Summary: SELinux is preventing /sbin/consoletype access to a leaked packet_socket file descriptor.

Detailed description:
[consoletype has a permissive type (consoletype_t). This access was not denied.]

SELinux denied access requested by the consoletype command. It looks like this is either a leaked descriptor or consoletype output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the packet_socket. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional information:
Source context        system_u:system_r:consoletype_t:s0
Target context        system_u:system_r:pppd_t:s0
Target objects        packet_socket [ packet_socket ]
Source                consoletype
Source path           /sbin/consoletype
Port                  <Unknown>
Host                  (removed)
Source RPM packages   initscripts-9.02-1
Target RPM packages
Policy RPM            selinux-policy-3.6.32-46.fc12
Selinux enabled       True
Policy type           targeted
Enforcing mode        Enforcing
Plugin name           leaks
Host name             (removed)
Platform              Linux (removed) 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686
Alert count           6
First seen            Tue 24 Nov 2009 18:31:03 BRST
Last seen             Tue 24 Nov 2009 19:42:03 BRST
Local ID              994a62d2-8e49-46d7-afc0-c44ec2b7315c
Line numbers

Raw audit messages:
node=(removed) type=AVC msg=audit(1259098923.229:20025): avc: denied { read write } for pid=2458 comm="consoletype" path="socket:[34335]" dev=sockfs ino=34335 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=packet_socket
node=(removed) type=SYSCALL msg=audit(1259098923.229:20025): arch=40000003 syscall=11 success=yes exit=0 a0=9430400 a1=9430460 a2=9428f10 a3=9430460 items=0 ppid=2457 pid=2458 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="consoletype" exe="/sbin/consoletype" subj=system_u:system_r:consoletype_t:s0 key=(null)

Hash String generated from selinux-policy-3.6.32-46.fc12,leaks,consoletype,consoletype_t,pppd_t,packet_socket,read,write

audit2allow suggests:
#============= consoletype_t ==============
allow consoletype_t pppd_t:packet_socket { read write };
This bug is probably a duplicate of #531374. I have not reproduced the described issue, so I hope somebody on the CC list will be willing to test this scratch build http://koji.fedoraproject.org/koji/taskinfo?taskID=1796872 and send me a message about the result. Thanks in advance, Jiri
*** Bug 541560 has been marked as a duplicate of this bug. ***
*** Bug 542588 has been marked as a duplicate of this bug. ***
*** Bug 543013 has been marked as a duplicate of this bug. ***
*** Bug 543045 has been marked as a duplicate of this bug. ***
I'm willing to test, but I can't get an RPM out of that link.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-52.fc12
Dec 2 00:44:23 underdark adsl-stop: Killing pppd
Dec 2 00:44:23 underdark pppd[23695]: Terminating on signal 15
Dec 2 00:44:23 underdark pppd[23695]: Connect time 411.4 minutes.
Dec 2 00:44:23 underdark pppd[23695]: Sent 1749502931 bytes, received 1880900092 bytes.
Dec 2 00:44:23 underdark adsl-stop: Killing pppoe-connect
Dec 2 00:44:24 underdark NET[7256]: /etc/sysconfig/network-scripts/ifdown-post : updated /etc/resolv.conf
Dec 2 00:44:24 underdark setroubleshoot: SELinux is preventing /sbin/consoletype access to a leaked packet_socket file descriptor. For complete SELinux messages. run sealert -l 83fd6466-d188-4e27-be84-cb6d329f8755
Dec 2 00:44:25 underdark setroubleshoot: SELinux is preventing /sbin/consoletype access to a leaked packet_socket file descriptor. For complete SELinux messages. run sealert -l 83fd6466-d188-4e27-be84-cb6d329f8755
Dec 2 00:44:25 underdark ntpd[1973]: Deleting interface #14 ppp0, 85.238.107.53#123, interface stats: received=78, sent=78, dropped=0, active_time=24680 secs
Dec 2 00:44:25 underdark setroubleshoot: SELinux is preventing /sbin/setfiles access to a leaked packet_socket file descriptor. For complete SELinux messages. run sealert -l 3bb2524c-6188-49d6-8d78-7da692d7361f
Dec 2 00:44:25 underdark setroubleshoot: SELinux is preventing /sbin/ip access to a leaked packet_socket file descriptor. For complete SELinux messages. run sealert -l 97cee9c2-c812-4d2c-8e13-11ed4d21b4b4
Dec 2 00:45:13 underdark dnsmasq[2136]: reading /etc/resolv.conf
Dec 2 00:45:13 underdark dnsmasq[2136]: using nameserver 195.138.80.33#53
Dec 2 00:45:14 underdark pppd[7392]: Plugin rp-pppoe.so loaded.
Dec 2 00:45:14 underdark pppd[7392]: RP-PPPoE plugin version 3.3 compiled against pppd 2.4.4
Dec 2 00:45:14 underdark pppd[7392]: pppd 2.4.4 started by root, uid 0
Dec 2 00:45:14 underdark pppd[7392]: PPP session is 213
Dec 2 00:45:14 underdark pppd[7392]: Using interface ppp0
Dec 2 00:45:14 underdark pppd[7392]: Connect: ppp0 <--> eth1
Dec 2 00:45:14 underdark pppd[7392]: CHAP authentication succeeded
Dec 2 00:45:14 underdark pppd[7392]: CHAP authentication succeeded
Dec 2 00:45:14 underdark pppd[7392]: peer from calling number 00:E0:81:34:BC:62 authorized
Dec 2 00:45:14 underdark pppd[7392]: local IP address 85.238.107.53
Dec 2 00:45:14 underdark pppd[7392]: remote IP address 195.138.80.168
Dec 2 00:45:14 underdark pppd[7392]: primary DNS address 195.138.80.56
Dec 2 00:45:14 underdark pppd[7392]: secondary DNS address 195.138.80.33
Dec 2 00:45:14 underdark setroubleshoot: SELinux is preventing /sbin/consoletype access to a leaked packet_socket file descriptor. For complete SELinux messages. run sealert -l 83fd6466-d188-4e27-be84-cb6d329f8755
Dec 2 00:45:14 underdark NET[7429]: /etc/sysconfig/network-scripts/ifup-post : updated /etc/resolv.conf
Dec 2 00:45:14 underdark setroubleshoot: SELinux is preventing /sbin/consoletype access to a leaked packet_socket file descriptor. For complete SELinux messages. run sealert -l 83fd6466-d188-4e27-be84-cb6d329f8755
Dec 2 00:45:14 underdark setroubleshoot: SELinux is preventing /sbin/ifconfig access to a leaked packet_socket file descriptor. For complete SELinux messages. run sealert -l 97cee9c2-c812-4d2c-8e13-11ed4d21b4b4
Dec 2 00:45:15 underdark setroubleshoot: SELinux is preventing /sbin/setfiles access to a leaked packet_socket file descriptor. For complete SELinux messages. run sealert -l 3bb2524c-6188-49d6-8d78-7da692d7361f
Dec 2 00:45:15 underdark setroubleshoot: SELinux is preventing /sbin/consoletype access to a leaked packet_socket file descriptor. For complete SELinux messages. run sealert -l 83fd6466-d188-4e27-be84-cb6d329f8755
Dec 2 00:45:16 underdark ntpd[1973]: Listening on interface #16 ppp0, 85.238.107.53#123 Enabled
*** Bug 543362 has been marked as a duplicate of this bug. ***
*** Bug 531374 has been marked as a duplicate of this bug. ***
(In reply to comment #8)
> Dec 2 00:44:23 underdark adsl-stop: Killing pppd
> Dec 2 00:44:23 underdark pppd[23695]: Terminating on signal 15
> ....
> /sbin/consoletype access to a leaked packet_socket file descriptor. For
> complete SELinux messages. run sealert -l 83fd6466-d188-4e27-be84-cb6d329f8755
> Dec 2 00:45:16 underdark ntpd[1973]: Listening on interface #16 ppp0,
> 85.238.107.53#123 Enabled

Thank you Serge for your test!

Daniel,
1. What do you think about the test with patched ppp (using the O_CLOEXEC flag)?
2. I didn't understand your comment #7. Does it mean you have fixed it in selinux-policy?
3. If not, any idea how to detect it? I'm not able to detect it in ppp because my connection works fine.

Jiri
I have removed the transition to consoletype_t which was revealing this and many other leaks.

Well, their connections would work fine also. SELinux was just closing the leak. Wherever the packet_socket was being created or handed back to ppp, you should execute the fcntl(socket, F_SETFD, FD_CLOEXEC) call.
(In reply to comment #12)
> I have removed the transition to consoletype_t which was revealing this and
> many other leaks.
>
> Well their connections would work fine also. SELinux was just closing the
> leak. Wherever the packet_socket was being created or handed back to ppp, you
> should execute the fcntl(socket, F_SETFD, FD_CLOEXEC)
>
> Call

Yes, I've used FD_CLOEXEC in fcntl and also in open functions, but as you can see in comment #8 there is no progress.
What about in socket() and accept()? You need to close leaks on sockets also.
Created attachment 381310 [details]
fd's leak patch

Daniel, of course I applied it on files and sockets. I'm sorry I didn't attach my patch immediately. Well, you can review it now. I've overloaded all file opening as well as socket connection creation. But I think file fd's are handled in pppd/main.c - safe_fork() and in other functions closing files due to forking. I see the patch as something more ... Try to review this. Thanks. Jiri
Looks ok, although some of these are built into glibc.

man fopen
...
NOTES
Glibc Notes
...
e (since glibc 2.7) Open the file with the O_CLOEXEC flag. See open(2) for more information.
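Added example, not code from the bug thread or the attached ppp patch, showing the close-on-exec fix Daniel describes (fcntl with FD_CLOEXEC on sockets as well as files) next to the creation-time forms, SOCK_CLOEXEC and glibc's "e" fopen mode. It assumes an unprivileged AF_UNIX socket and /dev/null as stand-ins for the packet socket, since checking the flag does not depend on the socket family.

```c
/* Added example: marking descriptors close-on-exec so helpers exec'd from a
 * daemon such as pppd cannot inherit them. An AF_UNIX socket and /dev/null
 * stand in for the packet socket (constructed inputs; no CAP_NET_RAW needed). */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 1 if fd has FD_CLOEXEC set, 0 if not, -1 on error (e.g. bad fd). */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* The fix suggested in the thread, applied to an already-open descriptor.
 * Reads the current flags first so no other fd flag is clobbered. */
int fd_set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* A socket() without SOCK_CLOEXEC is inheritable by anything the process
 * execs until fd_set_cloexec() is applied. Returns 1 if the fix took effect. */
int demo_socket_fix(void)
{
    int s = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (s < 0) return -1;
    int before = fd_is_cloexec(s);   /* 0: would leak into an exec'd child */
    fd_set_cloexec(s);
    int after = fd_is_cloexec(s);    /* 1: kernel closes it on execve() */
    close(s);
    return before == 0 && after == 1;
}

/* Setting the flag at creation avoids the fork/exec race between socket()
 * and fcntl(): SOCK_CLOEXEC (Linux 2.6.27+) and glibc's "e" fopen mode. */
int demo_created_cloexec(void)
{
    int s = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    FILE *f = fopen("/dev/null", "re");
    int ok = s >= 0 && f && fd_is_cloexec(s) == 1 && fd_is_cloexec(fileno(f)) == 1;
    if (s >= 0) close(s);
    if (f) fclose(f);
    return ok;
}
```

On a live system, `ls -l /proc/<pid>/fd` of a script spawned by the daemon shows which descriptors were inherited; none of the sockets should appear once every creation path sets the flag.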