Bug 732937

Summary: SELinux is preventing /sbin/ldconfig from 'append' accesses on the chr_file /dev/tty3.
Product: [Fedora] Fedora Reporter: Michal Nowak <mnowak>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: anaconda-maint-list, awilliam, dominick.grift, dwalsh, icj, jonathan, kparal, mgrepl, mikhail.v.gavrilov, ohudlick, shnurapet, vanmeeuwen+fedora
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:c8b638e061c2b1576641bcb7cb98ead15cc112e148745dd56ffd1a11e469976a
Fixed In Version: selinux-policy-3.10.0-38.fc16 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-10-09 19:35:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michal Nowak 2011-08-24 08:12:58 UTC 
abrt version: 2.0.5
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.0.0-1.fc16.x86_64
reason:         SELinux is preventing /sbin/ldconfig from 'append' accesses on the chr_file /dev/tty3.
time:           Wed Aug 24 10:12:42 2011

description:
:SELinux is preventing /sbin/ldconfig from 'append' accesses on the chr_file /dev/tty3.
:
:*****  Plugin leaks (50.5 confidence) suggests  ******************************
:
:If you want to ignore ldconfig trying to append access the tty3 chr_file, because you believe it should not need this access.
:Then you should report this as a bug.  
:You can generate a local policy module to dontaudit this access.
:Do
:# grep /sbin/ldconfig /var/log/audit/audit.log | audit2allow -D -M mypol
:# semodule -i mypol.pp
:
:*****  Plugin catchall (50.5 confidence) suggests  ***************************
:
:If you believe that ldconfig should be allowed append access on the tty3 chr_file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep ldconfig /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c102
:                              3
:Target Context                system_u:object_r:tty_device_t:s0
:Target Objects                /dev/tty3 [ chr_file ]
:Source                        ldconfig
:Source Path                   /sbin/ldconfig
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           glibc-2.14.90-4
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-15.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux nilgiri 3.0.0-1.fc16.x86_64 #1 SMP Fri Jul
:                              22 16:09:29 UTC 2011 x86_64 x86_64
:Alert Count                   1
:First Seen                    Wed 24 Aug 2011 10:11:44 AM CEST
:Last Seen                     Wed 24 Aug 2011 10:11:44 AM CEST
:Local ID                      c211495f-45f6-405c-bc3b-78c827325d11
:
:Raw Audit Messages
:type=AVC msg=audit(1314173504.293:69): avc:  denied  { append } for  pid=15478 comm="ldconfig" path="/dev/tty3" dev=devtmpfs ino=4063 scontext=unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
:
:
:type=AVC msg=audit(1314173504.293:69): avc:  denied  { read write } for  pid=15478 comm="ldconfig" path="/dev/mapper/control" dev=devtmpfs ino=5557 scontext=unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
:
:
:type=SYSCALL msg=audit(1314173504.293:69): arch=x86_64 syscall=execve success=yes exit=0 a0=265b020 a1=266c300 a2=2696a80 a3=7fffc5558830 items=0 ppid=2199 pid=15478 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=ldconfig exe=/sbin/ldconfig subj=unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c1023 key=(null)
:
:Hash: ldconfig,ldconfig_t,tty_device_t,chr_file,append
:
:audit2allow
:
:#============= ldconfig_t ==============
:allow ldconfig_t lvm_control_t:chr_file { read write };
:allow ldconfig_t tty_device_t:chr_file append;
:
:audit2allow -R
:
:#============= ldconfig_t ==============
:allow ldconfig_t lvm_control_t:chr_file { read write };
:allow ldconfig_t tty_device_t:chr_file append;
:
Comment 1 Daniel Walsh 2011-08-26 21:30:37 UTC 
What app were you running when this happened these are clearly leaks.

lvm?
Comment 2 Michal Nowak 2011-08-29 09:16:31 UTC 
(In reply to comment #1)
> What app were you running when this happened these are clearly leaks.

No idea...

> lvm?

Not intentionally.


I was just exploring F16's GNOME Shell experience.
Comment 3 Daniel Walsh 2011-08-29 16:08:03 UTC 
Ok well unless you can get it to happen again and figure out which app causes it, there is not much we can do.

I would figure it was some kind of control app.
Comment 4 Adam Williamson 2011-09-23 22:45:46 UTC 
I hit this during a live install of F16 (using a personal build with various pre-Beta RC2 builds in it).

I'll re-open if it turns out to consistently happen during Beta rC2 live installs.
Comment 5 Kamil Páral 2011-09-27 11:33:33 UTC 
I hit this when doing a default install of Fedora 16 Beta RC3 x86_64 Live. The notification popped up at the end of the installation (around bootloader installation).
Comment 6 Daniel Walsh 2011-09-27 13:16:11 UTC 
It very well could be leaks from the installation program.
Comment 7 Kamil Páral 2011-09-27 14:29:54 UTC 
I've seen in again, when installing on bare metal from Live image. It seems like easily reproducible. What should I do to help debug this?
Comment 8 Daniel Walsh 2011-09-29 14:30:32 UTC 
It is probably something anaconda is leaking, although the append to tty_device_t might be intentional.
Comment 9 Daniel Walsh 2011-09-29 14:33:03 UTC 
I added a couple of dontaudit rules to stop ldconfig_t from complaining, although these will not cause anything to break.

Should be in selinux-policy-3.10.0-35.fc16
Comment 10 Chris Lumens 2011-09-30 20:58:30 UTC 
This could be anaconda's logging code:

pyanaconda/isys/log.c:    main_log_tty = fopen("/dev/tty3", "a");

I'm afraid I don't know enough about the problem space here to know what's wrong or how to fix it.  Got any pointers?
Comment 11 Daniel Walsh 2011-10-03 14:54:29 UTC 
Chris you are not doing anything wrong, I think we should just dontaudit these access.

The lvm_control is the one I would like to see fixed.  Outputting to a tty is expected.
Comment 12 Fedora Update System 2011-10-04 11:16:41 UTC 
selinux-policy-3.10.0-36.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-36.fc16
Comment 13 Fedora Update System 2011-10-04 20:49:19 UTC 
Package selinux-policy-3.10.0-36.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-36.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-36.fc16
then log in and leave karma (feedback).
Comment 14 Fedora Update System 2011-10-09 19:35:47 UTC 
selinux-policy-3.10.0-38.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.