Bug 707279

Summary: SELinux is preventing /sbin/consoletype from 'write' accesses on the fifo_file fifo_file.
Product: [Fedora] Fedora Reporter: Andrey <michkin_a>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 14CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:c1a791a7b7ab18f46705ed32007c72ae94e6f806d581fd06997ebb9493665fcd
Fixed In Version: selinux-policy-3.9.7-42.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-07-12 05:17:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Andrey 2011-05-24 15:08:58 UTC 
SELinux is preventing /sbin/consoletype from 'write' accesses on the fifo_file fifo_file.

*****  Plugin leaks (50.5 confidence) suggests  ******************************

If you want to ignore consoletype trying to write access the fifo_file fifo_file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /sbin/consoletype /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (50.5 confidence) suggests  ***************************

If you believe that consoletype should be allowed write access on the fifo_file fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep consoletype /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:consoletype_t:s0-s0:c0.c1023
Target Context                system_u:system_r:udev_t:s0-s0:c0.c1023
Target Objects                fifo_file [ fifo_file ]
Source                        consoletype
Source Path                   /sbin/consoletype
Port                          <Неизвестно>
Host                          (removed)
Source RPM Packages           initscripts-9.20.2-1.fc14.1
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-40.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.13-91.fc14.x86_64 #1 SMP
                              Tue May 3 13:23:06 UTC 2011 x86_64 x86_64
Alert Count                   4
First Seen                    Втр 17 Май 2011 09:38:19
Last Seen                     Втр 17 Май 2011 09:39:29
Local ID                      de3712c1-cfe4-448d-8679-cf27d7a7f39d

Raw Audit Messages
type=AVC msg=audit(1305610769.186:226): avc:  denied  { write } for  pid=11515 comm="consoletype" path="pipe:[1209537]" dev=pipefs ino=1209537 scontext=system_u:system_r:consoletype_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=fifo_file


type=SYSCALL msg=audit(1305610769.186:226): arch=x86_64 syscall=execve success=yes exit=0 a0=25645f0 a1=2562590 a2=2560900 a3=0 items=0 ppid=11514 pid=11515 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=consoletype exe=/sbin/consoletype subj=system_u:system_r:consoletype_t:s0-s0:c0.c1023 key=(null)

Hash: consoletype,consoletype_t,udev_t,fifo_file,write

audit2allow

#============= consoletype_t ==============
allow consoletype_t udev_t:fifo_file write;

audit2allow -R

#============= consoletype_t ==============
allow consoletype_t udev_t:fifo_file write;
Comment 1 Dominick Grift 2011-05-24 15:28:00 UTC 
Can you reproduce this issue? I don't see how this would be needed. udev runs consoletype in the udev_t domain.
Comment 2 Daniel Walsh 2011-05-24 16:04:39 UTC 
This is a transition problem.

udev_t transitioned to another domain, which transitioned to consoletype_t.

Likely culpret

sysnet_domtrans_dhcpc(udev_t)

So the fifo_file opened by udev is eventually handed to consoletype and SELinux blocks the access.

Probably should just turn on the domtrans and deal with the leaked file descriptors.
Comment 3 Dominick Grift 2011-05-24 18:59:04 UTC 
My attempt to fix this is in master branch:

http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=ae7b2255d6993dbd63d0a1342f05e6282c19551d
Comment 4 Miroslav Grepl 2011-05-27 10:53:25 UTC 
Fixed in selinux-policy-3.9.7-42.fc14
Comment 5 Fedora Update System 2011-05-27 15:46:37 UTC 
selinux-policy-3.9.7-42.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-42.fc14
Comment 6 Fedora Update System 2011-05-27 20:28:36 UTC 
Package selinux-policy-3.9.7-42.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-42.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-42.fc14
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2011-07-12 05:16:06 UTC 
selinux-policy-3.9.7-42.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.