The catchall plugin adds instance specific information to the signature, e.g.:
The description contains:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for pipe:, restorecon -v pipe:
We need to decide if we want every catchall to be an independent alert or
collapse them based on signature. Putting the pipe identifier in the object path
will cause each event to be unique, do we want this? If so we should define a
better way to assure uniqueness asides from relying on object_path uniqueness.
Dan, we need need to brainstorm a little on this one. The fundamental issue is:
Should the catchall plugin always generate a unique alert?
If the answer is yes then we don't have a mechanism yet which guarantees this,
we may be getting unique alerts only as an unintended side effect
If they are always unique we might end up generating quite a few of these alerts
all basically identical.
Perhaps the best thing is for the catchall plugin to generate a signature which
represents the AVC that triggered it, but omit any instance specific information
which would lead to a vast collection of virtually identical alerts, instead we
would end up with just a handful of catchall's representative of a collection of
problems we failed to analyze. Individual plugin's can now override through
class inheritace the signature generation if that is necessary.
I am changin catchall to catchall.py and catchall_file, such that the reference
above would not happen on a non file_context issue. We will report a one bug if
restorecon could fix it and another if it would not be able to . So a fifo_file
would not generate the above avc message.
Fedora Core 5 and Fedora Core 6 are, as we're sure you've noticed, no longer
test releases. We're cleaning up the bug database and making sure important bug
reports filed against these test releases don't get lost. It would be helpful if
you could test this issue with a released version of Fedora or with the latest
development / test release. Thanks for your help and for your patience.
[This is a bulk message for all open FC5/FC6 test release bugs. I'm adding
myself to the CC list for each bug, so I'll see any comments you make after this
and do my best to make sure every issue gets proper attention.]
closing, current releases strip instance information out of socket and pipe path
information, this was the primary culprit.