Bug 866620
| Summary: | SELinux is preventing /usr/sbin/setfiles from 'read' accesses on the chr_file /dev/urandom. | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Luke Macken <lmacken> | ||||||
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 18 | CC: | dominick.grift, dwalsh, jan.teichmann, mgrepl, pfrields, sandro, w_pirker | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | abrt_hash:0fc83ee11f48934f88dad03d3b42b32acea36c4288d4ea955dc5ec3c9eee3dfe | ||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2012-12-20 15:16:47 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Created attachment 627603 [details]
File: type
Created attachment 627604 [details]
File: hashmarkername
This is a leaked file descriptor. Some app that launches restorecon has a open file descriptor to /dev/urandom. Booted Beta TC6 KDE LiveCD from USB stick and performed an installation. Don't know when exactly the alert showed up, unfortunately. Package: (null) OS Release: Fedora release 18 (Spherical Cow) Added dontaudit Fixed in selinux-policy-3.11.1-47.fc18.noarch selinux-policy-3.11.1-50.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-50.fc18 Package selinux-policy-3.11.1-50.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-50.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-17705/selinux-policy-3.11.1-50.fc18 then log in and leave karma (feedback). happend when the installation from the F18 beta LiveCD finished Package: (null) OS Release: Fedora release 18 (Spherical Cow) selinux-policy-3.11.1-50.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: Triggered during a Fedora 18 Beta TC4 live installation Additional info: libreport version: 2.0.14 kernel: 3.6.1-1.fc18.x86_64 description: :SELinux is preventing /usr/sbin/setfiles from 'read' accesses on the chr_file /dev/urandom. : :***** Plugin catchall (100. confidence) suggests *************************** : :If you believe that setfiles should be allowed read access on the urandom chr_file by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep restorecon /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c102 : 3 :Target Context system_u:object_r:urandom_device_t:s0 :Target Objects /dev/urandom [ chr_file ] :Source restorecon :Source Path /usr/sbin/setfiles :Port <Unknown> :Host (removed) :Source RPM Packages policycoreutils-2.1.12-5.fc18.x86_64 :Target RPM Packages :Policy RPM selinux-policy-3.11.1-36.fc18.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Permissive :Host Name (removed) :Platform Linux (removed) 3.6.1-1.fc18.x86_64 #1 SMP Mon Oct : 8 17:19:09 UTC 2012 x86_64 x86_64 :Alert Count 1 :First Seen 2012-10-15 13:54:06 EDT :Last Seen 2012-10-15 13:54:06 EDT :Local ID 8b05fed5-ca3f-4e2d-86fc-416ef22ccf83 : :Raw Audit Messages :type=AVC msg=audit(1350323646.286:310): avc: denied { read } for pid=9917 comm="restorecon" path="/dev/urandom" dev="devtmpfs" ino=4507 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file : : :type=AVC msg=audit(1350323646.286:310): avc: denied { read } for pid=9917 comm="restorecon" path="/dev/random" dev="devtmpfs" ino=4506 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file : : :type=SYSCALL msg=audit(1350323646.286:310): arch=x86_64 syscall=execve success=yes exit=0 a0=20c78f0 a1=20c7990 a2=20c8280 a3=7fff0583e090 items=0 ppid=9916 pid=9917 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null) : :Hash: restorecon,setfiles_t,urandom_device_t,chr_file,read : :audit2allow : :#============= setfiles_t ============== :allow setfiles_t random_device_t:chr_file read; :#!!!! This avc can be allowed using the boolean 'global_ssp' : :allow setfiles_t urandom_device_t:chr_file read; : :audit2allow -R : :#============= setfiles_t ============== :allow setfiles_t random_device_t:chr_file read; :#!!!! This avc can be allowed using the boolean 'global_ssp' : :allow setfiles_t urandom_device_t:chr_file read; :