Bug 466087 - SELinux is preventing the $command from using potentially mislabeled files (/tmp/kde-${USER}zHTeRF/konsoleat5970.tmp)
Status: CLOSED DUPLICATE of bug 484370
Product: Fedora
Classification: Fedora
Component: kdebase
Version: 9
Hardware: i386 Linux
Priority: medium, Severity: low
Assigned To: Ngo Than
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-10-08 04:51 EDT by Giacomo Montagner
Modified: 2009-02-06 09:49 EST
Last Closed: 2009-02-06 09:49:59 EST

Description Giacomo Montagner 2008-10-08 04:51:55 EDT
Description of problem:
Very often, when running some commands as root (after su -) from a konsole terminal, I get the following errors:

SELinux is preventing the $command from using potentially mislabeled files (/tmp/kde-${USER}zHTeRF/konsoleat5970.tmp)

where ${USER} is my username and $command is the command I just ran from konsole (I have various of them: iptables, restorecon, httpd, consoletype, dhclient-script, NetworkManager, ifconfig, openvpn, rpc*, and others).
In many cases this happens even if I'm just running a 
service $somewhat start/restart

It seems like a "feature": just preventing konsole from dumping some root-command output to a user-owned tmp file, but sometimes it gets really annoying (every time it happens sealert pops up a notification) - and it cannot be avoided by selecting "do-not-display" in sealert because the name of the tmp file changes every time.

Is there a way to avoid all these error messages? A better way to execute root commands (i.e. an alternative to "su -" from a user session)?

I first tried putting 
restorecon -Rv /tmp
in my rc.local script but it seems the same. 

Can it be related to the fact I'm using gnome as desktop manager, and then konsole as console app? Some friends with the same setup experienced the same problem, while another using only KDE seems not affected. All of us run Fedora 9.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-95.fc9.noarch
kdebase-4.1.1-1.fc9.i386
Gnome Version: 2.22.3

How reproducible:
Very often, although not every time a command is run. 

Steps to Reproduce:
1. log in as a normal user with a gnome session
2. open konsole
3. become root with "su -"
4. start doing root tasks (start/stop services, check firewall status with "iptables -nvL", etc.)
  
Actual results:
Sometimes SELinux prevents konsole from using its tmp file

Expected results:
- At least, the possibility to turn off notifications (if the behaviour is correct). 

Additional info:
Desktop: gnome
Window manager: compiz
Comment 1 Daniel Walsh 2008-10-08 17:42:21 EDT
The problem here is a leaked file descriptor in konsole.

konsole is opening

(/tmp/kde-${USER}zHTeRF/konsoleat5970.tmp)

And not closing the file descriptor on exec. This means that all confined domains started from console will get handed this open file descriptor, and SELinux will close them while generating the error message.

They can be ignored for now, but konsole should execute

fcntl(fd, F_SETFD, FD_CLOEXEC)

on the file descriptor.
Comment 2 Steven M. Parrish 2009-02-06 09:49:59 EST

*** This bug has been marked as a duplicate of bug 484370 ***
