The catchall plugin adds instance specific information to the signature, e.g.: <object_path>pipe:[13491]</object_path> The description contains: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for pipe:[13491], restorecon -v pipe:[13491] We need to decide if we want every catchall to be an independent alert or collapse them based on signature. Putting the pipe identifier in the object path will cause each event to be unique, do we want this? If so we should define a better way to assure uniqueness asides from relying on object_path uniqueness.
Dan, we need need to brainstorm a little on this one. The fundamental issue is: Should the catchall plugin always generate a unique alert? If the answer is yes then we don't have a mechanism yet which guarantees this, we may be getting unique alerts only as an unintended side effect If they are always unique we might end up generating quite a few of these alerts all basically identical. Perhaps the best thing is for the catchall plugin to generate a signature which represents the AVC that triggered it, but omit any instance specific information which would lead to a vast collection of virtually identical alerts, instead we would end up with just a handful of catchall's representative of a collection of problems we failed to analyze. Individual plugin's can now override through class inheritace the signature generation if that is necessary.
I am changin catchall to catchall.py and catchall_file, such that the reference above would not happen on a non file_context issue. We will report a one bug if restorecon could fix it and another if it would not be able to . So a fifo_file would not generate the above avc message. setroubleshoot-1.1
Fedora Core 5 and Fedora Core 6 are, as we're sure you've noticed, no longer test releases. We're cleaning up the bug database and making sure important bug reports filed against these test releases don't get lost. It would be helpful if you could test this issue with a released version of Fedora or with the latest development / test release. Thanks for your help and for your patience. [This is a bulk message for all open FC5/FC6 test release bugs. I'm adding myself to the CC list for each bug, so I'll see any comments you make after this and do my best to make sure every issue gets proper attention.]
closing, current releases strip instance information out of socket and pipe path information, this was the primary culprit.