491462 – AVC denials when restarting mysqld, network (possibly more)

Bug 491462 - AVC denials when restarting mysqld, network (possibly more)

Summary: AVC denials when restarting mysqld, network (possibly more)

Keywords:
Status:	CLOSED DUPLICATE of bug 484370
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kdebase
Sub Component:
Version:	10
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Than Ngo
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-03-21 12:03 UTC by Viktor Erdelyi
Modified:	2009-04-13 19:12 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2009-04-13 19:12:35 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
alert 1 (5.58 KB, text/plain) 2009-03-21 12:03 UTC, Viktor Erdelyi	no flags	Details
Alert 2 (5.59 KB, text/plain) 2009-03-21 12:04 UTC, Viktor Erdelyi	no flags	Details
Alert 3 (5.64 KB, text/plain) 2009-03-21 12:04 UTC, Viktor Erdelyi	no flags	Details
Alert 4 (2.83 KB, text/plain) 2009-03-21 12:04 UTC, Viktor Erdelyi	no flags	Details
Alert 5 (2.27 KB, text/plain) 2009-03-21 12:05 UTC, Viktor Erdelyi	no flags	Details
Mysqld alerts in one file (19.57 KB, text/plain) 2009-03-21 12:06 UTC, Viktor Erdelyi	no flags	Details
View All

Description Viktor Erdelyi 2009-03-21 12:03:46 UTC

Created attachment 336151 [details]
alert 1

Description of problem:
I'm getting loads of AVC denials when I restart a service from a root prompt.

How reproducible:
always

Steps to Reproduce:
Restart a service (/etc/init.d/whatever restart)
Examples attached: mysqld, network
Reproducible with sshd too.
  
Version:
selinux-policy-3.5.13-48.fc10.noarch

Comment 1 Viktor Erdelyi 2009-03-21 12:04:17 UTC

Created attachment 336153 [details]
Alert 2

Comment 2 Viktor Erdelyi 2009-03-21 12:04:35 UTC

Created attachment 336154 [details]
Alert 3

Comment 3 Viktor Erdelyi 2009-03-21 12:04:57 UTC

Created attachment 336155 [details]
Alert 4

Comment 4 Viktor Erdelyi 2009-03-21 12:05:16 UTC

Created attachment 336156 [details]
Alert 5

Comment 5 Viktor Erdelyi 2009-03-21 12:06:32 UTC

Created attachment 336157 [details]
Mysqld alerts in one file

Comment 6 Miroslav Grepl 2009-03-23 12:50:14 UTC

It looks like that Alert 1,2,3 (partly mysqld alert) issues are caused by a leaked file descriptor in the console used to restart the daemon.

Are you using a Konsole terminal?


Alert 5 issue is a bug in kdebase.  The kdm login program thinks it's home dir is / so it is trying to create /.kde in the root directory.


Myslqd_safe_t issues are fixed in selinux-policy-3.5.13-51.fc10

Comment 7 Viktor Erdelyi 2009-03-23 13:34:51 UTC

Yes, I'm using Konsole. But if I use system-config-services to restart them, I don't get the AVCs.

Comment 8 Miroslav Grepl 2009-03-24 12:18:03 UTC

Ok, then it is caused by a leaked file descriptor in konsole/kdebase, which has been reported to them several times.

You can create a policy .te file like the following

cat > kdeleaks.te << __eof
policy_module(kdeleaks, 1.0)

require {
	type unconfined_t;
	attribute domain;
	class unix_stream_socket { read write };
}

#============= dhcpc_t ==============
dontaudit domain unconfined_t:unix_stream_socket { read write };

__eof
# make -f /usr/share/selinux/devel/Makefile
# semodule -i kdeleaks.pp

Comment 9 Rex Dieter 2009-04-13 19:12:35 UTC


*** This bug has been marked as a duplicate of bug 484370 ***

Note You need to log in before you can comment on or make changes to this bug.