Bug 474819 - Running restorecon as non-root generates AVC denial
Status: CLOSED DUPLICATE of bug 484370
Product: Fedora
Classification: Fedora
Component: kdebase
10
All Linux
low Severity medium
Assigned To: Ngo Than
Ben Levenson
Reported: 2008-12-05 09:29 EST by Paul Black
Modified: 2009-02-06 09:51 EST (History)
Doc Type: Bug Fix
Last Closed: 2009-02-06 09:51:11 EST
Description Paul Black 2008-12-05 09:29:00 EST
Description of problem:
Running restorecon as non-root generates AVC denial


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.13-26.fc10.noarch

How reproducible:
Every time


Steps to Reproduce:
1. Log in with non-root account
2. Run restorecon (no args needed)

  
Actual results:
AVC denial generated


Expected results:
Wouldn't expect an AVC denial


Additional info:
Source Context:  unconfined_u:unconfined_r:setfiles_t:s0
Target Context:  unconfined_u:unconfined_r:unconfined_t:s0
Target Objects:  socket [ unix_stream_socket ]
Source:  restorecon
Source Path:  /sbin/setfiles
Port:  <Unknown>
Host:  vienna.oxsemi.com
Source RPM Packages:  policycoreutils-2.0.57-11.fc10
Target RPM Packages:
Policy RPM:  selinux-policy-3.5.13-26.fc10
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall
Host Name:  vienna.oxsemi.com
Platform:  Linux vienna.oxsemi.com 2.6.27.5-117.fc10.x86_64 #1 SMP Tue Nov 18 11:58:53 EST 2008 x86_64 x86_64
Alert Count:  2
First Seen:  Fri 05 Dec 2008 14:21:41 GMT
Last Seen:  Fri 05 Dec 2008 14:25:47 GMT
Local ID:  4f867c4d-2757-4df4-8dd3-49aca0492a61
Line Numbers:

Raw Audit Messages:

node=vienna.oxsemi.com type=AVC msg=audit(1228487147.576:305): avc: denied { read write } for pid=10416 comm="restorecon" path="socket:[10359]" dev=sockfs ino=10359 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=vienna.oxsemi.com type=AVC msg=audit(1228487147.576:305): avc: denied { read write } for pid=10416 comm="restorecon" path="socket:[10435]" dev=sockfs ino=10435 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=vienna.oxsemi.com type=AVC msg=audit(1228487147.576:305): avc: denied { read write } for pid=10416 comm="restorecon" path="socket:[10359]" dev=sockfs ino=10359 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=vienna.oxsemi.com type=AVC msg=audit(1228487147.576:305): avc: denied { read write } for pid=10416 comm="restorecon" path="socket:[10359]" dev=sockfs ino=10359 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=vienna.oxsemi.com type=AVC msg=audit(1228487147.576:305): avc: denied { read write } for pid=10416 comm="restorecon" path="socket:[10359]" dev=sockfs ino=10359 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=vienna.oxsemi.com type=SYSCALL msg=audit(1228487147.576:305): arch=c000003e syscall=59 success=yes exit=0 a0=7fffde7c9980 a1=7fffde7cac30 a2=7fffde7cac40 a3=7fffde7c9660 items=0 ppid=10415 pid=10416 auid=1015 uid=1015 gid=1000 euid=1015 suid=1015 fsuid=1015 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0 key=(null)
Comment 1 Daniel Walsh 2008-12-08 08:54:44 EST
Are you running this on a konsole? If yes, this is a leaked file descriptor in the kdelibs or kde tools and needs to be fixed in their apps.
Comment 2 Paul Black 2008-12-08 09:06:29 EST
It is a konsole. Reassigning to kdebase since that's where konsole lives.
Comment 3 Steven M. Parrish 2009-02-06 09:51:11 EST

*** This bug has been marked as a duplicate of bug 484370 ***
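
The denials in this report all belong to one audit event that also carries an execve record (arch=c000003e syscall=59), which is what a descriptor inherited from the parent process looks like in the log, as Comment 1 diagnoses. The following triage script is an added example, not part of the bug report or of any project's code: its heuristic (execve event plus read/write/append denied on a `socket:[N]` or `pipe:[N]` path) and all function names are assumptions, and event 306 in the sample is constructed as a non-matching control.

```python
import re
from collections import defaultdict

EXECVE = {("c000003e", "59"), ("40000003", "11")}  # (arch, syscall): x86_64, i386
FD_PERMS = {"read", "write", "append"}             # what use of an open fd needs
EVENT = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
ANON = re.compile(r"^(socket|pipe):\[\d+\]$")      # fd with no filesystem path

# Event 305 is copied from the report above; event 306 is constructed.
SAMPLE = """\
node=vienna.oxsemi.com type=AVC msg=audit(1228487147.576:305): avc: denied { read write } for pid=10416 comm="restorecon" path="socket:[10359]" dev=sockfs ino=10359 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=vienna.oxsemi.com type=AVC msg=audit(1228487147.576:305): avc: denied { read write } for pid=10416 comm="restorecon" path="socket:[10435]" dev=sockfs ino=10435 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=vienna.oxsemi.com type=AVC msg=audit(1228487147.576:305): avc: denied { read write } for pid=10416 comm="restorecon" path="socket:[10359]" dev=sockfs ino=10359 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
node=vienna.oxsemi.com type=SYSCALL msg=audit(1228487147.576:305): arch=c000003e syscall=59 success=yes exit=0 a0=7fffde7c9980 a1=7fffde7cac30 a2=7fffde7cac40 a3=7fffde7c9660 items=0 ppid=10415 pid=10416 auid=1015 uid=1015 gid=1000 euid=1015 suid=1015 fsuid=1015 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0 key=(null)
node=example type=AVC msg=audit(1228487200.100:306): avc: denied { getattr } for pid=10500 comm="example" path="/tmp/example" dev=dm-0 ino=42 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
node=example type=SYSCALL msg=audit(1228487200.100:306): arch=c000003e syscall=4 success=no exit=-13 pid=10500 comm="example" exe="/bin/example"
"""

def fields(line):
    """Return the key=value pairs of one audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def leaked_fd_denials(log):
    """Map event id -> unique (comm, path, source_type, target_type) tuples for
    denials that look like descriptors inherited across an execve."""
    events = defaultdict(lambda: {"exec": False, "avc": []})
    for line in log.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        rtype, event_id = m.groups()
        f = fields(line)
        if rtype == "SYSCALL":
            events[event_id]["exec"] |= (f.get("arch"), f.get("syscall")) in EXECVE
        elif rtype == "AVC":
            p = PERMS.search(line)
            if p and set(p.group(1).split()) <= FD_PERMS and ANON.match(f.get("path", "")):
                hit = (f["comm"], f["path"],
                       f["scontext"].split(":")[2], f["tcontext"].split(":")[2])
                if hit not in events[event_id]["avc"]:
                    events[event_id]["avc"].append(hit)
    return {e: v["avc"] for e, v in events.items() if v["exec"] and v["avc"]}

if __name__ == "__main__":
    for event_id, hits in leaked_fd_denials(SAMPLE).items():
        for comm, path, src, tgt in hits:
            print(f"{event_id}: {comm} ({src}) inherited {path} labeled {tgt}")
```

The target type in each hit (here `unconfined_t`) is the label of the process that created the socket, which points at the parent application holding the descriptor open rather than at the policy for the command that was run.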