Description of problem:
Very often, when running some commands as root (after su -) from a konsole terminal, I get the following errors:

SELinux is preventing the $command from using potentially mislabeled files (/tmp/kde-${USER}zHTeRF/konsoleat5970.tmp)

where ${USER} is my username and $command is the command I just ran from konsole (I have various of them: iptables, restorecon, httpd, consoletype, dhclient-script, NetworkManager, ifconfig, openvpn, rpc*, and others). In many cases this happens even if I'm just running

service $somewhat start/restart

It seems like a "feature": just preventing konsole from dumping some root-command output to a user-owned tmp file, but sometimes it gets really annoying (every time it happens sealert pops up a notification) - and it cannot be avoided by selecting "do-not-display" in sealert because the name of the tmp file changes every time.

Is there a way to avoid all these error messages? A better way to execute root commands (i.e. an alternative to "su -" from a user session)? I first tried putting restorecon -Rv /tmp in my rc.local script but it seems the same.

Can it be related to the fact I'm using gnome as desktop manager, and then konsole as console app? Some friends with the same setup experienced the same problem, while another using only KDE seems not affected. All of us run Fedora 9.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-95.fc9.noarch
kdebase-4.1.1-1.fc9.i386
Gnome Version: 2.22.3

How reproducible:
Very often, although not every time a command is run.

Steps to Reproduce:
1. log in as a normal user with a gnome session
2. open konsole
3. become root with "su -"
4. start doing root tasks (start/stop services, check firewall status with "iptables -nvL", etc.)

Actual results:
Sometimes SELinux prevents konsole from using its tmp file

Expected results:
- At least, the possibility to turn off notifications (if the behaviour is correct).

Additional info:
Desktop: gnome
Window manager: compiz
The problem here is a leaked file descriptor in konsole. konsole is opening (/tmp/kde-${USER}zHTeRF/konsoleat5970.tmp) and not closing the file descriptor on exec; this means that all confined domains started from console will get handed this open file descriptor and SELinux will close them, while generating the error message. They can be ignored for now, but konsole should execute fcntl(fd, F_SETFD, FD_CLOEXEC) on the file descriptor.
*** This bug has been marked as a duplicate of bug 484370 ***