Description of problem:
setroubleshoot alerts: SELinux is preventing /usr/sbin/irqbalance (irqbalance_t) access to net (proc_net_t)

This just started happening. I have no clue what caused it to start. The only thing I did today was install about 24 packages that it was requesting me to install.

Version-Release number of selected component (if applicable):
I'm not even sure what component is the problem, selinux or irqbalance:
selinux-policy-2.4.6-7.fc6
irqbalance-0.55-2.fc6

How reproducible:
every login, every user

Steps to Reproduce:
1. login
2.
3.

Actual results:

Expected results:
no avc violation

Additional info:
I can confirm this one, it happens also to me, since the last selinux update. This is an extract from /var/log/message, with grep irqbalance and audit. Please note the embedded comments below.

Start of the PC after upgrading selinux stuff:

Dec 15 09:29:33 rain2 kernel: audit(1166171360.001:4): avc: denied { search } for pid=2003 comm="irqbalance" name="net" dev=proc ino=-268435432 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
Dec 15 09:29:34 rain2 kernel: audit(1166171369.555:5): avc: denied { search } for pid=2003 comm="irqbalance" name="net" dev=proc ino=-268435432 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
Dec 15 09:29:39 rain2 kernel: audit(1166171379.001:6): avc: denied { search } for pid=2003 comm="irqbalance" name="net" dev=proc ino=-268435432 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir

... and so on, I have more, but I think this is enough.

Tried to set the /usr/sbin/irqbalance context to unconfined_t, as a result of some research. Stopped irqbalance and then chcon -t ...

Dec 15 09:43:21 rain2 kernel: audit(1166172201.454:19): avc: denied { relabelto } for pid=3128 comm="chcon" name="irqbalance" dev=dm-0 ino=3746247 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unconfined_t:s0 tclass=file
Dec 15 09:43:37 rain2 kernel: audit(1166172217.876:20): avc: denied { relabelto } for pid=3130 comm="chcon" name="irqbalance" dev=dm-0 ino=3746247 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unconfined_t:s0 tclass=file

Reboot, just to be sure...

Dec 15 09:53:06 rain2 kernel: audit(1166172775.532:3): avc: denied { search } for pid=2001 comm="irqbalance" name="net" dev=proc ino=-268435432 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
Dec 15 09:53:07 rain2 kernel: audit(1166172775.532:4): avc: denied { read } for pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:07 rain2 kernel: audit(1166172775.532:5): avc: denied { getattr } for pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:07 rain2 kernel: audit(1166172775.533:6): avc: denied { create } for pid=2001 comm="irqbalance" scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 09:53:07 rain2 kernel: audit(1166172775.533:7): avc: denied { ioctl } for pid=2001 comm="irqbalance" name="[8830]" dev=sockfs ino=8830 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 09:53:07 rain2 kernel: audit(1166172775.533:8): avc: denied { net_admin } for pid=2001 comm="irqbalance" capability=12 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=capability
Dec 15 09:53:07 rain2 kernel: audit(1166172785.001:9): avc: denied { search } for pid=2001 comm="irqbalance" name="net" dev=proc ino=-268435432 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
Dec 15 09:53:07 rain2 kernel: audit(1166172785.001:10): avc: denied { read } for pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:07 rain2 kernel: audit(1166172785.001:11): avc: denied { getattr } for pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:35 rain2 kernel: audit(1166172815.001:12): avc: denied { read } for pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:35 rain2 kernel: audit(1166172815.002:13): avc: denied { getattr } for pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

Setting selinux to permissive mode and reboot.

Dec 15 09:58:15 rain2 kernel: audit(1166173095.001:14): avc: denied { create } for pid=2001 comm="irqbalance" scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 09:58:15 rain2 kernel: audit(1166173095.001:15): avc: denied { ioctl } for pid=2001 comm="irqbalance" name="[12025]" dev=sockfs ino=12025 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 09:58:15 rain2 kernel: audit(1166173095.001:16): avc: denied { net_admin } for pid=2001 comm="irqbalance" capability=12 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=capability
Dec 15 10:03:35 rain2 kernel: audit(1166173415.001:17): avc: denied { create } for pid=2001 comm="irqbalance" scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 10:03:35 rain2 kernel: audit(1166173415.001:18): avc: denied { ioctl } for pid=2001 comm="irqbalance" name="[12460]" dev=sockfs ino=12460 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket

As you can see, after trying the chcon the denial is no longer only { search }, but something more as well.
So, apart from the original denial problem, do the denials after chcon (which seems to have failed) show something is broken? Thanks.
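Added example, not code from the bug report or from the selinux-policy project: a small Python triage script that parses AVC denial lines like the ones quoted above into (source type, target type, class, permission) tuples, counts them, and reports which tuples first appear at or after a given timestamp, which is the question asked above about the denials that followed the chcon attempt. The sample lines are copied from the comment above with the syslog prefix dropped; `CHCON_TS` is the timestamp of the first chcon denial quoted there.

```python
import re
from collections import Counter

# Constructed sample: four AVC lines copied from the bug report above with the
# syslog prefix dropped (full "Dec 15 ... kernel:" lines parse too; the regex searches).
SAMPLE = """\
audit(1166171360.001:4): avc: denied { search } for pid=2003 comm="irqbalance" name="net" dev=proc ino=-268435432 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1166172201.454:19): avc: denied { relabelto } for pid=3128 comm="chcon" name="irqbalance" dev=dm-0 ino=3746247 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unconfined_t:s0 tclass=file
audit(1166172775.533:6): avc: denied { create } for pid=2001 comm="irqbalance" scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
audit(1166172775.533:8): avc: denied { net_admin } for pid=2001 comm="irqbalance" capability=12 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=capability
"""
CHCON_TS = 1166172201.454  # timestamp of the first chcon denial quoted in the report

AVC_RE = re.compile(r"audit\((?P<ts>\d+\.\d+):\d+\): avc: +denied +\{ (?P<perms>[^}]+)\} for +(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["ts"] = float(m.group("ts"))
    fields["perms"] = m.group("perms").split()  # "{ read write }" carries several
    return fields

def selinux_type(context):
    """user:role:type[:range] -> type; the type is what policy rules key on."""
    return context.split(":")[2]

def denial_keys(text):
    """Yield (ts, (source type, target type, class, permission)) per denied permission."""
    for line in text.splitlines():
        f = parse_avc(line)
        if f is None:
            continue
        for perm in f["perms"]:
            yield f["ts"], (selinux_type(f["scontext"]), selinux_type(f["tcontext"]), f["tclass"], perm)

def summarize(text):
    """Count each distinct denial tuple: the list a policy fix has to cover."""
    return Counter(key for _, key in denial_keys(text))

def new_after(text, cutoff_ts):
    """Denial tuples first seen at or after cutoff_ts and never before it."""
    before = {key for ts, key in denial_keys(text) if ts < cutoff_ts}
    after = {key for ts, key in denial_keys(text) if ts >= cutoff_ts}
    return after - before

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, *key)
    print("new after chcon:", sorted(new_after(SAMPLE, CHCON_TS)))
```

Run against the full grep output from /var/log/messages, the same two functions separate the original irqbalance_t -> proc_net_t search denial from the udp_socket, capability and relabelto denials that only show up after the chcon attempt.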
Fixed in selinux-policy-2.4.6-13
Fixed in current release