Summary:

SELinux is preventing /sbin/ip access to a leaked packet_socket file descriptor.

Detailed Description:

[ip is running in enforcing mode (ifconfig_t). This action is not permitted.]

SELinux denied access requested by the ip command. It looks like this is either a leaked descriptor or ip output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the packet_socket. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:ifconfig_t:s0
Target Context                system_u:system_r:pppd_t:s0
Target Objects                packet_socket [ packet_socket ]
Source                        ip
Source Path                   /sbin/ip
Port                          <Unknown>
Host                          underdark.thor.od.ua
Source RPM Packages           iproute-2.6.29-4.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-46.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     underdark.thor.od.ua
Platform                      Linux underdark.thor.od.ua 2.6.31.6-145.fc12.x86_64 #1 SMP Sat Nov 21 15:57:45 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 01 Dec 2009 15:14:02
Last Seen                     Tue 01 Dec 2009 15:14:02
Local ID                      f1e62805-3513-4974-a32b-df38b20aa9d1
Line Numbers

Raw Audit Messages

node=underdark.thor.od.ua type=AVC msg=audit(1259673242.792:54721): avc: denied { read write } for pid=3493 comm="ip" path="socket:[11270]" dev=sockfs ino=11270 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=packet_socket

node=underdark.thor.od.ua type=SYSCALL msg=audit(1259673242.792:54721): arch=c000003e syscall=59 success=yes exit=0 a0=17c2220 a1=17bdc60 a2=17c1800 a3=7fffba084b10 items=0 ppid=3481 pid=3493 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)

Hash String generated from selinux-policy-3.6.32-46.fc12,leaks,ip,ifconfig_t,pppd_t,packet_socket,read,write

audit2allow suggests:

#============= ifconfig_t ==============
allow ifconfig_t pppd_t:packet_socket { read write };

*** This bug has been marked as a duplicate of bug 541107 ***