Summary:

SELinux is preventing /sbin/rpc.statd access to a leaked /tmp/tmp9IF8MN file descriptor.

Detailed Description:

[rpc.idmapd has a permissive type (rpcd_t). This access was not denied.]

SELinux denied access requested by the rpc.statd command. It looks like this is either a leaked descriptor or rpc.statd output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /tmp/tmp9IF8MN. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:rpcd_t:s0
Target Context                unconfined_u:object_r:rpm_tmp_t:s0
Target Objects                /tmp/tmp9IF8MN [ file ]
Source                        rpc.idmapd
Source Path                   /usr/sbin/rpc.idmapd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           nfs-utils-1.2.1-14.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.8-2.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33-0.20.rc5.git0.fc13.x86_64 #1 SMP Fri Jan 22 19:49:17 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 25 Jan 2010 06:34:50 AM PST
Last Seen                     Mon 25 Jan 2010 06:34:51 AM PST
Local ID                      6931cd5e-c888-43eb-bfca-de90df84d18f
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1264430091.330:28): avc: denied { read append } for pid=2933 comm="rpc.statd" path="/tmp/tmp9IF8MN" dev=dm-0 ino=432 scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1264430091.330:28): arch=c000003e syscall=59 success=yes exit=0 a0=28bd8d0 a1=28bdb50 a2=28bc920 a3=7fff07d44c30 items=0 ppid=2932 pid=2933 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rpc.statd" exe="/sbin/rpc.statd" subj=unconfined_u:system_r:rpcd_t:s0 key=(null)

Hash String generated from  selinux-policy-3.7.8-2.fc13,leaks,rpc.idmapd,rpcd_t,rpm_tmp_t,file,read,append
audit2allow suggests:

#============= rpcd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow rpcd_t rpm_tmp_t:file { read append };
Got the above during today's updates:

Jan 25 06:34:51 tlondon rpc.statd[1263]: Caught signal 15, un-registering and exiting
Jan 25 06:34:51 tlondon rpc.statd[2934]: Version 1.2.1 starting
Jan 25 06:34:51 tlondon sm-notify[2935]: Version 1.2.1 starting
Jan 25 06:34:53 tlondon setroubleshoot: SELinux is preventing /usr/sbin/rpc.idmapd access to a leaked /tmp/tmp9IF8MN file descriptor. For complete SELinux messages. run sealert -l 6931cd5e-c888-43eb-bfca-de90df84d18f
Jan 25 06:34:53 tlondon setroubleshoot: SELinux is preventing /sbin/rpc.statd access to a leaked /tmp/tmp9IF8MN file descriptor. For complete SELinux messages. run sealert -l 6931cd5e-c888-43eb-bfca-de90df84d18f

Believe it was generated during yum's "cleanup" phase. No console messages, but I list them all for completeness:

  Cleanup        : poppler-glib-0.12.3-6.fc13.x86_64                       66/130
  Cleanup        : poppler-utils-0.12.3-6.fc13.x86_64                      67/130
  Cleanup        : gcc-c++-4.4.3-1.fc13.x86_64                             68/130
  Cleanup        : poppler-0.12.3-6.fc13.x86_64                            69/130
  Cleanup        : gcc-gfortran-4.4.3-1.fc13.x86_64                        70/130
  Cleanup        : gcc-4.4.3-1.fc13.x86_64                                 71/130
  Cleanup        : transmission-gtk-1.82-1.fc13.x86_64                     72/130
  Cleanup        : ncurses-5.7-5.20100116.fc13.x86_64                      73/130
  Cleanup        : js-1.70-8.fc12.x86_64                                   74/130
  Cleanup        : libgcj-4.4.3-1.fc13.x86_64                              75/130
  Cleanup        : gdb-7.0.50.20100121-6.fc13.x86_64                       76/130
  Cleanup        : ghostscript-cups-8.70-5.fc13.x86_64                     77/130
  Cleanup        : ghostscript-8.70-5.fc13.x86_64                          78/130
  Cleanup        : transmission-common-1.82-1.fc13.x86_64                  79/130
  Cleanup        : cpp-4.4.3-1.fc13.x86_64                                 80/130
  Cleanup        : libgomp-4.4.3-1.fc13.x86_64                             81/130
  Cleanup        : libgfortran-4.4.3-1.fc13.x86_64                         82/130
  Cleanup        : libgphoto2-2.4.7-3.fc13.x86_64                          83/130
  Cleanup        : 1:nfs-utils-1.2.1-13.fc13.x86_64                        84/130
  Cleanup        : ibus-chewing-1.2.0.20091211-1.fc13.x86_64               85/130
  Cleanup        : xorg-x11-drv-ati-6.13.0-0.19.20091221git4b05c47ac.      86/130
  Cleanup        : planner-0.14.4-17.fc13.x86_64                           87/130
  Cleanup        : boost-devel-1.41.0-3.fc13.x86_64                        88/130
  Cleanup        : boost-1.41.0-3.fc13.x86_64                              89/130
  Cleanup        : boost-wave-1.41.0-3.fc13.x86_64                         90/130
  Cleanup        : boost-graph-1.41.0-3.fc13.x86_64                        91/130
  Cleanup        : boost-mpi-python-1.41.0-3.fc13.x86_64                   92/130
  Cleanup        : boost-mpi-1.41.0-3.fc13.x86_64                          93/130
  Cleanup        : boost-filesystem-1.41.0-3.fc13.x86_64                   94/130
  Cleanup        : mesa-libGLU-devel-7.8-0.10.fc13.x86_64                  95/130
  Cleanup        : mesa-libGLU-7.8-0.10.fc13.x86_64                        96/130
  Cleanup        : boost-system-1.41.0-3.fc13.x86_64                       97/130
  Cleanup        : boost-serialization-1.41.0-3.fc13.x86_64                98/130
  Cleanup        : boost-python-1.41.0-3.fc13.x86_64                       99/130
  Cleanup        : boost-regex-1.41.0-3.fc13.x86_64                       100/130
  Cleanup        : boost-date-time-1.41.0-3.fc13.x86_64                   101/130
  Cleanup        : boost-thread-1.41.0-3.fc13.x86_64                      102/130
  Cleanup        : boost-iostreams-1.41.0-3.fc13.x86_64                   103/130
  Cleanup        : boost-program-options-1.41.0-3.fc13.x86_64             104/130
  Cleanup        : boost-signals-1.41.0-3.fc13.x86_64                     105/130
  Cleanup        : boost-test-1.41.0-3.fc13.x86_64                        106/130
  Cleanup        : pciutils-devel-3.1.4-6.fc13.x86_64                     107/130
  Cleanup        : file-devel-5.03-18.fc13.x86_64                         108/130
  Cleanup        : file-5.03-18.fc13.x86_64                               109/130
  Cleanup        : pciutils-3.1.4-6.fc13.x86_64                           110/130
  Cleanup        : mesa-libGL-devel-7.8-0.10.fc13.x86_64                  111/130
  Cleanup        : mesa-libGL-7.8-0.10.fc13.x86_64                        112/130
  Cleanup        : libstdc++-devel-4.4.3-1.fc13.x86_64                    113/130
  Cleanup        : libstdc++-4.4.3-1.fc13.x86_64                          114/130
  Cleanup        : netpbm-devel-10.47.08-1.fc13.x86_64                    115/130
  Cleanup        : ncurses-devel-5.7-5.20100116.fc13.x86_64               116/130
  Cleanup        : ncurses-libs-5.7-5.20100116.fc13.x86_64                117/130
  Cleanup        : evolution-help-2.29.5-2.fc13.noarch                    118/130
  Cleanup        : evolution-2.29.5-2.fc13.x86_64                         119/130
  Cleanup        : evolution-data-server-devel-2.29.5-1.fc13.x86_64       120/130
  Cleanup        : evolution-data-server-2.29.5-1.fc13.x86_64             121/130
  Cleanup        : gtkhtml3-3.29.5-1.fc13.x86_64                          122/130
  Cleanup        : netpbm-10.47.08-1.fc13.x86_64                          123/130
  Cleanup        : libgcc-4.4.3-1.fc13.x86_64                             124/130
  Cleanup        : mesa-dri-drivers-7.8-0.10.fc13.x86_64                  125/130
  Cleanup        : pciutils-libs-3.1.4-6.fc13.x86_64                      126/130
  Cleanup        : file-libs-5.03-18.fc13.x86_64                          127/130
  Cleanup        : ncurses-base-5.7-5.20100116.fc13.x86_64                128/130
  Cleanup        : boost-math-1.41.0-3.fc13.x86_64                        129/130
  Cleanup        : evolution-data-server-doc-2.29.5-1.fc13.noarch         130/130
Had you turned off the dontaudit rules?
Don't believe so. (You mean with an explicit 'semodule -DB'? No.)
#============= rpcd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow rpcd_t rpm_tmp_t:file { read append };

The only way this would happen is if you turned off the rules.

Could you execute semodule -B and I will pretend this just did not happen. :^(
Done:

[root@tlondon ~]# semodule -B
[root@tlondon ~]#

I'll monitor for a day or so, and let you know......
I just got this again while doing some more updates from koji (as well as another AVC for 'groupadd'). I have NOT run 'semodule -DB', certainly not since the 'semodule -B' above.

Jan 25 15:56:53 tlondon dbus: Reloaded configuration
Jan 25 15:56:54 tlondon yum: Updated: avahi-0.6.25-6.fc13.x86_64
Jan 25 15:56:55 tlondon yum: Updated: avahi-glib-0.6.25-6.fc13.x86_64
Jan 25 15:56:56 tlondon yum: Updated: nss-3.12.5-9.fc13.x86_64
Jan 25 15:56:57 tlondon setroubleshoot: SELinux is preventing /usr/sbin/groupadd access to a leaked /tmp/tmp3Eats4 file descriptor. For complete SELinux messages. run sealert -l f185e48e-fee5-4bb3-9b54-8743365b7114
Jan 25 15:56:57 tlondon setroubleshoot: SELinux is preventing /usr/sbin/groupadd access to a leaked /tmp/tmp3Eats4 file descriptor. For complete SELinux messages. run sealert -l f185e48e-fee5-4bb3-9b54-8743365b7114
Jan 25 15:56:57 tlondon yum: Updated: nss-sysinit-3.12.5-9.fc13.x86_64
Jan 25 15:56:58 tlondon yum: Updated: nss-tools-3.12.5-9.fc13.x86_64
Jan 25 15:56:59 tlondon yum: Updated: avahi-ui-0.6.25-6.fc13.x86_64
Jan 25 15:57:00 tlondon yum: Updated: avahi-gobject-0.6.25-6.fc13.x86_64
Jan 25 15:57:08 tlondon yum: Updated: subversion-1.6.6-5.fc13.x86_64
Jan 25 15:57:09 tlondon avahi-daemon[1231]: Files changed, reloading.
Jan 25 15:57:09 tlondon avahi-daemon[1231]: Files changed, reloading.
Jan 25 15:57:10 tlondon yum: Updated: avahi-autoipd-0.6.25-6.fc13.x86_64
Jan 25 15:57:12 tlondon setroubleshoot: SELinux is preventing /usr/sbin/groupadd access to a leaked /tmp/tmp3Eats4 file descriptor. For complete SELinux messages. run sealert -l f185e48e-fee5-4bb3-9b54-8743365b7114
Jan 25 15:57:12 tlondon setroubleshoot: SELinux is preventing /usr/sbin/groupadd access to a leaked /tmp/tmp3Eats4 file descriptor. For complete SELinux messages. run sealert -l f185e48e-fee5-4bb3-9b54-8743365b7114
Jan 25 15:57:17 tlondon yum: Updated: 1:nfs-utils-1.2.1-15.fc13.x86_64
Jan 25 15:57:33 tlondon yum: Updated: empathy-2.29.6-1.fc13.x86_64
Jan 25 15:57:34 tlondon yum: Updated: nss-devel-3.12.5-9.fc13.x86_64
Jan 25 15:57:35 tlondon yum: Updated: python-devel-2.6.4-10.fc13.x86_64
Jan 25 15:57:46 tlondon avahi-daemon[1231]: Got SIGTERM, quitting.
Jan 25 15:57:46 tlondon avahi-daemon[1231]: Leaving mDNS multicast group on interface virbr0.IPv4 with address 192.168.122.1.
Jan 25 15:57:46 tlondon avahi-daemon[1231]: Leaving mDNS multicast group on interface eth0.IPv4 with address 10.11.16.112.
Jan 25 15:57:46 tlondon seahorse-daemon[1974]: failure communicating with to avahi: Daemon connection failed
Jan 25 15:57:46 tlondon avahi-daemon[5430]: Found user 'avahi' (UID 498) and group 'avahi' (GID 491).
Jan 25 15:57:46 tlondon avahi-daemon[5430]: Successfully dropped root privileges.
Jan 25 15:57:46 tlondon avahi-daemon[5430]: avahi-daemon 0.6.25 starting up.
Jan 25 15:57:46 tlondon avahi-daemon[5430]: WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
Jan 25 15:57:46 tlondon avahi-daemon[5430]: Successfully called chroot().
Jan 25 15:57:46 tlondon avahi-daemon[5430]: Successfully dropped remaining capabilities.
Jan 25 15:57:46 tlondon avahi-daemon[5430]: Loading service file /services/ssh.service.
Jan 25 15:57:46 tlondon avahi-daemon[5430]: Loading service file /services/udisks.service.
Jan 25 15:57:46 tlondon avahi-daemon[5430]: Joining mDNS multicast group on interface virbr0.IPv4 with address 192.168.122.1.
Jan 25 15:57:46 tlondon avahi-daemon[5430]: New relevant interface virbr0.IPv4 for mDNS.
Jan 25 15:57:46 tlondon avahi-daemon[5430]: Joining mDNS multicast group on interface eth0.IPv4 with address 10.11.16.112.
Jan 25 15:57:46 tlondon avahi-daemon[5430]: New relevant interface eth0.IPv4 for mDNS.
Jan 25 15:57:46 tlondon avahi-daemon[5430]: Network interface enumeration completed.
Jan 25 15:57:46 tlondon avahi-daemon[5430]: Registering new address record for 192.168.122.1 on virbr0.IPv4.
Jan 25 15:57:46 tlondon avahi-daemon[5430]: Registering new address record for fe80::221:5dff:feac:c692 on wlan0.*.
Jan 25 15:57:46 tlondon avahi-daemon[5430]: Registering new address record for fe80::21f:16ff:fe0b:56a8 on eth0.*.
Jan 25 15:57:46 tlondon avahi-daemon[5430]: Registering new address record for 10.11.16.112 on eth0.IPv4.
Jan 25 15:57:46 tlondon avahi-daemon[5430]: Registering HINFO record with values 'X86_64'/'LINUX'.
Jan 25 15:57:47 tlondon avahi-daemon[5430]: Server startup complete. Host name is tlondon.local. Local service cookie is 421754251.
Jan 25 15:57:48 tlondon avahi-daemon[5430]: Service "tlondon" (/services/udisks.service) successfully established.
Jan 25 15:57:48 tlondon avahi-daemon[5430]: Service "tlondon" (/services/ssh.service) successfully established.
Jan 25 15:57:48 tlondon setroubleshoot: SELinux is preventing /usr/sbin/rpc.idmapd access to a leaked /tmp/tmp3Eats4 file descriptor. For complete SELinux messages. run sealert -l 35933215-8d5b-4075-8140-0c6df7d72a41
Jan 25 15:57:48 tlondon rpc.statd[1245]: Caught signal 15, un-registering and exiting
Jan 25 15:57:50 tlondon rpc.statd[5499]: Version 1.2.1 starting
Jan 25 15:57:50 tlondon setroubleshoot: SELinux is preventing /sbin/rpc.statd access to a leaked /tmp/tmp3Eats4 file descriptor. For complete SELinux messages. run sealert -l 35933215-8d5b-4075-8140-0c6df7d72a41
Jan 25 15:57:50 tlondon sm-notify[5500]: Version 1.2.1 starting
[root@tlondon ~]#
Here is what sealert says for the rpc.statd AVC:

Summary:

SELinux is preventing /sbin/rpc.statd access to a leaked /tmp/tmp3Eats4 file descriptor.

Detailed Description:

[rpc.idmapd has a permissive type (rpcd_t). This access was not denied.]

SELinux denied access requested by the rpc.statd command. It looks like this is either a leaked descriptor or rpc.statd output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /tmp/tmp3Eats4. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:rpcd_t:s0
Target Context                unconfined_u:object_r:rpm_tmp_t:s0
Target Objects                /tmp/tmp3Eats4 [ file ]
Source                        rpc.idmapd
Source Path                   /usr/sbin/rpc.idmapd
Port                          <Unknown>
Host                          tlondon.innopath.com
Source RPM Packages           nfs-utils-1.2.1-14.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.8-2.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     tlondon.innopath.com
Platform                      Linux tlondon.innopath.com 2.6.33-0.20.rc5.git0.fc13.x86_64 #1 SMP Fri Jan 22 19:49:17 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 25 Jan 2010 03:57:48 PM PST
Last Seen                     Mon 25 Jan 2010 03:57:50 PM PST
Local ID                      35933215-8d5b-4075-8140-0c6df7d72a41
Line Numbers

Raw Audit Messages

node=tlondon.innopath.com type=AVC msg=audit(1264463870.98:64): avc: denied { read append } for pid=5498 comm="rpc.statd" path="/tmp/tmp3Eats4" dev=dm-0 ino=1102 scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file

node=tlondon.innopath.com type=SYSCALL msg=audit(1264463870.98:64): arch=c000003e syscall=59 success=yes exit=0 a0=c658d0 a1=c65b50 a2=c64920 a3=10 items=0 ppid=5497 pid=5498 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rpc.statd" exe="/sbin/rpc.statd" subj=unconfined_u:system_r:rpcd_t:s0 key=(null)
Here is what sealert says about the groupadd AVC:

Summary:

SELinux is preventing /usr/sbin/groupadd access to a leaked /tmp/tmp3Eats4 file descriptor.

Detailed Description:

[groupadd has a permissive type (groupadd_t). This access was not denied.]

SELinux denied access requested by the groupadd command. It looks like this is either a leaked descriptor or groupadd output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /tmp/tmp3Eats4. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:rpm_tmp_t:s0
Target Objects                /tmp/tmp3Eats4 [ file ]
Source                        groupadd
Source Path                   /usr/sbin/groupadd
Port                          <Unknown>
Host                          tlondon.innopath.com
Source RPM Packages           shadow-utils-4.1.4.2-2.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.8-2.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     tlondon.innopath.com
Platform                      Linux tlondon.innopath.com 2.6.33-0.20.rc5.git0.fc13.x86_64 #1 SMP Fri Jan 22 19:49:17 UTC 2010 x86_64 x86_64
Alert Count                   4
First Seen                    Mon 25 Jan 2010 03:56:50 PM PST
Last Seen                     Mon 25 Jan 2010 03:57:09 PM PST
Local ID                      f185e48e-fee5-4bb3-9b54-8743365b7114
Line Numbers

Raw Audit Messages

node=tlondon.innopath.com type=AVC msg=audit(1264463829.289:60): avc: denied { read append } for pid=5361 comm="groupadd" path="/tmp/tmp3Eats4" dev=dm-0 ino=1102 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file

node=tlondon.innopath.com type=AVC msg=audit(1264463829.289:60): avc: denied { read append } for pid=5361 comm="groupadd" path="/tmp/tmp3Eats4" dev=dm-0 ino=1102 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file

node=tlondon.innopath.com type=SYSCALL msg=audit(1264463829.289:60): arch=c000003e syscall=59 success=yes exit=0 a0=a1d030 a1=a1c0d0 a2=a1b160 a3=28 items=0 ppid=5360 pid=5361 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
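Both sealert reports above come from setroubleshoot's "leaks" plugin, and the raw audit messages show what it keys on: a denied file AVC whose SYSCALL record is a successful execve (syscall=59 on x86_64), meaning the new program never opened the file itself but inherited the descriptor from its parent (here the rpm/yum transaction, hence the rpm_tmp_t target). The following is an added example, not code from this bug report, from setroubleshoot or from audit2allow: it parses records of that shape, pairs AVC and SYSCALL records by their audit(ts:serial) event id, flags the leaked-descriptor pattern, and renders the same audit2allow-style summary as the reports. The sample records are constructed from the rpc.statd and groupadd events quoted above (node= shortened), plus one hypothetical httpd open() denial that is a real access attempt and must not be flagged. Whether an AVC is already dontaudit'd by the loaded policy, which is the question in this thread, cannot be answered from the log alone; that is what audit2why does with the policy.

```python
import re

# syscall=59 on arch=c000003e (x86_64) is execve. A file AVC logged against
# a successful execve means the new image inherited the open descriptor from
# a parent that neither closed it nor set close-on-exec.
EXECVE_X86_64 = "59"

_MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the two events quoted in the report plus a
# hypothetical httpd open() denial (syscall=2, success=no) that is not a leak.
SAMPLE = """\
node=tlondon type=AVC msg=audit(1264463870.98:64): avc: denied { read append } for pid=5498 comm="rpc.statd" path="/tmp/tmp3Eats4" dev=dm-0 ino=1102 scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
node=tlondon type=SYSCALL msg=audit(1264463870.98:64): arch=c000003e syscall=59 success=yes exit=0 a0=c658d0 a1=c65b50 a2=c64920 a3=10 items=0 ppid=5497 pid=5498 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rpc.statd" exe="/sbin/rpc.statd" subj=unconfined_u:system_r:rpcd_t:s0 key=(null)
node=tlondon type=AVC msg=audit(1264463829.289:60): avc: denied { read append } for pid=5361 comm="groupadd" path="/tmp/tmp3Eats4" dev=dm-0 ino=1102 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
node=tlondon type=AVC msg=audit(1264463829.289:60): avc: denied { read append } for pid=5361 comm="groupadd" path="/tmp/tmp3Eats4" dev=dm-0 ino=1102 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
node=tlondon type=SYSCALL msg=audit(1264463829.289:60): arch=c000003e syscall=59 success=yes exit=0 a0=a1d030 a1=a1c0d0 a2=a1b160 a3=28 items=0 ppid=5360 pid=5361 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
node=tlondon type=AVC msg=audit(1264463900.000:70): avc: denied { write } for pid=6000 comm="httpd" path="/var/www/html/upload" dev=dm-0 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
node=tlondon type=SYSCALL msg=audit(1264463900.000:70): arch=c000003e syscall=2 success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=6000 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""


def parse_record(line):
    """One raw audit record -> dict of its key=value fields plus 'event'
    (ts:serial). AVC records also get 'result' and a frozenset 'perms'.
    Lines without an audit(ts:serial) stamp return None."""
    m = _MSG_RE.search(line)
    if m is None:
        return None
    rec = {"event": f"{m.group(1)}:{m.group(2)}"}
    for key, val in _KV_RE.findall(line):
        rec[key] = val.strip('"')
    avc = _AVC_RE.search(line)
    if avc:
        rec["result"] = avc.group(1)
        rec["perms"] = frozenset(avc.group(2).split())
    return rec


def parse_audit(text):
    return [r for r in map(parse_record, text.splitlines()) if r]


def type_of(context):
    """'unconfined_u:system_r:rpcd_t:s0' -> 'rpcd_t' (user:role:type[:range])."""
    return context.split(":")[2]


def find_leaks(records):
    """One entry per distinct denied file AVC whose event is a successful
    execve. Duplicate AVC lines within an event (sealert printed the groupadd
    one twice) collapse to a single entry."""
    by_event = {}
    for r in records:
        by_event.setdefault(r["event"], []).append(r)
    leaks = []
    for event, recs in by_event.items():
        execs = [r for r in recs if r.get("type") == "SYSCALL"
                 and r.get("syscall") == EXECVE_X86_64
                 and r.get("success") == "yes"]
        if not execs:
            continue
        seen = set()
        for r in recs:
            if (r.get("type") != "AVC" or r.get("result") != "denied"
                    or r.get("tclass") != "file"):
                continue
            key = (r["path"], r["scontext"], r["tcontext"], r["perms"])
            if key in seen:
                continue
            seen.add(key)
            leaks.append({"event": event, "comm": r["comm"],
                          "exe": execs[0].get("exe"), "path": r["path"],
                          "source_type": type_of(r["scontext"]),
                          "target_type": type_of(r["tcontext"]),
                          "perms": sorted(r["perms"])})
    return leaks


def audit2allow_summary(records):
    """Merge denied AVCs per (source type, target type, class) and render them
    as allow rules, as audit2allow's summary does. This only shows what the
    AVCs ask for; whether the loaded policy already dontaudits or allows it
    needs the policy itself (audit2why)."""
    wanted = {}
    for r in records:
        if r.get("type") == "AVC" and r.get("result") == "denied":
            key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])
            wanted.setdefault(key, set()).update(r["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(wanted.items())]


if __name__ == "__main__":
    recs = parse_audit(SAMPLE)
    for leak in find_leaks(recs):
        print(f"leaked fd: {leak['exe']} ({leak['source_type']}) inherited "
              f"{leak['path']} ({leak['target_type']}) perms {leak['perms']}")
    print("\n".join(audit2allow_summary(recs)))
```

On a live system the same functions can be fed the output of ausearch -m AVC,SYSCALL --raw; the point of pairing on the event id rather than on pid is that the AVC and the SYSCALL records for one execve share the audit(ts:serial) stamp even when the log interleaves several processes.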
If you run those avcs through audit2why, what does it say?
[root@tlondon ~]# audit2why </tmp/avc-rpc.txt
type=AVC msg=audit(1264463868.411:63): avc: denied { read append } for pid=5463 comm="rpc.idmapd" path="/tmp/tmp3Eats4" dev=dm-0 ino=1102 scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
        Was caused by:
                Unknown - should be dontaudit'd by active policy
                Possible mismatch between this policy and the one under which the audit message was generated.

                Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1264463870.098:64): avc: denied { read append } for pid=5498 comm="rpc.statd" path="/tmp/tmp3Eats4" dev=dm-0 ino=1102 scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
        Was caused by:
                Unknown - should be dontaudit'd by active policy
                Possible mismatch between this policy and the one under which the audit message was generated.

                Possible mismatch between current in-memory boolean settings vs. permanent ones.

[root@tlondon ~]#

And

[root@tlondon ~]# audit2why </tmp/avc-groupadd.txt
type=AVC msg=audit(1264463810.198:59): avc: denied { read append } for pid=5335 comm="groupadd" path="/tmp/tmp3Eats4" dev=dm-0 ino=1102 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
        Was caused by:
                Unknown - should be dontaudit'd by active policy
                Possible mismatch between this policy and the one under which the audit message was generated.

                Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1264463810.198:59): avc: denied { read append } for pid=5335 comm="groupadd" path="/tmp/tmp3Eats4" dev=dm-0 ino=1102 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
        Was caused by:
                Unknown - should be dontaudit'd by active policy
                Possible mismatch between this policy and the one under which the audit message was generated.

                Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1264463829.289:60): avc: denied { read append } for pid=5361 comm="groupadd" path="/tmp/tmp3Eats4" dev=dm-0 ino=1102 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
        Was caused by:
                Unknown - should be dontaudit'd by active policy
                Possible mismatch between this policy and the one under which the audit message was generated.

                Possible mismatch between current in-memory boolean settings vs. permanent ones.

type=AVC msg=audit(1264463829.289:60): avc: denied { read append } for pid=5361 comm="groupadd" path="/tmp/tmp3Eats4" dev=dm-0 ino=1102 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
        Was caused by:
                Unknown - should be dontaudit'd by active policy
                Possible mismatch between this policy and the one under which the audit message was generated.

                Possible mismatch between current in-memory boolean settings vs. permanent ones.

[root@tlondon ~]#
So these must have been avcs that were created while the machine had dontaudit rules disabled. I am about to ship a version of setroubleshoot that will drop all avc messages if the dontaudit rules are disabled.
Just curious.... What step(s) of updating packages would disable dontaudit rules?
None. That is why this is very strange. If it happens again, you can check for the disable_dontaudit flag in /etc/selinux/targeted/modules/active directory.
Will do. Here is that directory now:

[root@tlondon active]# ls /etc/selinux/targeted/modules/active
base.pp        file_contexts.homedirs  modules             seusers
commit_num     file_contexts.template  netfilter_contexts  seusers.final
file_contexts  homedir_template        policy.kern         users_extra
[root@tlondon active]#

Where would I look for the disable_dontaudit flag?
OK. Happened again:

Summary:

SELinux is preventing /usr/sbin/rpc.idmapd access to a leaked /tmp/tmpIWhpm3 file descriptor.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the rpc.idmapd command. It looks like this is either a leaked descriptor or rpc.idmapd output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /tmp/tmpIWhpm3. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:rpcd_t:s0
Target Context                unconfined_u:object_r:rpm_tmp_t:s0
Target Objects                /tmp/tmpIWhpm3 [ file ]
Source                        rpc.idmapd
Source Path                   /usr/sbin/rpc.idmapd
Port                          <Unknown>
Host                          tlondon.innopath.com
Source RPM Packages           nfs-utils-1.2.1-16.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.8-3.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     tlondon.innopath.com
Platform                      Linux tlondon.innopath.com 2.6.33-0.23.rc5.git1.fc13.x86_64 #1 SMP Mon Jan 25 22:04:05 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 27 Jan 2010 01:46:10 PM PST
Last Seen                     Wed 27 Jan 2010 01:46:10 PM PST
Local ID                      97f272f9-49bc-40a8-941a-6620afe2bbef
Line Numbers

Raw Audit Messages

node=tlondon.innopath.com type=AVC msg=audit(1264628770.913:54): avc: denied { read append } for pid=4521 comm="rpc.idmapd" path="/tmp/tmpIWhpm3" dev=dm-0 ino=1202 scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file

node=tlondon.innopath.com type=SYSCALL msg=audit(1264628770.913:54): arch=c000003e syscall=59 success=yes exit=0 a0=27c58d0 a1=27c5b50 a2=27c4920 a3=10 items=0 ppid=4520 pid=4521 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="rpc.idmapd" exe="/usr/sbin/rpc.idmapd" subj=unconfined_u:system_r:rpcd_t:s0 key=(null)

I was running "yum -x mesa\* update" from koji, and updating a bunch of qemu packages and nfs-utils:

Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating       : 2:qemu-common-0.12.2-4.fc13.x86_64                       1/10
  Updating       : 2:qemu-system-x86-0.12.2-4.fc13.x86_64                   2/10
  Updating       : 2:qemu-img-0.12.2-4.fc13.x86_64                          3/10
  Updating       : 1:nfs-utils-1.2.1-16.fc13.x86_64                         4/10
  Updating       : 2:qemu-kvm-0.12.2-4.fc13.x86_64                          5/10
  Cleanup        : 2:qemu-kvm-0.12.2-1.fc13.x86_64                          6/10
  Cleanup        : 2:qemu-system-x86-0.12.2-1.fc13.x86_64                   7/10
  Cleanup        : 2:qemu-common-0.12.2-1.fc13.x86_64                       8/10
  Cleanup        : 2:qemu-img-0.12.2-1.fc13.x86_64                          9/10
  Cleanup        : 1:nfs-utils-1.2.1-15.fc13.x86_64                        10/10

Updated:
  nfs-utils.x86_64 1:1.2.1-16.fc13
  qemu-common.x86_64 2:0.12.2-4.fc13
  qemu-img.x86_64 2:0.12.2-4.fc13
  qemu-kvm.x86_64 2:0.12.2-4.fc13
  qemu-system-x86.x86_64 2:0.12.2-4.fc13

Complete!
[root@tlondon ~]#

Here is what /var/log/messages says:

Jan 27 13:45:51 tlondon yum: Updated: 2:qemu-common-0.12.2-4.fc13.x86_64
Jan 27 13:45:52 tlondon udevd[462]: BUS= will be removed in a future udev version, please use SUBSYSTEM= to match the event device, or SUBSYSTEMS= to match a parent device, in /lib/udev/rules.d/40-redhat.rules:8
Jan 27 13:45:52 tlondon udevd[462]: BUS= will be removed in a future udev version, please use SUBSYSTEM= to match the event device, or SUBSYSTEMS= to match a parent device, in /lib/udev/rules.d/40-redhat.rules:10
Jan 27 13:45:52 tlondon udevd[462]: BUS= will be removed in a future udev version, please use SUBSYSTEM= to match the event device, or SUBSYSTEMS= to match a parent device, in /lib/udev/rules.d/40-redhat.rules:12
Jan 27 13:45:52 tlondon udevd[462]: SYSFS{}= will be removed in a future udev version, please use ATTR{}= to match the event device, or ATTRS{}= to match a parent device, in /etc/udev/rules.d/56-hpmud_support.rules:10
Jan 27 13:45:53 tlondon udevd[462]: BUS= will be removed in a future udev version, please use SUBSYSTEM= to match the event device, or SUBSYSTEMS= to match a parent device, in /etc/udev/rules.d/85-pcscd_egate.rules:3
Jan 27 13:45:53 tlondon udevd[462]: SYSFS{}= will be removed in a future udev version, please use ATTR{}= to match the event device, or ATTRS{}= to match a parent device, in /etc/udev/rules.d/85-pcscd_egate.rules:3
Jan 27 13:45:53 tlondon udevd[462]: BUS= will be removed in a future udev version, please use SUBSYSTEM= to match the event device, or SUBSYSTEMS= to match a parent device, in /etc/udev/rules.d/85-pcscd_egate.rules:5
Jan 27 13:45:53 tlondon udevd[462]: SYSFS{}= will be removed in a future udev version, please use ATTR{}= to match the event device, or ATTRS{}= to match a parent device, in /lib/udev/rules.d/88-clock.rules:1
Jan 27 13:45:53 tlondon udevd[462]: SYSFS{}= will be removed in a future udev version, please use ATTR{}= to match the event device, or ATTRS{}= to match a parent device, in /lib/udev/rules.d/88-clock.rules:2
Jan 27 13:45:54 tlondon yum: Updated: 2:qemu-system-x86-0.12.2-4.fc13.x86_64
Jan 27 13:45:55 tlondon yum: Updated: 2:qemu-img-0.12.2-4.fc13.x86_64
Jan 27 13:46:02 tlondon yum: Updated: 1:nfs-utils-1.2.1-16.fc13.x86_64
Jan 27 13:46:03 tlondon yum: Updated: 2:qemu-kvm-0.12.2-4.fc13.x86_64
Jan 27 13:46:12 tlondon rpc.statd[1239]: Caught signal 15, un-registering and exiting
Jan 27 13:46:13 tlondon rpc.statd[4559]: Version 1.2.1 starting
Jan 27 13:46:13 tlondon sm-notify[4560]: Version 1.2.1 starting
Jan 27 13:46:21 tlondon setroubleshoot: SELinux is preventing /usr/sbin/rpc.idmapd access to a leaked /tmp/tmpIWhpm3 file descriptor. For complete SELinux messages. run sealert -l 97f272f9-49bc-40a8-941a-6620afe2bbef

Here is what 'ls /etc/selinux/targeted/modules/active' says:

[root@tlondon ~]# ls /etc/selinux/targeted/modules/active
base.pp        file_contexts.homedirs  modules             seusers
commit_num     file_contexts.template  netfilter_contexts  seusers.final
file_contexts  homedir_template        policy.kern         users_extra
[root@tlondon ~]#
Could this be something screwy in the postinstall script for nfs-utils?

postinstall scriptlet (using /bin/sh):
/sbin/chkconfig --add nfs
/sbin/chkconfig --add nfslock
/sbin/chkconfig --add rpcidmapd
/sbin/chkconfig --add rpcgssd
/sbin/chkconfig --add rpcsvcgssd
# Make sure statd used the correct uid/gid.
chown -R rpcuser:rpcuser /var/lib/nfs/statd
I don't think so. Is this still happening? Dontaudit rules being ignored?
Hmm.. tried updating to the latest policy there to look at it, and got this:

  Installing     : selinux-policy-3.7.8-2.fc13.noarch                        1/4
  Installing     : selinux-policy-targeted-3.7.8-2.fc13.noarch               2/4
semodule: link.c:840: alias_copy_callback: Assertion `base_type->primary == target_type->s.value' failed.
/var/tmp/rpm-tmp.9Pc6WC: line 21:  3789 Aborted                 (core dumped) semodule -b base.pp.bz2 -i $packages -s targeted
Created attachment 387340: text output from sealert showing AVCs

Yeah, got it again just now for groupadd, semodule, load_policy, and setfiles.

audit2allow says:

[root@tlondon ~]# audit2allow -al

#============= load_policy_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow load_policy_t rpm_tmp_t:file { read append };

#============= setfiles_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow setfiles_t rpm_tmp_t:file { read append };
[root@tlondon ~]#

"boot2allow" (my local script that tried harder to include AVCs from /var/log/messages) says (the hald_t AVC was "fixed" in the policy being loaded):

[root@tlondon ~]# boot2allow

#============= groupadd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow groupadd_t rpm_tmp_t:file { read append };

#============= hald_t ==============
#!!!! This avc is allowed in the current policy
allow hald_t self:process getsched;

#============= load_policy_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow load_policy_t rpm_tmp_t:file { read append };

#============= semanage_t ==============
allow semanage_t rpm_tmp_t:file append;

#============= setfiles_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow setfiles_t rpm_tmp_t:file { read append };

#============= vbetool_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
allow vbetool_t self:memprotect mmap_zero;
[root@tlondon ~]#

Here are the lines from /var/log/messages:

Jan 28 06:17:58 tlondon yum: Updated: 1:dbus-libs-1.2.16-11.fc13.x86_64
Jan 28 06:18:01 tlondon setroubleshoot: SELinux is preventing /usr/sbin/groupadd access to a leaked /tmp/tmpUCL810 file descriptor. For complete SELinux messages. run sealert -l be7d3454-df3e-4e15-b198-158584d294db
Jan 28 06:18:02 tlondon yum: Updated: 1:dbus-1.2.16-11.fc13.x86_64
Jan 28 06:18:02 tlondon yum: Updated: libgcc-4.4.3-4.fc13.x86_64
Jan 28 06:18:03 tlondon yum: Updated: libstdc++-4.4.3-4.fc13.x86_64
Jan 28 06:18:04 tlondon yum: Updated: dbus-glib-0.84-1.fc13.x86_64
Jan 28 06:18:08 tlondon yum: Updated: policycoreutils-2.0.78-14.fc13.x86_64
Jan 28 06:18:09 tlondon yum: Installed: report-0.6-1.fc13.x86_64
Jan 28 06:18:10 tlondon yum: Updated: libgomp-4.4.3-4.fc13.x86_64
Jan 28 06:18:11 tlondon yum: Updated: libgfortran-4.4.3-4.fc13.x86_64
Jan 28 06:18:13 tlondon yum: Updated: cpp-4.4.3-4.fc13.x86_64
Jan 28 06:18:16 tlondon yum: Updated: gcc-4.4.3-4.fc13.x86_64
Jan 28 06:18:17 tlondon yum: Updated: libtasn1-2.4-2.fc13.x86_64
Jan 28 06:18:18 tlondon yum: Updated: 32:bind-libs-9.7.0-0.13.rc2.fc13.x86_64
Jan 28 06:18:19 tlondon yum: Updated: 32:bind-utils-9.7.0-0.13.rc2.fc13.x86_64
Jan 28 06:18:21 tlondon yum: Updated: gcc-gfortran-4.4.3-4.fc13.x86_64
Jan 28 06:18:23 tlondon yum: Updated: libcdio-0.82-2.fc13.x86_64
Jan 28 06:18:29 tlondon yum: Updated: libgcj-4.4.3-4.fc13.x86_64
Jan 28 06:18:29 tlondon yum: Updated: 1:dbus-x11-1.2.16-11.fc13.x86_64
Jan 28 06:18:31 tlondon yum: Updated: psacct-6.5.1-5.fc13.x86_64
Jan 28 06:18:32 tlondon yum: Updated: 1:readahead-1.5.4-3.fc13.x86_64
Jan 28 06:18:36 tlondon ntpd[1493]: synchronized to 198.186.191.229, stratum 2
Jan 28 06:18:46 tlondon yum: Updated: selinux-policy-3.7.8-4.fc13.noarch
Jan 28 06:19:08 tlondon yum: Updated: policycoreutils-python-2.0.78-14.fc13.x86_64
Jan 28 06:19:12 tlondon yum: Updated: setroubleshoot-plugins-2.1.38-1.fc13.noarch
Jan 28 06:19:12 tlondon dbus: Reloaded configuration
Jan 28 06:19:12 tlondon dbus: Reloaded configuration
Jan 28 06:19:14 tlondon auditd[1164]: config change requested by pid=2638 auid=500 subj=unconfined_u:system_r:initrc_t:s0
Jan 28 06:19:14 tlondon auditd[1164]: audit(1264688354.270:6799) config changed, auid=500 pid=2638 subj=unconfined_u:system_r:initrc_t:s0 res=success
Jan 28 06:19:14 tlondon yum: Updated: setroubleshoot-server-2.2.61-1.fc13.x86_64
Jan 28 06:19:14 tlondon yum: Installed: report-gtk-0.6-1.fc13.x86_64
Jan 28 06:19:15 tlondon yum: Installed: report-plugin-bugzilla-0.6-1.fc13.x86_64
Jan 28 06:19:15 tlondon yum: Installed: report-config-bugzilla-redhat-com-0.6-1.fc13.x86_64
Jan 28 06:19:19 tlondon yum: Updated: libstdc++-devel-4.4.3-4.fc13.x86_64
Jan 28 06:19:20 tlondon yum: Updated: 1:dbus-devel-1.2.16-11.fc13.x86_64
Jan 28 06:19:21 tlondon yum: Updated: dbus-glib-devel-0.84-1.fc13.x86_64
Jan 28 06:19:23 tlondon yum: Updated: gcc-c++-4.4.3-4.fc13.x86_64
Jan 28 06:19:23 tlondon dbus: Reloaded configuration
Jan 28 06:19:23 tlondon dbus: Reloaded configuration
Jan 28 06:19:29 tlondon yum: Updated: setroubleshoot-2.2.61-1.fc13.x86_64
Jan 28 06:19:30 tlondon yum: Updated: policycoreutils-gui-2.0.78-14.fc13.x86_64
Jan 28 06:19:33 tlondon setroubleshoot: SELinux is preventing /usr/sbin/semodule access to a leaked /tmp/tmpUCL810 file descriptor. For complete SELinux messages. run sealert -l b5ffdb78-fe0a-467b-b61a-56f6c3a44b7c
Jan 28 06:19:49 tlondon setroubleshoot: SELinux is preventing /sbin/load_policy access to a leaked /tmp/tmpUCL810 file descriptor. For complete SELinux messages. run sealert -l 39d058c5-d448-4c8b-921c-af088bf69aa1
Jan 28 06:19:53 tlondon dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=2)#012: exe="?" sauid=81 hostname=? addr=? terminal=?
Jan 28 06:19:53 tlondon dbus: avc: received policyload notice (seqno=2)
Jan 28 06:19:53 tlondon dbus: Reloaded configuration
Jan 28 06:19:53 tlondon setroubleshoot: SELinux is preventing /sbin/setfiles access to a leaked /tmp/tmpUCL810 file descriptor. For complete SELinux messages. run sealert -l 63d7d0ee-fc5d-413e-84de-26cc2e0863f0
Jan 28 06:20:02 tlondon yum: Updated: selinux-policy-targeted-3.7.8-4.fc13.noarch
Jan 28 06:20:03 tlondon yum: Updated: libtasn1-devel-2.4-2.fc13.x86_64
Jan 28 06:20:17 tlondon yum: Updated: 2:qemu-debuginfo-0.12.2-1.fc13.x86_64
Jan 28 06:20:24 tlondon yum: Updated: gtk2-debuginfo-2.19.4-2.fc13.x86_64
Jan 28 06:21:00 tlondon yum: Updated: webkitgtk-debuginfo-1.1.19-1.fc13.x86_64
Jan 28 06:21:02 tlondon yum: Updated: empathy-debuginfo-2.29.6-1.fc13.x86_64
Jan 28 06:21:04 tlondon yum: Updated: e2fsprogs-debuginfo-1.41.9-9.fc13.x86_64
Jan 28 06:21:05 tlondon yum: Updated: fuse-debuginfo-2.8.1-4.fc13.x86_64
Jan 28 06:21:08 tlondon yum: Updated: ncurses-debuginfo-5.7-6.20100123.fc13.x86_64
Jan 28 06:21:09 tlondon yum: Updated: libsoup-debuginfo-2.29.6-1.fc13.x86_64
Jan 28 06:21:14 tlondon yum: Updated: nss-debuginfo-3.12.5-9.fc13.x86_64
Jan 28 06:21:18 tlondon yum: Updated: evolution-data-server-debuginfo-2.29.6-1.fc13.x86_64
Jan 28 06:21:21 tlondon yum: Updated: glib2-debuginfo-2.23.2-3.fc13.x86_64
Jan 28 06:21:23 tlondon yum: Updated: file-roller-debuginfo-2.29.5-1.fc13.x86_64
Jan 28 06:21:27 tlondon yum: Updated: coreutils-debuginfo-8.4-2.fc13.x86_64
Jan 28 06:21:28 tlondon yum: Updated: perf-2.6.33-0.24.rc5.git1.fc13.noarch
Jan 28 06:22:01 tlondon yum: Installed: kernel-devel-2.6.33-0.24.rc5.git1.fc13.x86_64
Jan 28 06:22:04 tlondon yum: Updated: gvfs-debuginfo-1.5.2-3.fc13.x86_64
Jan 28 06:22:05 tlondon yum: Updated: pciutils-debuginfo-3.1.6-1.fc13.x86_64
Jan 28 06:22:06 tlondon yum: Updated: totem-pl-parser-debuginfo-2.29.1-1.fc13.x86_64
Jan 28 06:22:09 tlondon yum: Updated: brasero-debuginfo-2.29.4-2.fc13.x86_64
Jan 28 06:22:09 tlondon yum: Updated: libgnome-keyring-debuginfo-2.29.4-2.fc13.x86_64
Jan 28 06:22:12 tlondon yum: Updated: kernel-headers-2.6.33-0.24.rc5.git1.fc13.x86_64
Jan 28 06:22:15 tlondon yum: Updated: gnome-keyring-debuginfo-2.29.5-2.fc13.x86_64
Jan 28 06:22:18 tlondon yum: Updated:
totem-debuginfo-2.29.4-1.fc13.x86_64 Jan 28 06:22:20 tlondon yum: Updated: avahi-debuginfo-0.6.25-6.fc13.x86_64 Jan 28 06:22:23 tlondon yum: Updated: python-debuginfo-2.6.4-12.fc13.x86_64 Jan 28 06:22:25 tlondon yum: Updated: pygobject2-debuginfo-2.21.1-3.fc13.x86_64 Jan 28 06:22:26 tlondon yum: Updated: epiphany-debuginfo-2.29.6-1.fc13.x86_64 Jan 28 06:22:27 tlondon yum: Updated: yelp-debuginfo-2.29.3-1.fc13.x86_64 Jan 28 06:23:15 tlondon yum: Installed: kernel-2.6.33-0.24.rc5.git1.fc13.x86_64 [root@tlondon ~]# I attach here a file containing all the sealerts.
(In reply to comment #18)
> Hmm..tried updating to latest policy there to look at it, and got this:
> Installing : selinux-policy-3.7.8-2.fc13.noarch 1/4
> Installing : selinux-policy-targeted-3.7.8-2.fc13.noarch 2/4
> semodule: link.c:840: alias_copy_callback: Assertion `base_type->primary ==
> target_type->s.value' failed.
> /var/tmp/rpm-tmp.9Pc6WC: line 21: 3789 Aborted (core dumped)
> semodule -b base.pp.bz2 -i $packages -s targeted

Worked around this by doing:

mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy*

That succeeded. Then I diff'd the two directories. Looks like gitd.pp was renamed to git.pp. So the upgrade needs to account for that by removing the old at the same time as installing the new.
# compute_av unconfined_u:unconfined_r:load_policy_t:s0 system_u:object_r:rpm_tmp_t:s0 file
allowed= null
auditdeny { ioctl create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans entrypoint execmod open 0xffe00000 }

Note that append permission is in the auditdeny vector. Are you sure you've dontaudit'd append permission too? Or only read write?

audit2why likely just checks for any intersecting permissions, e.g. av & ~avd.auditdeny, rather than an exact match, e.g. (av & ~avd.auditdeny) == av.
Looks like I can recreate this by cycling between downgrading/updating the last two nfs-utils packages:

Jan 28 06:58:53 tlondon yum: Installed: 1:nfs-utils-1.2.1-15.fc13.x86_64
Jan 28 06:58:54 tlondon setroubleshoot: Invalid AVC scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 access=['read', 'append'] tclass=file tpath=/tmp/tmpD0ADYK , it is dontaudited in current policy. 'semodule -B' will turn on dontaudit rules.
Jan 28 06:58:54 tlondon rpc.statd[1244]: Caught signal 15, un-registering and exiting
Jan 28 06:58:54 tlondon rpc.statd[2693]: Version 1.2.1 starting
Jan 28 06:58:54 tlondon sm-notify[2694]: Version 1.2.1 starting
Jan 28 06:58:54 tlondon setroubleshoot: Invalid AVC scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 access=['read', 'append'] tclass=file tpath=/tmp/tmpD0ADYK , it is dontaudited in current policy. 'semodule -B' will turn on dontaudit rules.

and

Jan 28 07:02:42 tlondon yum: Updated: 1:nfs-utils-1.2.1-16.fc13.x86_64
Jan 28 07:02:43 tlondon setroubleshoot: Invalid AVC scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 access=['read', 'append'] tclass=file tpath=/tmp/tmpu2P6qE , it is dontaudited in current policy. 'semodule -B' will turn on dontaudit rules.
Jan 28 07:02:43 tlondon rpc.statd[2693]: Caught signal 15, un-registering and exiting
Jan 28 07:02:43 tlondon rpc.statd[2820]: Version 1.2.1 starting
Jan 28 07:02:43 tlondon sm-notify[2821]: Version 1.2.1 starting
Jan 28 07:02:43 tlondon setroubleshoot: Invalid AVC scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 access=['read', 'append'] tclass=file tpath=/tmp/tmpu2P6qE , it is dontaudited in current policy. 'semodule -B' will turn on dontaudit rules.
optional_policy(`
	rpm_use_fds(domain)
	rpm_read_pipes(domain)
	rpm_dontaudit_leaks(domain)
	rpm_read_script_tmp_files(domain)
')

interface(`rpm_dontaudit_leaks',`
	gen_require(`
		type rpm_t, rpm_var_cache_t;
		type rpm_script_t, rpm_var_run_t, rpm_tmp_t;
		type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
	')

	dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms;
	dontaudit $1 rpm_t:tcp_socket { read write };
	dontaudit $1 rpm_t:unix_dgram_socket { read write };
	dontaudit $1 rpm_t:shm rw_shm_perms;
	dontaudit $1 rpm_script_t:fd use;
	dontaudit $1 rpm_script_t:fifo_file { read write };
	dontaudit $1 rpm_var_run_t:file write;
	dontaudit $1 rpm_tmp_t:file { read write };
	dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
	dontaudit $1 rpm_tmpfs_t:file { read write };
	dontaudit $1 rpm_script_tmp_t:file { read write };
	dontaudit $1 rpm_var_lib_t:file { read write };
	dontaudit $1 rpm_var_cache_t:file { read write };
')

So no append.
Changing to

interface(`rpm_dontaudit_leaks',`
	gen_require(`
		type rpm_t, rpm_var_cache_t;
		type rpm_script_t, rpm_var_run_t, rpm_tmp_t;
		type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
	')

	dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms;
	dontaudit $1 rpm_t:tcp_socket { read write };
	dontaudit $1 rpm_t:unix_dgram_socket { read write };
	dontaudit $1 rpm_t:shm rw_shm_perms;
	dontaudit $1 rpm_script_t:fd use;
	dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
	dontaudit $1 rpm_var_run_t:file write;
	dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms;
	dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
	dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms;
	dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
	dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
	dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms;
')
So, to avoid confusion going forward, I'd suggest:

1) Changing audit2why to check for an exact match so that it only reports dontaudit if all the permissions were in fact dontaudit'd, and

2) Possibly changing the kernel and userspace avc_audit() logic to mask out the dontaudit'd permissions when one or more of the permissions was not dontaudit'd rather than reporting the entire denied vector.

Those are likely topics for the selinux list.
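The intersect-versus-exact-match distinction and the masking suggestion above, as an added example that is not audit2why's or the kernel's own code: it models the { read append } request against the rpm_tmp_t auditdeny vector from the compute_av output. The permission bit values are constructed, and the "new" auditdeny vector assumes rw_inherited_file_perms covers append (as it does in refpolicy).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t access_vector_t;

/* Constructed file-class permission bits; only their relationships matter,
 * the real values come from the policy's class/permission definitions. */
#define FILE__READ   ((access_vector_t)1 << 0)
#define FILE__WRITE  ((access_vector_t)1 << 1)
#define FILE__APPEND ((access_vector_t)1 << 2)

/* auditdeny for rpm_tmp_t:file under the original interface
 * (dontaudit { read write }): every bit audited except read and write. */
#define AUDITDENY_OLD (~(FILE__READ | FILE__WRITE))
/* auditdeny after switching to rw_inherited_file_perms, assuming that
 * macro covers append as well as read and write. */
#define AUDITDENY_NEW (~(FILE__READ | FILE__WRITE | FILE__APPEND))

/* The check the thread suspects audit2why performs: true if at least one
 * requested permission is dontaudited (intersection test). */
bool dontaudit_any(access_vector_t requested, access_vector_t auditdeny)
{
    return (requested & ~auditdeny) != 0;
}

/* Exact-match check suggested in the thread: true only when every requested
 * permission is covered by a dontaudit rule. */
bool dontaudit_all(access_vector_t requested, access_vector_t auditdeny)
{
    return (requested & ~auditdeny) == requested;
}

/* What an avc_audit()-style reporter should print for a partly dontaudited
 * denial: only the denied bits that are still audited, not the whole vector. */
access_vector_t audited_perms(access_vector_t requested, access_vector_t allowed,
                              access_vector_t auditdeny)
{
    access_vector_t denied = requested & ~allowed;
    return denied & auditdeny;
}

int main(void)
{
    access_vector_t req = FILE__READ | FILE__APPEND;  /* rpc.statd's request */
    printf("any=%d all=%d audited=0x%x\n", dontaudit_any(req, AUDITDENY_OLD),
           dontaudit_all(req, AUDITDENY_OLD),
           (unsigned)audited_perms(req, 0, AUDITDENY_OLD)); /* any=1 all=0 audited=0x4 */
    return 0;
}
```

With the old vector the intersection test says "dontaudited" because read is, while the exact-match test and the masked report agree that append alone is the audited denial; with the new vector all three agree nothing should be reported.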
Cool.... selinux-policy-3.7.8-5.fc13.noarch fixes. Here is the log from a "downgrade/update" cycle that used to produce the non-AVC AVC.

Jan 28 08:15:20 tlondon yum: Installed: 1:nfs-utils-1.2.1-15.fc13.x86_64
Jan 28 08:15:21 tlondon rpc.statd[2820]: Caught signal 15, un-registering and exiting
Jan 28 08:15:22 tlondon rpc.statd[19160]: Version 1.2.1 starting
Jan 28 08:15:22 tlondon sm-notify[19161]: Version 1.2.1 starting
Jan 28 08:15:47 tlondon yum: Updated: 1:nfs-utils-1.2.1-16.fc13.x86_64
Jan 28 08:15:48 tlondon rpc.statd[19160]: Caught signal 15, un-registering and exiting
Jan 28 08:15:49 tlondon rpc.statd[19247]: Version 1.2.1 starting
Jan 28 08:15:49 tlondon sm-notify[19248]: Version 1.2.1 starting

Thanks!!!
Ok, I sent email upstream about the bug. I think this needs a fix in the kernel to only report append, not append and read.
Fixed in security-testing#next:
http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git;a=commit;h=b6cac5a30b325e14cda425670bb3568d3cad0aa8