Summary:

SELinux is preventing /sbin/consoletype access to a leaked packet_socket file descriptor.

Detailed Description:

[consoletype has a permissive type (consoletype_t). This access was not denied.]

SELinux denied access requested by the consoletype command. It looks like this is either a leaked descriptor or consoletype output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the packet_socket. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:consoletype_t:s0
Target Context                system_u:system_r:pppd_t:s0
Target Objects                packet_socket [ packet_socket ]
Source                        consoletype
Source Path                   /sbin/consoletype
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           initscripts-9.02-1
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686
Alert Count                   1
First Seen                    Sun 14 Feb 2010 13:29:44 CET
Last Seen                     Sun 14 Feb 2010 13:29:44 CET
Local ID                      18da4af1-a0ae-4021-9b1e-9624a025997d
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1266150584.174:37015): avc: denied { read write } for pid=1904 comm="consoletype" path="socket:[25808]" dev=sockfs ino=25808 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=packet_socket

node=(removed) type=SYSCALL msg=audit(1266150584.174:37015): arch=40000003 syscall=11 success=yes exit=0 a0=9f453e8 a1=9f45448 a2=9f3df20 a3=9f45448 items=0 ppid=1903 pid=1904 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="consoletype" exe="/sbin/consoletype" subj=system_u:system_r:consoletype_t:s0 key=(null)

Hash String generated from leaks,consoletype,consoletype_t,pppd_t,packet_socket,read,write

audit2allow suggests:

#============= consoletype_t ==============
allow consoletype_t pppd_t:packet_socket { read write };
yum update
I've updated yum and still after I restart the bug comes up.
Which version of policy do you have installed? rpm -q selinux-policy-targeted
Summary:

SELinux is preventing /sbin/consoletype access to a leaked packet_socket file descriptor.

Detailed Description:

[consoletype has a permissive type (consoletype_t). This access was not denied.]

SELinux denied access requested by the consoletype command. It looks like this is either a leaked descriptor or consoletype output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the packet_socket. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:consoletype_t:s0
Target Context                system_u:system_r:pppd_t:s0
Target Objects                packet_socket [ packet_socket ]
Source                        consoletype
Source Path                   /sbin/consoletype
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           initscripts-9.20.1-1.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux lhost.ldomain 2.6.35.6-48.fc14.x86_64 #1 SMP Fri Oct 22 15:36:08 UTC 2010 x86_64 x86_64
Alert Count                   23
First Seen                    Thu 04 Nov 2010 06:55:50 PM MSK
Last Seen                     Fri 05 Nov 2010 09:52:38 PM MSK
Local ID                      ad9ea46d-f836-4661-aa8a-bdcb33ada46e
Line Numbers

Raw Audit Messages

node=lhost.ldomain type=AVC msg=audit(1288983158.621:30236): avc: denied { read write } for pid=2835 comm="consoletype" path="socket:[23535]" dev=sockfs ino=23535 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:pppd_t:s0 tclass=packet_socket

node=lhost.ldomain type=SYSCALL msg=audit(1288983158.621:30236): arch=c000003e syscall=59 success=yes exit=0 a0=19da2b0 a1=19e84e0 a2=19e8240 a3=0 items=0 ppid=2834 pid=2835 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="consoletype" exe="/sbin/consoletype" subj=system_u:system_r:consoletype_t:s0 key=(null)

rpm -q selinux-policy-targete
>>>
selinux-policy-targeted-3.9.7-7.fc14.noarch
<<<

uname -r
2.6.35.6-48.fc14.x86_64
pppd should not be leaking sockets.
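An added illustration of the leak the AVC above reports, not code from ppp or from the update tracked in this bug: a descriptor opened without close-on-exec is inherited by any helper the daemon executes, while one opened with SOCK_CLOEXEC or marked FD_CLOEXEC is closed at exec. The AF_UNIX socket is an unprivileged stand-in for the packet socket, /bin/sh stands in for the script that runs /sbin/consoletype, and the check assumes a Linux /proc.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for pppd's packet socket: AF_PACKET needs CAP_NET_RAW, so an
 * unprivileged AF_UNIX datagram socket is used here (assumption). */
int open_sock(int cloexec)
{
    return socket(AF_UNIX, SOCK_DGRAM | (cloexec ? SOCK_CLOEXEC : 0), 0);
}

/* Retrofit close-on-exec onto a descriptor that is already open. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Fork and exec a helper (stand-in for a script running /sbin/consoletype)
 * and report whether fd survived the exec: 1 = leaked, 0 = closed, -1 = error. */
int fd_visible_in_child(int fd)
{
    char script[64];
    int status;
    snprintf(script, sizeof script, "test -L /proc/self/fd/%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);                      /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    int leaky = open_sock(0), safe = open_sock(1);
    printf("plain socket in child:     %d\n", fd_visible_in_child(leaky));
    printf("SOCK_CLOEXEC socket:       %d\n", fd_visible_in_child(safe));
    set_cloexec(leaky);
    printf("after FD_CLOEXEC retrofit: %d\n", fd_visible_in_child(leaky));
    return 0;
}
```

With SELinux enforcing, the first case is what produces a denial like the one in the report: the helper's domain receives a descriptor labelled with the daemon's type.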
Dan, did you really mean pptp, or should it have been ppp?
Don't see any references to pptp; reassigning to ppp.
On my box I have an internet connection only via PPPoE. I define the connection only in the "DSL" tab in Network Manager.
Yes it should be ppp
ppp-2.4.5-12.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/ppp-2.4.5-12.fc14
ppp-2.4.5-12.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update ppp'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/ppp-2.4.5-12.fc14
I installed 'ppp-2.4.5-12.fc14' with su -c 'yum --enablerepo=updates-testing update ppp'. Setroubleshoot doesn't show an alert. Internet runs. I checked the log and didn't find any error messages, except this.

Here are the previous messages...
>>>
Nov 19 20:17:09 lhost NetworkManager[1151]: <error> [1290187029.121281] [nm-manager.c:1332] user_proxy_init(): could not init user settings proxy: (3) Could not get owner of name 'org.freedesktop.NetworkManagerUserSettings': no such name
Nov 19 20:17:10 lhost rtkit-daemon[1900]: Successfully made thread 2080 of process 2080 (/usr/bin/pulseaudio) owned by '500' high priority at nice level -11.
Nov 19 20:17:10 lhost rtkit-daemon[1900]: Successfully made thread 2085 of process 2080 (/usr/bin/pulseaudio) owned by '500' RT at priority 5.
Nov 19 20:17:10 lhost rtkit-daemon[1900]: Successfully made thread 2086 of process 2080 (/usr/bin/pulseaudio) owned by '500' RT at priority 5.
Nov 19 20:17:11 lhost rtkit-daemon[1900]: Successfully made thread 2186 of process 2186 (/usr/bin/pulseaudio) owned by '500' high priority at nice level -11.
Nov 19 20:17:11 lhost pulseaudio[2186]: pid.c: Daemon already running.
<<<

Whether this message is relevant, I don't know. Check yourself, please.
>>>
Nov 19 20:17:14 lhost dbus: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.52" (uid=500 pid=2089 comm="nautilus) interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply=0 destination=":1.18" (uid=0 pid=1843 comm="/usr/sbin/console-kit-daemon))
<<<

Here I start my internet connection.
>>>
Nov 19 20:18:29 lhost NetworkManager[1151]: <info> Activation (eth0) starting connection 'dsl'
Nov 19 20:18:29 lhost NetworkManager[1151]: <info> (eth0): device state change: 3 -> 4 (reason 0)
Nov 19 20:18:29 lhost NetworkManager[1151]: <info> Activation (eth0) Stage 1 of 5 (Device Prepare) scheduled...
Nov 19 20:18:29 lhost NetworkManager[1151]: <info> Activation (eth0) Stage 1 of 5 (Device Prepare) started...
Nov 19 20:18:29 lhost NetworkManager[1151]: <info> Activation (eth0) Stage 2 of 5 (Device Configure) scheduled...
Nov 19 20:18:29 lhost NetworkManager[1151]: <info> Activation (eth0) Stage 1 of 5 (Device Prepare) complete.
<<<
Hi, thanks for your test & report. Unfortunately I'm only able to say that the message 'Rejected send message....' is outside the pppd topic. I've discussed it a little and I hope the NetworkManager maintainer could know more... So I'm going to add him to CC. Jiri
ppp-2.4.5-12.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.