice.  I do not see any AVCs if I invoke system-config-network from a terminal running a root shell.  This is on a system where all interfaces are being controlled by NetworkManager, so system-config-network has nothing it can control anyway.

Hope that helps.
Comment 8 Daniel Walsh 2010-09-02 15:45:33 UTC 
THis means that something in the login procedure is leaking a link to netlink_route_socket.  Perhaps xdm?
Comment 9 Andre Robatino 2010-09-04 05:27:01 UTC 
I see this in F12 x86_64 when running system-config-network and selecting File/Save (to test the fix for bug 589593). Don't believe I saw it in F13 or higher when doing the same thing. Was sent here automatically when sending the sealert report.
Comment 10 Frank Thrum 2010-09-13 06:42:37 UTC 
I got the trouble after running my laptop on low/critical power.
After power plugin and restart the computer (acer extensa 5620, Fedora 12) the networking (wlan) didnt came up.
Within the network manager the button/action "enable networking" couldnt be activated properly, and the console command
"/etc/init.d/network restart/(or start)" failed for the wlan interface.
I remember that I had the troublle many time befor.
Additional commment:
during the go down due to low power I watched a flash video within mozilla firefox 3.5.12.
Comment 11 Miroslav Grepl 2010-10-01 06:02:26 UTC 
Fixed in selinux-policy-3.6.32-123.fc12
Comment 12 Fedora Update System 2010-10-01 08:48:28 UTC 
selinux-policy-3.6.32-123.fc12 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/selinux-policy-3.6.32-123.fc12
Comment 13 Fedora Update System 2010-10-05 09:32:59 UTC 
selinux-policy-3.6.32-123.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.6.32-123.fc12
Comment 14 Fedora Update System 2010-10-14 06:33:08 UTC 
selinux-policy-3.6.32-123.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.