Description of problem: Running restorecon as non-root generates AVC denial Version-Release number of selected component (if applicable): selinux-policy-targeted-3.5.13-26.fc10.noarch How reproducible: Everytime Steps to Reproduce: 1. Log in with non-root account 2. Run restorecon (no args needed) Actual results: AVC denial generated Expected results: Wouldn't expect an AVC denial Additional info: Source Context: unconfined_u:unconfined_r:setfiles_t:s0Target Context: unconfined_u:unconfined_r:unconfined_t:s0Target Objects: socket [ unix_stream_socket ]Source: restoreconSource Path: /sbin/setfilesPort: <Unknown>Host: vienna.oxsemi.comSource RPM Packages: policycoreutils-2.0.57-11.fc10Target RPM Packages: Policy RPM: selinux-policy-3.5.13-26.fc10Selinux Enabled: TruePolicy Type: targetedMLS Enabled: TrueEnforcing Mode: EnforcingPlugin Name: catchallHost Name: vienna.oxsemi.comPlatform: Linux vienna.oxsemi.com 2.6.27.5-117.fc10.x86_64 #1 SMP Tue Nov 18 11:58:53 EST 2008 x86_64 x86_64Alert Count: 2First Seen: Fri 05 Dec 2008 14:21:41 GMTLast Seen: Fri 05 Dec 2008 14:25:47 GMTLocal ID: 4f867c4d-2757-4df4-8dd3-49aca0492a61Line Numbers: Raw Audit Messages :node=vienna.oxsemi.com type=AVC msg=audit(1228487147.576:305): avc: denied { read write } for pid=10416 comm="restorecon" path="socket:[10359]" dev=sockfs ino=10359 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket node=vienna.oxsemi.com type=AVC msg=audit(1228487147.576:305): avc: denied { read write } for pid=10416 comm="restorecon" path="socket:[10435]" dev=sockfs ino=10435 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket node=vienna.oxsemi.com type=AVC msg=audit(1228487147.576:305): avc: denied { read write } for pid=10416 comm="restorecon" path="socket:[10359]" dev=sockfs ino=10359 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket node=vienna.oxsemi.com type=AVC msg=audit(1228487147.576:305): avc: denied { read write } for pid=10416 comm="restorecon" path="socket:[10359]" dev=sockfs ino=10359 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket node=vienna.oxsemi.com type=AVC msg=audit(1228487147.576:305): avc: denied { read write } for pid=10416 comm="restorecon" path="socket:[10359]" dev=sockfs ino=10359 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket node=vienna.oxsemi.com type=SYSCALL msg=audit(1228487147.576:305): arch=c000003e syscall=59 success=yes exit=0 a0=7fffde7c9980 a1=7fffde7cac30 a2=7fffde7cac40 a3=7fffde7c9660 items=0 ppid=10415 pid=10416 auid=1015 uid=1015 gid=1000 euid=1015 suid=1015 fsuid=1015 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0 key=(null)
Are you running this on a konsole? if yes this is a leaked file descriptor in the kdelibs or kde tools and needs to be fixed in their apps.
It is a konsole. Reassigning to kdebase since that's where konsole lives.
*** This bug has been marked as a duplicate of bug 484370 ***