Summary: SELinux is preventing /usr/bin/ntlm_auth access to a leaked /dev/snd/controlC0 file descriptor. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux denied access requested by the ntlm_auth command. It looks like this is either a leaked descriptor or ntlm_auth output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /dev/snd/controlC0. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Additional Information: Source Context unconfined_u:unconfined_r:winbind_helper_t:s0-s0:c 0.c1023 Target Context system_u:object_r:sound_device_t:s0 Target Objects /dev/snd/controlC0 [ chr_file ] Source ntlm_auth Source Path /usr/bin/ntlm_auth Port <Unknown> Host (removed) Source RPM Packages samba-winbind-3.4.2-47.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-52.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name leaks Host Name (removed) Platform Linux (removed) 2.6.31.6-145.fc12.x86_64 #1 SMP Sat Nov 21 15:57:45 EST 2009 x86_64 x86_64 Alert Count 4 First Seen Thu 03 Dec 2009 11:39:33 GMT Last Seen Thu 03 Dec 2009 11:39:33 GMT Local ID 936ebae9-ebeb-4288-9a72-7341d88ab0aa Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1259840373.386:25909): avc: denied { read write } for pid=2788 comm="ntlm_auth" path="/dev/snd/controlC0" dev=tmpfs ino=8974 scontext=unconfined_u:unconfined_r:winbind_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file node=(removed) type=AVC msg=audit(1259840373.386:25909): avc: denied { read write } for pid=2788 comm="ntlm_auth" path="socket:[26895]" dev=sockfs ino=26895 scontext=unconfined_u:unconfined_r:winbind_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket node=(removed) type=AVC msg=audit(1259840373.386:25909): avc: denied { read } for pid=2788 comm="ntlm_auth" path="/proc/2363/status" dev=proc ino=31759 scontext=unconfined_u:unconfined_r:winbind_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file node=(removed) type=AVC msg=audit(1259840373.386:25909): avc: denied { read write } for pid=2788 comm="ntlm_auth" path="/dev/nvidiactl" dev=tmpfs ino=12205 scontext=unconfined_u:unconfined_r:winbind_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file node=(removed) type=SYSCALL msg=audit(1259840373.386:25909): arch=40000003 syscall=11 success=yes exit=0 a0=53e51f a1=53e614 a2=ffa482b4 a3=ffa49cd6 items=0 ppid=2783 pid=2788 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="ntlm_auth" exe="/usr/bin/ntlm_auth" subj=unconfined_u:unconfined_r:winbind_helper_t:s0-s0:c0.c1023 key=(null) Hash String generated from selinux-policy-3.6.32-52.fc12,leaks,ntlm_auth,winbind_helper_t,sound_device_t,chr_file,read,write audit2allow suggests: #============= winbind_helper_t ============== allow winbind_helper_t device_t:chr_file { read write }; allow winbind_helper_t sound_device_t:chr_file { read write }; allow winbind_helper_t unconfined_t:file read; allow winbind_helper_t unconfined_t:tcp_socket { read write };
What tool were you running when you got these AVCs?
*** Bug 543873 has been marked as a duplicate of this bug. ***
This occurred when running version 1.1.33 of Wine, compiled from source with some extra patches (can provide further information on how it was built if required). AVC messages were encountered when running the Steam games platform. This message was received when starting the Steam application itself: SELinux is preventing /usr/bin/ntlm_auth access to a leaked /dev/snd/controlC0 file descriptor. Message also received when starting game entitled "Mass Effect". Have not checked with other games at this point. Wine patch for PulseAudio (see: http://art.ified.ca/?page_id=40), also has a patch to fix a mouse issue in Mass Effect (http://bugs.winehq.org/attachment.cgi?id=21554) and a patch to fix Left4dead2 demo (http://bugs.winehq.org/attachment.cgi?id=24845). What additional information is required?
Something strange seems to be happening on your system sesearch -A -t winbind_helper_t -p transition Found 3 semantic av rules: allow sysadm_t winbind_helper_t : process { transition signal } ; allow squid_t winbind_helper_t : process { transition signal } ; allow httpd_t winbind_helper_t : process { transition signal } ; This means that only squid and httpd are able to transition to winbind_helper_t. If you execute id -Z, what does it say? rpm -q selinux-policy-targeted
"id -Z" brings back: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "rpm -q selinux-policy-targeted" brings back: selinux-policy-targeted-3.6.32-52.fc12.noarch This is the RPM from updates-testing which I installed by doing "yum update selinux-policy-targeted --enablerepo=updates-testing". "sesearch -A -t winbind_helper_t -p transition" brings back: Found 4 semantic av rules: allow squid_t winbind_helper_t : process { transition signal } ; allow sysadm_t winbind_helper_t : process { transition signal } ; allow unconfined_t winbind_helper_t : process { transition signal } ; allow httpd_t winbind_helper_t : process { transition signal } ; The only change to SE Linux I have tried is: "setsebool -P mmap_low_allowed 1" - normally I would just disable SE Linux but am trying it in permissive mode to see how I get on with it.
These are leaked file descriptors from the application that ended up execing ntlm_auth. I will remove the transition for now from unconfined_t to winbind_t, which should stop showing these AVC messages. You can safely ignore these messages. Fixed in selinux-policy-3.6.32-56.fc12.noarch
selinux-policy-3.6.32-56.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-56.fc12
selinux-policy-3.6.32-56.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12990
Works perfectly - many thanks for taking the time to put this fix in place
selinux-policy-3.6.32-56.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.