Bug 542588 - SELinux is preventing /sbin/consoletype access to a leaked packet_socket file descriptor.
Keywords:
Status: CLOSED DUPLICATE of bug 541107
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:705c1cc01c0...
Depends On:
Blocks:
Reported: 2009-11-30 09:41 UTC by Serge Pavlovsky
Modified: 2009-12-01 20:23 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-01 20:23:47 UTC
Type: ---
Embargoed:



Description Serge Pavlovsky 2009-11-30 09:41:09 UTC
Summary:

SELinux is preventing /sbin/consoletype access to a leaked packet_socket file
descriptor.

Detailed Description:

[consoletype is running in enforcing mode (consoletype_t). This action is not
permitted.]

SELinux denied access requested by the consoletype command. It looks like this
is either a leaked descriptor or consoletype output was redirected to a file it
is not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the packet_socket. You should generate a bugzilla on selinux-policy,
and it will get routed to the appropriate package. You can safely ignore this
avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:consoletype_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                packet_socket [ packet_socket ]
Source                        consoletype
Source Path                   /sbin/consoletype
Port                          <Unknown>
Host                          underdark.thor.od.ua
Source RPM Packages           initscripts-9.02-1
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-46.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     underdark.thor.od.ua
Platform                      Linux underdark.thor.od.ua
                              2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14
                              EST 2009 x86_64 x86_64
Alert Count                   37
First Seen                    Sat 28 Nov 2009 18:03:40
Last Seen                     Mon 30 Nov 2009 11:15:46
Local ID                      83fd6466-d188-4e27-be84-cb6d329f8755
Line Numbers                  

Raw Audit Messages

node=underdark.thor.od.ua type=AVC msg=audit(1259572546.129:27996): avc:  denied  { read write } for  pid=27703 comm="consoletype" path="socket:[320436909]" dev=sockfs ino=320436909 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=packet_socket

node=underdark.thor.od.ua type=SYSCALL msg=audit(1259572546.129:27996): arch=c000003e syscall=59 success=yes exit=0 a0=1a25410 a1=1a25470 a2=1a25200 a3=7fffce7cdb90 items=0 ppid=27702 pid=27703 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=93 comm="consoletype" exe="/sbin/consoletype" subj=unconfined_u:system_r:consoletype_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-46.fc12,leaks,consoletype,consoletype_t,unconfined_t,packet_socket,read,write
audit2allow suggests:

#============= consoletype_t ==============
allow consoletype_t unconfined_t:packet_socket { read write };

Comment 1 Daniel Walsh 2009-12-01 20:23:47 UTC

*** This bug has been marked as a duplicate of bug 541107 ***

