Bug 521396 - setroubleshoot: SELinux is preventing ldconfig "read" access to to a leaked file descriptor on console
Summary: setroubleshoot: SELinux is preventing ldconfig "read" access to to a lea...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:0ae06fbdd8b...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-09-05 14:37 UTC by Nicolas Mailhot
Modified: 2009-11-16 19:39 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-11-16 19:39:21 UTC


Attachments (Terms of Use)

Description Nicolas Mailhot 2009-09-05 14:37:23 UTC
The following was filed automatically by setroubleshoot:

Résumé:

SELinux is preventing ldconfig "read" access to to a leaked file descriptor on
console

Description détaillée:

[ldconfig has a permissive type (ldconfig_t). This access was not denied.]

SELinux denied access requested by the ldconfig command. It looks like this is
either a leaked descriptor or ldconfig output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the console. You should generate a bugzilla on selinux-policy, and it will get
routed to the appropriate package. You can safely ignore this avc.

Autoriser l'accès:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Informations complémentaires:

Contexte source               unconfined_u:system_r:ldconfig_t:s0-s0:c0.c1023
Contexte cible                system_u:object_r:console_device_t:s0
Objets du contexte            console [ chr_file ]
source                        ldconfig
Chemin de la source           /sbin/ldconfig
Port                          <Inconnu>
Hôte                         (removed)
Paquetages RPM source         glibc-2.10.90-20
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.30-2.fc12
Selinux activé               True
Type de politique             targeted
MLS activé                   True
Mode strict                   Enforcing
Nom du plugin                 leaks
Nom de l'hôte                (removed)
Plateforme                    Linux (removed) 2.6.31-0.138.rc5.git3.fc12.x86_64
                              #1 SMP Thu Aug 6 16:59:15 EDT 2009 x86_64 x86_64
Compteur d'alertes            26
Première alerte              sam. 05 sept. 2009 15:39:31 CEST
Dernière alerte              sam. 05 sept. 2009 15:56:29 CEST
ID local                      63f3eb8f-fc68-4b6a-8ed9-403cb29b4a8f
Numéros des lignes           

Messages d'audit bruts        

node=(removed) type=AVC msg=audit(1252158989.157:256): avc:  denied  { read } for  pid=17569 comm="ldconfig" name="console" dev=tmpfs ino=1052 scontext=unconfined_u:system_r:ldconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1252158989.157:256): arch=c000003e syscall=59 success=yes exit=0 a0=12310f70 a1=1241b570 a2=7fffc002abf8 a3=20 items=0 ppid=7339 pid=17569 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="ldconfig" exe="/sbin/ldconfig" subj=unconfined_u:system_r:ldconfig_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= ldconfig_t ==============
allow ldconfig_t console_device_t:chr_file read;

Comment 1 Bug Zapper 2009-11-16 11:59:10 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 2 Daniel Walsh 2009-11-16 19:39:21 UTC
Fixed in current release.


Note You need to log in before you can comment on or make changes to this bug.