Leaked file descriptors in konsole.  All file descriptors should be closed on exec.

Not sure it's konsole.
I managed to reproduce this bug by using xterm.

$ /etc/init.d/network restart
...

$ tail /var/log/messages | grep ip
Dec 23 14:38:53 gilboa-work-lap setroubleshoot: SELinux is preventing ip (ifconfig_t) "read write" unconfined_t. For complete SELinux messages. run sealert -l fee14800-3fee-4381-9541-68be04e7c68e
...
Dec 23 14:38:55 gilboa-work-lap setroubleshoot: SELinux is preventing ip (ifconfig_t) "read write" unconfined_t. For complete SELinux messages. run sealert -l fee14800-3fee-4381-9541-68be04e7c68e

$ sealert -l fee14800-3fee-4381-9541-68be04e7c68e

Summary:

SELinux is preventing ip (ifconfig_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by ip. It is not expected that this access is
required by ip and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:ifconfig_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                socket [ unix_stream_socket ]
Source                        ip
Source Path                   /sbin/ip
Port                          <Unknown>
Host                          gilboa-work-lap
Source RPM Packages           iproute-2.6.27-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-30.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gilboa-work-lap
Platform                      Linux gilboa-work-lap 2.6.27.7-134.fc10.x86_64 #1
                              SMP Mon Dec 1 22:21:35 EST 2008 x86_64 x86_64
Alert Count                   150
First Seen                    Tue Dec 23 14:38:01 2008
Last Seen                     Tue Dec 23 14:38:50 2008
Local ID                      fee14800-3fee-4381-9541-68be04e7c68e
Line Numbers                  

Raw Audit Messages            

node=gilboa-work-lap type=AVC msg=audit(1230035930.927:1601): avc:  denied  { read write } for  pid=11921 comm="ip" path="socket:[19177]" dev=sockfs ino=19177 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=gilboa-work-lap type=AVC msg=audit(1230035930.927:1601): avc:  denied  { read write } for  pid=11921 comm="ip" path="socket:[77432]" dev=sockfs ino=77432 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=gilboa-work-lap type=SYSCALL msg=audit(1230035930.927:1601): arch=c000003e syscall=59 success=yes exit=0 a0=1586c10 a1=1533af0 a2=15874d0 a3=8 items=0 ppid=11910 pid=11921 auid=800 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="ip" exe="/sbin/ip" subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)

P.S. I'm getting the same error on brctl, dhclient and arp - they all complained about "SELinux is preventing XXX (xxx_t) "read write" unconfined_t. (My network configuration uses private/public Ethernet bridge - one of them w/ DHCP)

- Gilboa

CC'ing dwalsh again, see comment #2 about this being reproducible with xterm too.

Yes they are being leaked at a higher level in the kdebase. 

At the konsole or xterm do a 

ls -l /proc/self/fd

There should only be 0,1,2 fds open. 

If you think about it why would scripts/exes like dhclient or ifconfig be trying to access unix_stream_sockets owned by logged in users.  The only reason would  be if there was a leaked file descriptor.

xterm:
$ ls -l /proc/self/fd
total 0
lrwx------ 1 gilboa users 64 2008-12-23 18:54 0 -> /dev/pts/2
lrwx------ 1 gilboa users 64 2008-12-23 18:54 1 -> /dev/pts/2
lrwx------ 1 gilboa users 64 2008-12-23 18:54 13 -> socket:[77432]
lrwx------ 1 gilboa users 64 2008-12-23 18:54 2 -> /dev/pts/2
lr-x------ 1 gilboa users 64 2008-12-23 18:54 3 -> /proc/16742/fd
lrwx------ 1 gilboa users 64 2008-12-23 18:54 9 -> socket:[19177]

konsole:
$ ls -l /proc/self/fd
total 0
lrwx------ 1 gilboa users 64 2008-12-23 18:54 0 -> /dev/pts/1
lrwx------ 1 gilboa users 64 2008-12-23 18:54 1 -> /dev/pts/1
lrwx------ 1 gilboa users 64 2008-12-23 18:54 13 -> socket:[19347]
lrwx------ 1 gilboa users 64 2008-12-23 18:54 15 -> /tmp/kde-gilboa/konsoleX16664.tmp
lrwx------ 1 gilboa users 64 2008-12-23 18:54 16 -> /tmp/kde-gilboa/konsoleh16664.tmp
lrwx------ 1 gilboa users 64 2008-12-23 18:54 17 -> /tmp/kde-gilboa/konsoleL16664.tmp
lrwx------ 1 gilboa users 64 2008-12-23 18:54 2 -> /dev/pts/1
lr-x------ 1 gilboa users 64 2008-12-23 18:54 3 -> /proc/16744/fd
lrwx------ 1 gilboa users 64 2008-12-23 18:54 4 -> socket:[19100]
lrwx------ 1 gilboa users 64 2008-12-23 18:54 9 -> socket:[19177]

P.S. Both terminals are freshly open (using Alt-F2) and started from a fresh GDM to KDE login.

- Gilboa

Open descriptors 0,1,2 using the terminal are legitimate.  3 reading /proc/*/fd is also ok since this is what the ls command is doing.  But the others are leaks.  When you start a confined application, SELinux looks at the open file descriptors passed to the application and closes the ones the app is not allowed to have access to.  And prints the avc messages you see on your system.  kdebase should close all open descriptors on exec, using the fcntl(fd, F_SETFD, FD_CLOEXEC) function.

OK. I understand.
I'll try and investigate what are the sockets passed by kdebase (krunner?) to both xterm and konsole and to whom they originaly belonged (kdeinit?), as I cannot reproduce this on another machine.

- Gilboa

It indeed looks like a KDE only issue.
The offending sockets are shared by all KDE processes.
No idea who's the parent, though.

Never the less, what comes next? Report the bug against kdebase?

- Gilboa

This bug is owned by kdebase.

*** Bug 477892 has been marked as a duplicate of this bug. ***

*** Bug 470170 has been marked as a duplicate of this bug. ***

Thank you for the bug report.  This issue needs to be addressed by the upstream developers.  Please submit a report at http://bugs.kde.org. You are requested to add the bugzilla link here for tracking purposes. Please make sure the bug isn't already in the upstream bug tracker before filing it.

*** This bug has been marked as a duplicate of bug 484370 ***