543872 – SELinux is preventing /usr/bin/ntlm_auth access to a leaked /dev/snd/controlC0 file descriptor.

Bug 543872 - SELinux is preventing /usr/bin/ntlm_auth access to a leaked /dev/snd/controlC0 file descriptor.

Summary: SELinux is preventing /usr/bin/ntlm_auth access to a leaked /dev/snd/controlC...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	12
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	setroubleshoot_trace_hash:f391c3a93af...
Duplicates (1):	543873 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-12-03 11:53 UTC by Rob Whalley
Modified:	2009-12-16 01:06 UTC (History)
CC List:	2 users (show)
Fixed In Version:	3.6.32-56.fc12
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-12-16 01:06:08 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Rob Whalley 2009-12-03 11:53:32 UTC

Summary:

SELinux is preventing /usr/bin/ntlm_auth access to a leaked /dev/snd/controlC0
file descriptor.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the ntlm_auth command. It looks like this is
either a leaked descriptor or ntlm_auth output was redirected to a file it is
not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the /dev/snd/controlC0. You should generate a bugzilla on
selinux-policy, and it will get routed to the appropriate package. You can
safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:unconfined_r:winbind_helper_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:sound_device_t:s0
Target Objects                /dev/snd/controlC0 [ chr_file ]
Source                        ntlm_auth
Source Path                   /usr/bin/ntlm_auth
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           samba-winbind-3.4.2-47.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-52.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.6-145.fc12.x86_64 #1 SMP Sat
                              Nov 21 15:57:45 EST 2009 x86_64 x86_64
Alert Count                   4
First Seen                    Thu 03 Dec 2009 11:39:33 GMT
Last Seen                     Thu 03 Dec 2009 11:39:33 GMT
Local ID                      936ebae9-ebeb-4288-9a72-7341d88ab0aa
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1259840373.386:25909): avc:  denied  { read write } for  pid=2788 comm="ntlm_auth" path="/dev/snd/controlC0" dev=tmpfs ino=8974 scontext=unconfined_u:unconfined_r:winbind_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file

node=(removed) type=AVC msg=audit(1259840373.386:25909): avc:  denied  { read write } for  pid=2788 comm="ntlm_auth" path="socket:[26895]" dev=sockfs ino=26895 scontext=unconfined_u:unconfined_r:winbind_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket

node=(removed) type=AVC msg=audit(1259840373.386:25909): avc:  denied  { read } for  pid=2788 comm="ntlm_auth" path="/proc/2363/status" dev=proc ino=31759 scontext=unconfined_u:unconfined_r:winbind_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file

node=(removed) type=AVC msg=audit(1259840373.386:25909): avc:  denied  { read write } for  pid=2788 comm="ntlm_auth" path="/dev/nvidiactl" dev=tmpfs ino=12205 scontext=unconfined_u:unconfined_r:winbind_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1259840373.386:25909): arch=40000003 syscall=11 success=yes exit=0 a0=53e51f a1=53e614 a2=ffa482b4 a3=ffa49cd6 items=0 ppid=2783 pid=2788 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="ntlm_auth" exe="/usr/bin/ntlm_auth" subj=unconfined_u:unconfined_r:winbind_helper_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-52.fc12,leaks,ntlm_auth,winbind_helper_t,sound_device_t,chr_file,read,write
audit2allow suggests:

#============= winbind_helper_t ==============
allow winbind_helper_t device_t:chr_file { read write };
allow winbind_helper_t sound_device_t:chr_file { read write };
allow winbind_helper_t unconfined_t:file read;
allow winbind_helper_t unconfined_t:tcp_socket { read write };

Comment 1 Daniel Walsh 2009-12-03 15:04:17 UTC

What tool were you running when you got these AVCs?

Comment 2 Daniel Walsh 2009-12-03 15:04:42 UTC

*** Bug 543873 has been marked as a duplicate of this bug. ***

Comment 3 Rob Whalley 2009-12-04 08:17:41 UTC

This occurred when running version 1.1.33 of Wine, compiled from source with some extra patches (can provide further information on how it was built if required). 
AVC messages were encountered when running the Steam games platform. This message was received when starting the Steam application itself:
SELinux is preventing /usr/bin/ntlm_auth access to a leaked /dev/snd/controlC0
file descriptor.

Message also received when starting game entitled "Mass Effect". Have not checked with other games at this point.

Wine patch for PulseAudio (see: http://art.ified.ca/?page_id=40), also has a patch to fix a mouse issue in Mass Effect (http://bugs.winehq.org/attachment.cgi?id=21554) and a patch to fix Left4dead2 demo (http://bugs.winehq.org/attachment.cgi?id=24845).

What additional information is required?

Comment 4 Daniel Walsh 2009-12-04 13:32:55 UTC

Something strange seems to be happening on your system

 sesearch -A -t winbind_helper_t -p transition
Found 3 semantic av rules:
   allow sysadm_t winbind_helper_t : process { transition signal } ; 
   allow squid_t winbind_helper_t : process { transition signal } ; 
   allow httpd_t winbind_helper_t : process { transition signal } ; 

This means that only squid and httpd are able to transition to winbind_helper_t.  

If you execute id -Z, what does it say?


rpm -q selinux-policy-targeted

Comment 5 Rob Whalley 2009-12-04 17:34:44 UTC

"id -Z" brings back:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

"rpm -q selinux-policy-targeted" brings back:
selinux-policy-targeted-3.6.32-52.fc12.noarch

This is the RPM from updates-testing which I installed by doing "yum update selinux-policy-targeted --enablerepo=updates-testing". 

"sesearch -A -t winbind_helper_t -p transition" brings back:
Found 4 semantic av rules:
   allow squid_t winbind_helper_t : process { transition signal } ; 
   allow sysadm_t winbind_helper_t : process { transition signal } ; 
   allow unconfined_t winbind_helper_t : process { transition signal } ; 
   allow httpd_t winbind_helper_t : process { transition signal } ; 

The only change to SE Linux I have tried is: "setsebool -P mmap_low_allowed 1" - normally I would just disable SE Linux but am trying it in permissive mode to see how I get on with it.

Comment 6 Daniel Walsh 2009-12-05 11:55:16 UTC

These are leaked file descriptors from the application that ended up execing ntlm_auth.  I will remove the transition for now from unconfined_t to winbind_t, which should stop showing these AVC messages.

You can safely ignore these messages.

Fixed in selinux-policy-3.6.32-56.fc12.noarch

Comment 7 Fedora Update System 2009-12-07 22:53:43 UTC

selinux-policy-3.6.32-56.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-56.fc12

Comment 8 Fedora Update System 2009-12-10 04:19:14 UTC

selinux-policy-3.6.32-56.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12990

Comment 9 Rob Whalley 2009-12-10 08:25:29 UTC

Works perfectly - many thanks for taking the time to put this fix in place

Comment 10 Fedora Update System 2009-12-16 01:04:40 UTC

selinux-policy-3.6.32-56.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.