Bug 521780 - setroubleshoot: SELinux is preventing restorecon "read write" access to to a leaked file descriptor on socket
Summary: setroubleshoot: SELinux is preventing restorecon "read write" access to ...
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:d25c940efd8...
Depends On:
Blocks:
 
Reported: 2009-09-08 09:55 UTC by Matěj Cepl
Modified: 2018-04-11 19:02 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-09 21:25:33 UTC



Description Matěj Cepl 2009-09-08 09:55:51 UTC
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing restorecon "read write" access to to a leaked file
descriptor on socket

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the restorecon command. It looks like this is
either a leaked descriptor or restorecon output was redirected to a file it is
not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the socket. You should generate a bugzilla on selinux-policy, and it
will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:setfiles_t:s0-s0:c0.c1023
Target Context                system_u:system_r:initrc_t:s0-s0:c0.c1023
Target Objects                socket [ unix_dgram_socket ]
Source                        restorecon
Source Path                   /sbin/setfiles
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           policycoreutils-2.0.71-15.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.30-4.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31-0.204.rc9.fc12.x86_64 #1 SMP
                              Sat Sep 5 20:45:55 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 8 Sep 2009, 11:44:31 CEST
Last Seen                     Tue 8 Sep 2009, 11:44:31 CEST
Local ID                      8b4b5f9b-b43a-4099-af05-86a6856132be
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1252403071.267:747): avc:  denied  { read write } for  pid=28863 comm="restorecon" path="socket:[2270591]" dev=sockfs ino=2270591 scontext=system_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

node=(removed) type=SYSCALL msg=audit(1252403071.267:747): arch=c000003e syscall=59 success=yes exit=0 a0=1fd98f0 a1=1fd8a90 a2=1fd8930 a3=8 items=0 ppid=28862 pid=28863 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/sbin/setfiles" subj=system_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= setfiles_t ==============
allow setfiles_t initrc_t:unix_dgram_socket { read write };

Comment 1 Daniel Walsh 2009-09-08 14:38:12 UTC
Any idea which app is execing restorecon? Could abrtd be doing this?

Comment 2 Matěj Cepl 2009-09-09 07:57:24 UTC
No idea, probably a good candidate for INSUFFICIENT_DATA, I am afraid.
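
Added example, not part of the original report or of setroubleshoot: a short Python triage of the two raw audit records in the description. It joins the AVC and SYSCALL records by event serial and pulls out the parent PID that comment 1 asks about. The function names and the `inherited_at_exec` heuristic are assumptions of this example.

```python
import re

# The two raw audit records from the report above, copied verbatim.
RECORDS = [
    'node=(removed) type=AVC msg=audit(1252403071.267:747): avc:  denied  { read write } for  pid=28863 comm="restorecon" path="socket:[2270591]" dev=sockfs ino=2270591 scontext=system_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tclass=unix_dgram_socket',
    'node=(removed) type=SYSCALL msg=audit(1252403071.267:747): arch=c000003e syscall=59 success=yes exit=0 a0=1fd98f0 a1=1fd8a90 a2=1fd8930 a3=8 items=0 ppid=28862 pid=28863 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/sbin/setfiles" subj=system_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)',
]

EVENT_ID = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{ ([^}]*) \}")

def parse(line):
    """Return (event serial, field dict) for one raw audit record."""
    serial = EVENT_ID.search(line).group(1)
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    perms = PERMS.search(line)
    if perms:
        fields["perms"] = perms.group(1).split()
    return serial, fields

def correlate(lines):
    """Group records sharing an audit event serial, keyed by record type."""
    events = {}
    for line in lines:
        serial, fields = parse(line)
        events.setdefault(serial, {})[fields["type"]] = fields
    return events

def triage(event):
    """Summarise one AVC+SYSCALL pair and flag the inherited-descriptor pattern."""
    avc, sc = event["AVC"], event["SYSCALL"]
    # Heuristic assumed by this example: a denial on an anonymous socket logged
    # against a successful execve() means the descriptor was already open in the
    # caller and was inherited, so close-on-exec is missing upstream of this exec.
    inherited = (sc["arch"] == "c000003e" and sc["syscall"] == "59"  # x86_64 execve
                 and avc["path"].startswith("socket:[")
                 and avc["tclass"].endswith("_socket"))
    return {
        "exe": sc["exe"], "pid": int(sc["pid"]), "ppid": int(sc["ppid"]),
        "source_type": avc["scontext"].split(":")[2],
        "socket_type": avc["tcontext"].split(":")[2],  # label carried by the socket
        "perms": avc["perms"], "inherited_at_exec": inherited,
    }

if __name__ == "__main__":
    for serial, event in correlate(RECORDS).items():
        print(serial, triage(event))
```

For this event it reports `ppid` 28862 as the process that exec'd `/sbin/setfiles` and `initrc_t` as the label on the socket; the process that created the socket may be that parent or one of its ancestors.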

