Description of problem:

Summary:

SELinux is preventing /sbin/modprobe access to a leaked unix_stream_socket file descriptor.

Detailed Description:

[modprobe has a permissive type (insmod_t). This access was not denied.]

SELinux denied access requested by the modprobe command. It looks like this is either a leaked descriptor or modprobe output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the unix_stream_socket. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:insmod_t:s0
Target Context                system_u:system_r:firstboot_t:s0
Target Objects                unix_stream_socket [ unix_stream_socket ]
Source                        modprobe
Source Path                   /sbin/modprobe
Port                          <Unknown>
Host                          jabmini12.lan
Source RPM Packages           module-init-tools-3.9-2.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.31-2.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     jabmini12.lan
Platform                      Linux jabmini12.lan 2.6.31-2.fc12.i686 #1 SMP Thu Sep 10 00:41:03 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Thu 17 Sep 2009 17:03:08 BST
Last Seen                     Thu 17 Sep 2009 17:03:08 BST
Local ID                      bec49de5-3744-4adb-8f3a-47acaf4e7d87
Line Numbers

Raw Audit Messages

node=jabmini12.lan type=AVC msg=audit(1253203388.742:17): avc: denied { read write } for pid=1361 comm="modprobe" path="socket:[11851]" dev=sockfs ino=11851 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:firstboot_t:s0 tclass=unix_stream_socket

node=jabmini12.lan type=SYSCALL msg=audit(1253203388.742:17): arch=40000003 syscall=11 success=yes exit=0 a0=bf96784c a1=bf96680c a2=bf967ec4 a3=2 items=0 ppid=1359 pid=1361 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty6 ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:insmod_t:s0 key=(null)
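The setroubleshoot text above says how to read a "leaks" alert but leaves the reasoning implicit. The added Python script below is not part of this bug report, setroubleshoot or selinux-policy; it takes the two raw audit records exactly as quoted above (embedded as a constructed sample), pairs the AVC with its SYSCALL record by the shared serial in msg=audit(time:serial), and applies the same reasoning a triager would: the object is a socket (only reachable by inheriting an open descriptor), the denial happened during execve (SELinux revalidates inherited descriptors against the new domain at exec and closes the ones it cannot keep), and the socket carries a different domain's label. Since a socket is labelled with the domain of the process that created it, that tcontext names the parent that forgot close-on-exec, here firstboot_t. The arch-to-execve mapping (40000003 is AUDIT_ARCH_I386 where execve is 11; c000003e is AUDIT_ARCH_X86_64 where execve is 59) is supplied by me, as is the classification vocabulary.

```python
import re

# Constructed sample input: the two raw audit records from this bug report, one
# per line, as setroubleshoot printed them (serial 17 ties the AVC to its SYSCALL).
SAMPLE_AUDIT = """\
node=jabmini12.lan type=AVC msg=audit(1253203388.742:17): avc: denied { read write } for pid=1361 comm="modprobe" path="socket:[11851]" dev=sockfs ino=11851 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:firstboot_t:s0 tclass=unix_stream_socket
node=jabmini12.lan type=SYSCALL msg=audit(1253203388.742:17): arch=40000003 syscall=11 success=yes exit=0 a0=bf96784c a1=bf96680c a2=bf967ec4 a3=2 items=0 ppid=1359 pid=1361 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty6 ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:insmod_t:s0 key=(null)
"""

# execve syscall number keyed by the audit 'arch' value (table supplied by me):
# 40000003 = AUDIT_ARCH_I386 (execve is 11), c000003e = AUDIT_ARCH_X86_64 (execve is 59).
EXECVE_BY_ARCH = {"40000003": 11, "c000003e": 59}

# Objects a freshly exec'd program can only hold by inheriting an open descriptor.
INHERITED_PREFIXES = ("socket:[", "pipe:[")

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Parse one raw audit line into a dict of its key=value fields.

    'serial' is the per-event id from msg=audit(time:serial); AVC records also
    get 'perms', the list inside the '{ ... }' braces. Returns None for junk."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    rec = {"timestamp": m.group(1), "serial": m.group(2)}
    pm = PERMS_RE.search(line)
    if pm:
        rec["perms"] = pm.group(1).split()
    for key, val in KV_RE.findall(line):
        if key != "msg":
            rec[key] = val.strip('"')
    return rec


def group_events(text):
    """Group records by serial: the AVC and the SYSCALL that caused it share one."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def domain(context):
    """'system_u:system_r:insmod_t:s0' -> 'insmod_t' (the type field)."""
    return context.split(":")[2]


def classify(records):
    """Diagnose one event. 'leaked_fd' means: the denied object is a socket or
    pipe (inherited, not opened), the syscall is execve (SELinux revalidates
    inherited descriptors against the new domain at exec), and the object is
    labelled with another domain, i.e. the parent that created it and did not
    set close-on-exec."""
    avc = next((r for r in records if r.get("type") == "AVC"), None)
    sc = next((r for r in records if r.get("type") == "SYSCALL"), None)
    if avc is None:
        return None
    at_exec = (
        sc is not None
        and EXECVE_BY_ARCH.get(sc.get("arch")) == int(sc.get("syscall", "-1"))
    )
    inherited = avc.get("path", "").startswith(INHERITED_PREFIXES)
    src, tgt = domain(avc["scontext"]), domain(avc["tcontext"])
    result = {
        "serial": avc["serial"],
        "exec_domain": src,
        "object_domain": tgt,
        "object": avc.get("path"),
        "tclass": avc.get("tclass"),
        "perms": avc.get("perms", []),
        "exe": sc.get("exe") if sc else None,
        # success=yes on the SYSCALL: the exec went ahead, so the descriptor was
        # closed or the access merely logged (permissive domain), not the program stopped.
        "exec_succeeded": (sc or {}).get("success") == "yes",
    }
    if at_exec and inherited and src != tgt:
        result["kind"] = "leaked_fd"
        result["leaking_domain"] = tgt   # parent domain that created the socket
    elif inherited and src != tgt:
        result["kind"] = "inherited_fd_used_at_runtime"  # program really uses it
    else:
        result["kind"] = "other"
    return result


def diagnose(text):
    """Classify every event found in a block of raw audit text."""
    return {serial: classify(recs) for serial, recs in group_events(text).items()}


if __name__ == "__main__":
    for serial, d in diagnose(SAMPLE_AUDIT).items():
        print(f"event {serial}: {d['kind']} object={d['object']} "
              f"exe={d['exe']} ({d['exec_domain']}) "
              f"leaked by {d.get('leaking_domain', 'n/a')}")
```

Feed it `ausearch -m AVC,SYSCALL --raw` output (or the raw messages setroubleshoot quotes) and the "leaked_fd" verdict with its leaking_domain tells you which package owns the bug: not the one that was exec'd (modprobe, insmod_t) but the one whose domain labels the socket. The same record pairing also shows why a denial outside execve deserves a different answer: then the child really tried to use the descriptor, and a dontaudit would hide a functional failure rather than noise.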
It is actually firstboot that is leaking the descriptor.
firstboot never does anything with modprobe/insmod, and I don't see any information in this report that might help me identify what's going on besides that there's a socket involved. Is there more information that I can get somehow?
Hell no, welcome to my nightmare.

I will add firstboot_dontaudit_rw_stream_sockets(insmod_t), since the code currently has firstboot_dontaudit_rw_pipes(insmod_t).

Fixed in selinux-policy-3.6.32-3.fc12.noarch