Exact version numbers are net-tools-1.60-84.fc8, selinux-policy-3.0.8-44.fc8. The socket is described as "socket [ unix_stream_socket ]". Platform information: "2.6.23.1-42.fc8 #1 SMP". The raw audit message is:
avc: denied { read write } for comm=ifconfig dev=sockfs egid=0 euid=0 exe=/sbin/ifconfig exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=socket:[153815] pid=10618 scontext=system_u:system_r:ifconfig_t:s0 sgid=0 subj=system_u:system_r:ifconfig_t:s0 suid=0 tclass=unix_stream_socket tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=0
Sorry, just found it in the logs - no clue how to reproduce. Hope you can turn it to account, though.
Okay, I can always reproduce the error by just connecting to my wireless network via the "Wireless Assistant 0.5.7". It goes along with denials for dhclient, dhclient-script, consoletype, gawk and restorecon.
This looks like a leaked file descriptor in wireless assistant. Please make sure all open file descriptors are closed on exec. fcntl(fd, F_SETFD, FD_CLOEXEC)
Dan, I'm pretty sure wlassistant is doing this correctly. The only file descriptors being opened are in src/watools.cpp, and this is what the code looks like:
int flags;
flags = fcntl(iw_socket, F_GETFD);           /* read the current descriptor flags */
if (flags == -1) return 0;
flags |= FD_CLOEXEC;                         /* mark the socket close-on-exec */
if (fcntl(iw_socket, F_SETFD, flags) == -1) return 0;
if (iw_socket<0) return 0;
Unless that first fcntl call also needs an FD_CLOEXEC, I'm not sure where we'd be leaking.
What version of wlassistant are you running? Please yum upgrade your system to the latest selinux policy and wlassistant.
yum didn't upgrade wlassistant or selinux policies. Version number is still wlassistant 0.5.7.
What is the rpm version? rpm -q selinux-policy wlassistant
I know there are newer versions of selinux-policy than selinux-policy-3.0.8-44.fc8.
Those are selinux-policy-3.0.8-72.fc8 and wlassistant-0.5.7-4.fc8.
Could you use lsof to see what is listening on this daemon socket:[153815], to see if wlassistant is the problem? BTW this is not a problem from a security point of view. SELinux is closing the descriptor when it execs other apps. Just an annoyance.
Okay. I saw that the audit message above isn't the only one generated on connect. I'll post from the audit.log:
type=AVC msg=audit(1199494649.269:42): avc: denied { write } for pid=4336 comm="dhclient" path="socket:[36634]" dev=sockfs ino=36634 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1199494649.353:43): avc: denied { ioctl } for pid=4337 comm="dhclient-script" path="socket:[36631]" dev=sockfs ino=36631 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1199494649.362:44): avc: denied { read write } for pid=4339 comm="consoletype" path="socket:[36631]" dev=sockfs ino=36631 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1199494649.364:45): avc: denied { getattr } for pid=4339 comm="consoletype" path="socket:[36631]" dev=sockfs ino=36631 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1199494649.365:46): avc: denied { ioctl } for pid=4339 comm="consoletype" path="socket:[36631]" dev=sockfs ino=36631 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1199494649.398:47): avc: denied { getattr } for pid=4351 comm="awk" path="socket:[36634]" dev=sockfs ino=36634 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1199494649.418:48): avc: denied { read write } for pid=4371 comm="restorecon" path="socket:[36631]" dev=sockfs ino=36631 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1199494649.582:49): avc: denied { read write } for pid=4374 comm="ifconfig" path="socket:[36631]" dev=sockfs ino=36631 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1199494653.204:50): avc: denied { read } for pid=4382 comm="dhclient" path="socket:[36772]" dev=sockfs ino=36772 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
The sockets opened by wlassistant BEFORE connection are:
wlassista 3497 root 3u unix 0xdd12d1c0 23034 socket
wlassista 3497 root 8u unix 0xd8671000 23126 socket
And after the connection:
wlassista 3497 root 3u unix 0xdd12d1c0 23034 socket
wlassista 3497 root 8u unix 0xd8671000 23126 socket
wlassista 3497 root 11u unix 0xdcceac40 36705 socket
wlassista 3497 root 12u unix 0xdccea1c0 36706 socket
wlassista 3497 root 14u unix 0xdee8ca80 36708 socket
wlassista 3497 root 18u unix 0xdd3d1700 36638 socket
wlassista 3497 root 19u unix 0xdd3d1c40 36639 socket
Sorry (by the way) for mentioning those other audit messages so late... :( Must have been late when I reported the bug...
Ah, just in case you want to know. Looked for the sockets reported in those audit messages (36631, 36634 and 36772, as far as I see). I can only find:
dhclient 4466 root 10u unix 0xf73191c0 36772 socket
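The correlation the reporter did by hand (which process still holds the socket inode named in each AVC denial), as an added Python example that is not part of the bug report or of wlassistant; the audit lines and lsof rows embedded below are copied from this thread, and an inode with no lsof owner means the descriptor was already closed by the time lsof ran.

```python
import re
from collections import defaultdict

# Three AVC denials and three lsof rows, copied from the bug thread above.
AVC_LINES = """\
type=AVC msg=audit(1199494649.269:42): avc: denied { write } for pid=4336 comm="dhclient" path="socket:[36634]" dev=sockfs ino=36634 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1199494649.353:43): avc: denied { ioctl } for pid=4337 comm="dhclient-script" path="socket:[36631]" dev=sockfs ino=36631 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1199494653.204:50): avc: denied { read } for pid=4382 comm="dhclient" path="socket:[36772]" dev=sockfs ino=36772 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
"""
LSOF_LINES = """\
wlassista 3497 root 3u unix 0xdd12d1c0 23034 socket
wlassista 3497 root 8u unix 0xd8671000 23126 socket
dhclient 4466 root 10u unix 0xf73191c0 36772 socket
"""

# Pull the permission set, comm, socket inode and SELinux contexts out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?ino=(?P<ino>\d+).*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)

def parse_avc(text):
    """Return one dict per AVC denial that names a socket inode."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["ino"] = int(d["ino"])
            d["perms"] = d["perms"].split()
            out.append(d)
    return out

def parse_lsof(text):
    """Map socket inode -> (command, pid, fd) from lsof rows for unix sockets.
    Columns: COMMAND PID USER FD TYPE DEVICE NODE NAME (no SIZE/OFF for sockets)."""
    owners = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[4] == "unix":
            owners[int(f[-2])] = (f[0], int(f[1]), f[3])
    return owners

def correlate(avc_text, lsof_text):
    """Join each denial to the process still holding its inode; inodes with no
    owner were closed (by SELinux at exec, or by the leaker) before lsof ran."""
    owners = parse_lsof(lsof_text)
    matched, unmatched = defaultdict(list), set()
    for d in parse_avc(avc_text):
        if d["ino"] in owners:
            matched[owners[d["ino"]]].append((d["comm"], d["ino"]))
        else:
            unmatched.add(d["ino"])
    return dict(matched), unmatched
```

On the thread's data this leaves only inode 36772 attributable, to dhclient fd 10u, which is exactly what the reporter found.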
Well, it is definitely a leaked file descriptor. Looks like dhclient might be the culprit.
Not seeing this anymore in F-9 or rawhide.