Bug 541488 - SELinux is preventing /usr/bin/abrt-pyhook-helper access to a leaked unix_dgram_socket file descriptor.
Status: CLOSED DUPLICATE of bug 539566
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:8405b550904...
Reported: 2009-11-26 03:00 UTC by markhuomian
Modified: 2009-12-11 19:23 UTC

Last Closed: 2009-11-27 13:18:51 UTC

Description markhuomian 2009-11-26 03:00:03 UTC
Summary:

SELinux is preventing /usr/bin/abrt-pyhook-helper access to a leaked
unix_dgram_socket file descriptor.

Detailed Description:

[abrt-pyhook-hel has a permissive type (abrt_helper_t). This access was not
denied.]

SELinux denied access requested by the abrt-pyhook-hel command. It looks like
this is either a leaked descriptor or abrt-pyhook-hel output was redirected to a
file it is not allowed to access. Leaks usually can be ignored since SELinux is
just closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the unix_dgram_socket. You should generate a bugzilla on
selinux-policy, and it will get routed to the appropriate package. You can
safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                unix_dgram_socket [ unix_dgram_socket ]
Source                        abrt-pyhook-hel
Source Path                   /usr/bin/abrt-pyhook-helper
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           abrt-addon-python-1.0.0-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-49.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.6-145.fc12.i686.PAE #1 SMP
                              Sat Nov 21 16:12:37 EST 2009 i686 i686
Alert Count                   3
First Seen                    Thu 26 Nov 2009 10:58:26 AM CST
Last Seen                     Thu 26 Nov 2009 10:58:26 AM CST
Local ID                      5256e098-9636-4b11-8a06-e4e4459cbd84
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1259204306.592:55): avc:  denied  { read write } for  pid=6330 comm="abrt-pyhook-hel" path="socket:[65593]" dev=sockfs ino=65593 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

node=(removed) type=AVC msg=audit(1259204306.592:55): avc:  denied  { write } for  pid=6330 comm="abrt-pyhook-hel" path="/var/cache/yum/i386/12/updates-testing/019f46970910e0b1680f802e174b65a6949916c7f37962e5c36099a705c88b9d-primary.sqlite.bz2" dev=dm-1 ino=18685 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1259204306.592:55): avc:  denied  { read write } for  pid=6330 comm="abrt-pyhook-hel" path="socket:[74146]" dev=sockfs ino=74146 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1259204306.592:55): arch=40000003 syscall=11 success=yes exit=0 a0=9034058 a1=903fb70 a2=bfe5ff54 a3=5 items=0 ppid=26518 pid=6330 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=477 sgid=477 fsgid=477 tty=pts0 ses=1 comm="abrt-pyhook-hel" exe="/usr/bin/abrt-pyhook-helper" subj=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-49.fc12,leaks,abrt-pyhook-hel,abrt_helper_t,unconfined_t,unix_dgram_socket,read,write
audit2allow suggests:

#============= abrt_helper_t ==============
allow abrt_helper_t rpm_var_cache_t:file write;
allow abrt_helper_t unconfined_t:tcp_socket { read write };
allow abrt_helper_t unconfined_t:unix_dgram_socket { read write };

Comment 1 markhuomian 2009-11-26 03:04:47 UTC
sudo package-cleanup --oldkernels

[OUTPUT]:
http://ftp.jaist.ac.jp/pub/Linux/Fedora/updates/testing/12/i386/repodata/019f46970910e0b1680f802e174b65a6949916c7f37962e5c36099a705c88b9d-primary.sqlite.bz2: [Errno 14] HTTP Error 404 : http://ftp.jaist.ac.jp/pub/Linux/Fedora/updates/testing/12/i386/repodata/019f46970910e0b1680f802e174b65a6949916c7f37962e5c36099a705c88b9d-primary.sqlite.bz2 
Trying other mirror.
http://mirror.svk.su/fedora/linux/updates/testing/12/i386/repodata/019f46970910e0b1680f802e174b65a6949916c7f37962e5c36099a705c88b9d-primary.sqlite.bz2: [Errno 14] HTTP Error 404 : http://mirror.svk.su/fedora/linux/updates/testing/12/i386/repodata/019f46970910e0b1680f802e174b65a6949916c7f37962e5c36099a705c88b9d-primary.sqlite.bz2 
Trying other mirror.
http://mirror.yandex.ru/fedora/linux/updates/testing/12/i386/repodata/019f46970910e0b1680f802e174b65a6949916c7f37962e5c36099a705c88b9d-primary.sqlite.bz2: [Errno 14] HTTP Error 404 : http://mirror.yandex.ru/fedora/linux/updates/testing/12/i386/repodata/019f46970910e0b1680f802e174b65a6949916c7f37962e5c36099a705c88b9d-primary.sqlite.bz2 
Trying other mirror.
Traceback (most recent call last):
  File "/usr/bin/package-cleanup", line 382, in <module>
    util = PackageCleanup()
  File "/usr/bin/package-cleanup", line 58, in __init__
    self.main()
  File "/usr/bin/package-cleanup", line 336, in main
    self.buildTransaction()
  File "/usr/lib/python2.6/site-packages/yum/__init__.py", line 794, in buildTransaction
    (rescode, restring) = self.resolveDeps()
  File "/usr/lib/python2.6/site-packages/yum/depsolve.py", line 684, in resolveDeps
    if not len(self.tsInfo):
  File "/usr/lib/python2.6/site-packages/yum/__init__.py", line 729, in <lambda>
    tsInfo = property(fget=lambda self: self._getTsInfo(), 
  File "/usr/lib/python2.6/site-packages/yum/depsolve.py", line 110, in _getTsInfo
    pkgSack = self.pkgSack
  File "/usr/lib/python2.6/site-packages/yum/__init__.py", line 720, in <lambda>
    pkgSack = property(fget=lambda self: self._getSacks(),
  File "/usr/lib/python2.6/site-packages/yum/__init__.py", line 549, in _getSacks
    self.repos.populateSack(which=repos)
  File "/usr/lib/python2.6/site-packages/yum/repos.py", line 277, in populateSack
    sack.populate(repo, mdtype, callback, cacheonly)
  File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 172, in populate
    db_fn = repo._retrieveMD(mydbtype)
  File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 1553, in _retrieveMD
    size=thisdata.size)
  File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 828, in _getFile
    raise Errors.NoMoreMirrorsRepoError, errstr
yum.Errors.NoMoreMirrorsRepoError: failure: repodata/019f46970910e0b1680f802e174b65a6949916c7f37962e5c36099a705c88b9d-primary.sqlite.bz2 from updates-testing: [Errno 256] No more mirrors to try.

Comment 2 Miroslav Grepl 2009-11-27 13:18:51 UTC

*** This bug has been marked as a duplicate of bug 539566 ***

