Bug 1003157 - SELinux is preventing /usr/sbin/ethtool from 'write' accesses on the file /run/lock/lmt-req.lock.
Summary: SELinux is preventing /usr/sbin/ethtool from 'write' accesses on the file /ru...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:eec4cd742d49a6b8a868892dd5a...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-08-31 09:13 UTC by Zoltan Hoppar
Modified: 2013-09-12 01:53 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.12.1-74.2.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-09-12 01:53:15 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Zoltan Hoppar 2013-08-31 09:13:54 UTC
Description of problem:
SELinux is preventing /usr/sbin/ethtool from 'write' accesses on the file /run/lock/lmt-req.lock.

*****  Plugin leaks (86.2 confidence) suggests  ******************************

If ki szeretné hagyni ethtool write hozzáférési próbálkozását itt:  lmt-req.lock file - mivel úgy gondolja, hogy nincs szüksége erre a hozzáférésre.
Then jeletse ezt hibaként. 
Előállíthatja a helyi szabályzat modult hogy ne auditálja ezt a hozzáférést.
Do
# grep /usr/sbin/ethtool /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests  ***************************

If ha úgy érzi, hogy ethtool számára engedélyezni kell write hozzáférést itt: lmt-req.lock file alapértelmezésben.
Then ezt jelentenie kell, mint hibát.
Hogy engedélyezze ezt a hozzáférést előállíthat egy helyi szabálymodult.
Do
engedélyezheti ezt a hozzáférést most ezzel:
# grep ethtool /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ifconfig_t:s0-s0:c0.c1023
Target Context                system_u:object_r:lvm_lock_t:s0
Target Objects                /run/lock/lmt-req.lock [ file ]
Source                        ethtool
Source Path                   /usr/sbin/ethtool
Port                          <Ismeretlen>
Host                          (removed)
Source RPM Packages           wireless-tools-29-9.1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-73.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.9-200.fc19.x86_64 #1 SMP Wed
                              Aug 21 19:27:58 UTC 2013 x86_64 x86_64
Alert Count                   22
First Seen                    2013-08-30 14:21:02 CEST
Last Seen                     2013-08-31 11:00:42 CEST
Local ID                      8ca11510-c940-4793-9d6f-e6dffa4a54f8

Raw Audit Messages
type=AVC msg=audit(1377939642.978:459): avc:  denied  { write } for  pid=3610 comm="iwconfig" path="/run/lock/lmt-req.lock" dev="tmpfs" ino=11036 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file


type=AVC msg=audit(1377939642.978:459): avc:  denied  { write } for  pid=3610 comm="iwconfig" path="/run/lock/lmt-invoc.lock" dev="tmpfs" ino=12641 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file


type=SYSCALL msg=audit(1377939642.978:459): arch=x86_64 syscall=execve success=yes exit=0 a0=146bec0 a1=146abf0 a2=13f9e00 a3=8 items=0 ppid=3608 pid=3610 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=iwconfig exe=/usr/sbin/iwconfig subj=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 key=(null)

Hash: ethtool,ifconfig_t,lvm_lock_t,file,write

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.9-200.fc19.x86_64
type:           libreport

Comment 1 Miroslav Grepl 2013-09-03 10:08:07 UTC
Do you know what you were doing when this happened? This is a leak file descriptor.

Comment 2 Zoltan Hoppar 2013-09-03 10:59:13 UTC
(In reply to Miroslav Grepl from comment #1)
> Do you know what you were doing when this happened? This is a leak file
> descriptor.

I have received the latest kernel 3.10.10, and several times it happened in boot time, and sometimes is just popped on active desktop with abrt. Lately as I have received updates, not anymore.

Comment 3 Zoltan Hoppar 2013-09-03 10:59:58 UTC
Sorry, not abrt, SElinux.

Comment 4 Daniel Walsh 2013-09-04 13:45:06 UTC
517fc704b173370572cf418d805491d65117ce05 adds dontaudit rules for these leaks.

Most likely a shell script sets up the lock file with something like

command > /run/lock/lmt-req.lock << _EOF
LOTS of commnds
_EOF

Comment 6 Fedora Update System 2013-09-09 07:53:53 UTC
selinux-policy-3.12.1-74.2.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.2.fc19

Comment 7 Fedora Update System 2013-09-09 23:57:02 UTC
Package selinux-policy-3.12.1-74.2.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.2.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-16231/selinux-policy-3.12.1-74.2.fc19
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2013-09-12 01:53:15 UTC
selinux-policy-3.12.1-74.2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.