Bug 477508 - konsole leaks file descriptors: AVC denials when starting network
konsole leaks file descriptors: AVC denials when starting network
Status: CLOSED DUPLICATE of bug 484370
Product: Fedora
Classification: Fedora
Component: kdebase (Show other bugs)
10
All Linux
low Severity medium
: ---
: ---
Assigned To: Ngo Than
Fedora Extras Quality Assurance
:
: 470170 477892 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-12-21 05:28 EST by Gilboa Davara
Modified: 2009-02-06 09:51 EST (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-02-06 09:51:46 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Gilboa Davara 2008-12-21 05:28:28 EST
Description of problem:
Start network (/etc/init.d/network start) manually. (NM disabled). multiple AVC denials in ip.
restorecon -Rv /etc /var /tmp didn't change anything.

Version-Release number of selected component (if applicable):
$ rpm -qa selinux\*
selinux-policy-targeted-3.5.13-30.fc10.noarch
selinux-policy-3.5.13-30.fc10.noarch

How reproducible:
Always.

$ cat /var/log/messages | grep ifconfig_t
Dec 21 11:16:41 gilboa-work-lap setroubleshoot: SELinux is preventing ip (ifconfig_t) "read write" unconfined_t. For complete SELinux messages. run sealert -l 7053d9d7-c99e-406a-a55c-4ee864892f71                                                             
Dec 21 11:16:41 gilboa-work-lap setroubleshoot: SELinux is preventing ip (ifconfig_t) "read write" unconfined_t. For complete SELinux messages. run sealert -l 7053d9d7-c99e-406a-a55c-4ee864892f71
...
Dec 21 12:18:21 gilboa-work-lap setroubleshoot: SELinux is preventing ip (ifconfig_t) "read write" unconfined_t. For complete SELinux messages. run sealert -l 02aeea0e-8f4a-4db7-b9a0-31a1a147f14a                                                             

$ sealert -l 02aeea0e-8f4a-4db7-b9a0-31a1a147f14a                                       

Summary:

SELinux is preventing ip (ifconfig_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by ip. It is not expected that this access is
required by ip and this access may signal an intrusion attempt. It is also   
possible that the specific version or configuration of the application is    
causing it to require additional access.                                     

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)   
against this package.                                                          

Additional Information:

Source Context                unconfined_u:system_r:ifconfig_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023                                               
Target Objects                socket [ unix_stream_socket ]                     
Source                        ip                                                
Source Path                   /sbin/ip                                          
Port                          <Unknown>                                         
Host                          gilboa-work-lap                                   
Source RPM Packages           iproute-2.6.27-1.fc10                             
Target RPM Packages                                                             
Policy RPM                    selinux-policy-3.5.13-30.fc10                     
Selinux Enabled               True                                              
Policy Type                   targeted                                          
MLS Enabled                   True                                              
Enforcing Mode                Enforcing                                         
Plugin Name                   catchall                                          
Host Name                     gilboa-work-lap                                   
Platform                      Linux gilboa-work-lap 2.6.27.7-134.fc10.x86_64 #1 
                              SMP Mon Dec 1 22:21:35 EST 2008 x86_64 x86_64     
Alert Count                   105                                               
First Seen                    Sun Dec 21 12:17:35 2008                          
Last Seen                     Sun Dec 21 12:18:17 2008                          
Local ID                      02aeea0e-8f4a-4db7-b9a0-31a1a147f14a              
Line Numbers                                                                    

Raw Audit Messages            

node=gilboa-work-lap type=AVC msg=audit(1229854697.774:4591): avc:  denied  { read write } for  pid=31815 comm="ip" path="socket:[16536]" dev=sockfs ino=16536 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket                                                                                            

node=gilboa-work-lap type=AVC msg=audit(1229854697.774:4591): avc:  denied  { read write } for  pid=31815 comm="ip" path="socket:[16614]" dev=sockfs ino=16614 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=gilboa-work-lap type=AVC msg=audit(1229854697.774:4591): avc:  denied  { read write } for  pid=31815 comm="ip" path="socket:[16776]" dev=sockfs ino=16776 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=gilboa-work-lap type=AVC msg=audit(1229854697.774:4591): avc:  denied  { read } for  pid=31815 comm="ip" path="/tmp/kde-gilboa/konsoleX18287.tmp" dev=dm-0 ino=139376 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

