Bug 543045 - SELinux is preventing /sbin/ip access to a leaked packet_socket file descriptor.
Summary: SELinux is preventing /sbin/ip access to a leaked packet_socket file descriptor.
Keywords:
Status: CLOSED DUPLICATE of bug 541107
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:13ce476a3c2...
Depends On:
Blocks:
 
Reported: 2009-12-01 15:37 UTC by Serge Pavlovsky
Modified: 2009-12-01 20:24 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-01 20:24:35 UTC
Type: ---
Embargoed:



Description Serge Pavlovsky 2009-12-01 15:37:33 UTC
Summary:

SELinux is preventing /sbin/ip access to a leaked packet_socket file descriptor.

Detailed Description:

[ip is running in enforcing mode (ifconfig_t).
This action is not permitted.]

SELinux denied access requested by the ip command. It looks like this is either
a leaked descriptor or ip output was redirected to a file it is not allowed to
access. Leaks usually can be ignored since SELinux is just closing the leak and
reporting the error. The application does not use the descriptor, so it will run
properly. If this is a redirection, you will not get output in the
packet_socket. You should generate a bugzilla on selinux-policy, and it will get
routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:ifconfig_t:s0
Target Context                system_u:system_r:pppd_t:s0
Target Objects                packet_socket [ packet_socket ]
Source                        ip
Source Path                   /sbin/ip
Port                          <Unknown>
Host                          underdark.thor.od.ua
Source Packages               iproute-2.6.29-4.fc12
Target Packages R
Policy RPM                    selinux-policy-3.6.32-46.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     underdark.thor.od.ua
Platform                      Linux underdark.thor.od.ua
                              2.6.31.6-145.fc12.x86_64 #1 SMP Sat Nov 21
                              15:57:45 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 01 Dec 2009 15:14:02
Last Seen                     Tue 01 Dec 2009 15:14:02
Local ID                      f1e62805-3513-4974-a32b-df38b20aa9d1
Line Numbers

Raw Messages

node=underdark.thor.od.ua type=AVC msg=audit(1259673242.792:54721): avc:  denied  { read write } for  pid=3493 comm="ip" path="socket:[11270]" dev=sockfs ino=11270 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=packet_socket

node=underdark.thor.od.ua type=SYSCALL msg=audit(1259673242.792:54721): arch=c000003e syscall=59 success=yes exit=0 a0=17c2220 a1=17bdc60 a2=17c1800 a3=7fffba084b10 items=0 ppid=3481 pid=3493 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-46.fc12,leaks,ip,ifconfig_t,pppd_t,packet_socket,read,write
audit2allow suggests:

#============= ifconfig_t ==============
allow ifconfig_t pppd_t:packet_socket { read write };

Comment 1 Daniel Walsh 2009-12-01 20:24:35 UTC

*** This bug has been marked as a duplicate of bug 541107 ***

