576943 – SELinux is preventing /usr/libexec/polkit-1/polkit-agent-helper-1 access to a leaked /tmp/log file descriptor.

Bug 576943 - SELinux is preventing /usr/libexec/polkit-1/polkit-agent-helper-1 access to a leaked /tmp/log file descriptor.

Summary: SELinux is preventing /usr/libexec/polkit-1/polkit-agent-helper-1 access to a...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	12
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	setroubleshoot_trace_hash:d1655c5de07...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-03-25 17:15 UTC by Alex Lancaster
Modified:	2010-04-09 01:24 UTC (History)
CC List:	3 users (show)
Fixed In Version:	selinux-policy-3.6.32-108.fc12
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-04-09 01:24:09 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Alex Lancaster 2010-03-25 17:15:50 UTC

Summary:

SELinux is preventing /usr/libexec/polkit-1/polkit-agent-helper-1 access to a
leaked /tmp/log file descriptor.

Detailed Description:

[polkit-agent-he has a permissive type (policykit_auth_t). This access was not
denied.]

SELinux denied access requested by the polkit-agent-he command. It looks like
this is either a leaked descriptor or polkit-agent-he output was redirected to a
file it is not allowed to access. Leaks usually can be ignored since SELinux is
just closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the /tmp/log. You should generate a bugzilla on selinux-policy, and it
will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                /tmp/log [ file ]
Source                        polkit-agent-he
Source Path                   /usr/libexec/polkit-1/polkit-agent-helper-1
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           polkit-0.95-0.git20090913.3.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-103.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.9-70.fc12.x86_64
                              #1 SMP Wed Mar 3 04:40:41 UTC 2010 x86_64 x86_64
Alert Count                   11
First Seen                    Fri 18 Dec 2009 04:19:40 PM EST
Last Seen                     Thu 25 Mar 2010 01:14:32 PM EDT
Local ID                      6a4fcb30-0947-440f-8e5a-5f2ecca58164
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1269537272.677:41939): avc:  denied  { write } for  pid=26327 comm="polkit-agent-he" path="/tmp/log" dev=dm-0 ino=6236 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1269537272.677:41939): arch=c000003e syscall=59 success=yes exit=0 a0=30ab00d7b8 a1=7fff5e0bb5f0 a2=7fff5e0bb8e8 a3=f items=0 ppid=2391 pid=26327 auid=501 uid=501 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 tty=(none) ses=1 comm="polkit-agent-he" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  leaks,polkit-agent-he,policykit_auth_t,user_tmp_t,file,write
audit2allow suggests:

#============= policykit_auth_t ==============
allow policykit_auth_t user_tmp_t:file write;

Comment 1 Alex Lancaster 2010-03-25 17:16:20 UTC

Was using PackageKit to install a downloaded RPM via Firefox.

Comment 2 Daniel Walsh 2010-03-25 17:42:11 UTC

Miroslav add
userdom_dontaudit_write_user_tmp_files(policykit_auth_t)

Comment 3 Miroslav Grepl 2010-03-26 06:58:23 UTC

Fixed in selinux-policy-3.6.32-107.fc12

Comment 4 Fedora Update System 2010-03-30 19:47:40 UTC

selinux-policy-3.6.32-108.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-108.fc12

Comment 5 Fedora Update System 2010-04-01 01:53:38 UTC

selinux-policy-3.6.32-108.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-108.fc12

Comment 6 Alex Lancaster 2010-04-06 20:46:05 UTC

(In reply to comment #5)

> http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-108.fc12    

This update fixes the issue, I have given it a +1 karma point.

Comment 7 Fedora Update System 2010-04-09 01:23:16 UTC

selinux-policy-3.6.32-108.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.