node=gilboa-work-lap type=AVC msg=audit(1229854697.774:4591): avc:  denied  { read } for  pid=31815 comm="ip" path="/tmp/kde-gilboa/konsoleh18287.tmp" dev=dm-0 ino=139377 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

node=gilboa-work-lap type=AVC msg=audit(1229854697.774:4591): avc:  denied  { read } for  pid=31815 comm="ip" path="/tmp/kde-gilboa/konsoleL18287.tmp" dev=dm-0 ino=139395 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

node=gilboa-work-lap type=AVC msg=audit(1229854697.774:4591): avc:  denied  { read write } for  pid=31815 comm="ip" path="socket:[108109]" dev=sockfs ino=108109 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=gilboa-work-lap type=SYSCALL msg=audit(1229854697.774:4591): arch=c000003e syscall=59 success=yes exit=0 a0=9e0e30 a1=98dbf0 a2=9e16f0 a3=8 items=0 ppid=31804 pid=31815 auid=800 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/sbin/ip" subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
Comment 1 Daniel Walsh 2008-12-22 10:58:15 EST
Leaked file descriptors in konsole.  All file descriptors should be closed on exec.
Comment 2 Gilboa Davara 2008-12-23 07:43:41 EST
Not sure it's konsole.
I managed to reproduce this bug by using xterm.

$ /etc/init.d/network restart
...

$ tail /var/log/messages | grep ip
Dec 23 14:38:53 gilboa-work-lap setroubleshoot: SELinux is preventing ip (ifconfig_t) "read write" unconfined_t. For complete SELinux messages. run sealert -l fee14800-3fee-4381-9541-68be04e7c68e
...
Dec 23 14:38:55 gilboa-work-lap setroubleshoot: SELinux is preventing ip (ifconfig_t) "read write" unconfined_t. For complete SELinux messages. run sealert -l fee14800-3fee-4381-9541-68be04e7c68e

$ sealert -l fee14800-3fee-4381-9541-68be04e7c68e

Summary:

SELinux is preventing ip (ifconfig_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by ip. It is not expected that this access is
required by ip and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:ifconfig_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                socket [ unix_stream_socket ]
Source                        ip
Source Path                   /sbin/ip
Port                          <Unknown>
Host                          gilboa-work-lap
Source RPM Packages           iproute-2.6.27-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-30.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gilboa-work-lap
Platform                      Linux gilboa-work-lap 2.6.27.7-134.fc10.x86_64 #1
                              SMP Mon Dec 1 22:21:35 EST 2008 x86_64 x86_64
Alert Count                   150
First Seen                    Tue Dec 23 14:38:01 2008
Last Seen                     Tue Dec 23 14:38:50 2008
Local ID                      fee14800-3fee-4381-9541-68be04e7c68e
Line Numbers                  

Raw Audit Messages            

node=gilboa-work-lap type=AVC msg=audit(1230035930.927:1601): avc:  denied  { read write } for  pid=11921 comm="ip" path="socket:[19177]" dev=sockfs ino=19177 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=gilboa-work-lap type=AVC msg=audit(1230035930.927:1601): avc:  denied  { read write } for  pid=11921 comm="ip" path="socket:[77432]" dev=sockfs ino=77432 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=gilboa-work-lap type=SYSCALL msg=audit(1230035930.927:1601): arch=c000003e syscall=59 success=yes exit=0 a0=1586c10 a1=1533af0 a2=15874d0 a3=8 items=0 ppid=11910 pid=11921 auid=800 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="ip" exe="/sbin/ip" subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
Comment 3 Gilboa Davara 2008-12-23 07:47:07 EST
P.S. I'm getting the same error on brctl, dhclient and arp - they all complained about "SELinux is preventing XXX (xxx_t) "read write" unconfined_t. (My network configuration uses private/public Ethernet bridge - one of them w/ DHCP)

- Gilboa
Comment 4 Rex Dieter 2008-12-23 10:00:15 EST
CC'ing dwalsh again, see comment #2 about this being reproducible with xterm too.
Comment 5 Daniel Walsh 2008-12-23 11:15:59 EST
Yes they are being leaked at a higher level in the kdebase. 

At the konsole or xterm do a 

ls -l /proc/self/fd

There should only be 0,1,2 fds open. 

If you think about it why would scripts/exes like dhclient or ifconfig be trying to access unix_stream_sockets owned by logged in users.  The only reason would  be if there was a leaked file descriptor.
Comment 6 Gilboa Davara 2008-12-23 11:58:53 EST
xterm:
$ ls -l /proc/self/fd
total 0
lrwx------ 1 gilboa users 64 2008-12-23 18:54 0 -> /dev/pts/2
lrwx------ 1 gilboa users 64 2008-12-23 18:54 1 -> /dev/pts/2
lrwx------ 1 gilboa users 64 2008-12-23 18:54 13 -> socket:[77432]
lrwx------ 1 gilboa users 64 2008-12-23 18:54 2 -> /dev/pts/2
lr-x------ 1 gilboa users 64 2008-12-23 18:54 3 -> /proc/16742/fd
lrwx------ 1 gilboa users 64 2008-12-23 18:54 9 -> socket:[19177]

konsole:
$ ls -l /proc/self/fd
total 0
lrwx------ 1 gilboa users 64 2008-12-23 18:54 0 -> /dev/pts/1
lrwx------ 1 gilboa users 64 2008-12-23 18:54 1 -> /dev/pts/1
lrwx------ 1 gilboa users 64 2008-12-23 18:54 13 -> socket:[19347]
lrwx------ 1 gilboa users 64 2008-12-23 18:54 15 -> /tmp/kde-gilboa/konsoleX16664.tmp
lrwx------ 1 gilboa users 64 2008-12-23 18:54 16 -> /tmp/kde-gilboa/konsoleh16664.tmp
lrwx------ 1 gilboa users 64 2008-12-23 18:54 17 -> /tmp/kde-gilboa/konsoleL16664.tmp
lrwx------ 1 gilboa users 64 2008-12-23 18:54 2 -> /dev/pts/1
lr-x------ 1 gilboa users 64 2008-12-23 18:54 3 -> /proc/16744/fd
lrwx------ 1 gilboa users 64 2008-12-23 18:54 4 -> socket:[19100]
lrwx------ 1 gilboa users 64 2008-12-23 18:54 9 -> socket:[19177]

P.S. Both terminals are freshly open (using Alt-F2) and started from a fresh GDM to KDE login.

- Gilboa
Comment 7 Daniel Walsh 2008-12-24 06:28:40 EST
Open descriptors 0,1,2 using the terminal are legitimate.  3 reading /proc/*/fd is also ok since this is what the ls command is doing.  But the others are leaks.  When you start a confined application, SELinux looks at the open file descriptors passed to the application and closes the ones the app is not allowed to have access to.  And prints the avc messages you see on your system.  kdebase should close all open descriptors on exec, using the fcntl(fd, F_SETFD, FD_CLOEXEC) function.
Comment 8 Gilboa Davara 2008-12-25 11:55:56 EST
OK. I understand.
I'll try and investigate what are the sockets passed by kdebase (krunner?) to both xterm and konsole and to whom they originaly belonged (kdeinit?), as I cannot reproduce this on another machine.

- Gilboa
Comment 9 Gilboa Davara 2008-12-28 12:29:36 EST
It indeed looks like a KDE only issue.
The offending sockets are shared by all KDE processes.
No idea who's the parent, though.

Never the less, what comes next? Report the bug against kdebase?

- Gilboa
Comment 10 Daniel Walsh 2009-01-04 12:39:04 EST
This bug is owned by kdebase.
Comment 11 Steven M. Parrish 2009-01-09 15:09:37 EST
*** Bug 477892 has been marked as a duplicate of this bug. ***
Comment 12 Steven M. Parrish 2009-01-09 16:09:45 EST
*** Bug 470170 has been marked as a duplicate of this bug. ***
Comment 13 Steven M. Parrish 2009-02-04 12:36:16 EST
Thank you for the bug report.  This issue needs to be addressed by the upstream developers.  Please submit a report at http://bugs.kde.org. You are requested to add the bugzilla link here for tracking purposes. Please make sure the bug isn't already in the upstream bug tracker before filing it.
Comment 14 Steven M. Parrish 2009-02-06 09:51:46 EST

*** This bug has been marked as a duplicate of bug 484370 ***

Note You need to log in before you can comment on or make changes to this bug.