Summary: SELinux is preventing /sbin/consoletype access to a leaked fifo_file file descriptor. Detailed Description: [consoletype has a permissive type (consoletype_t). This access was not denied.] SELinux denied access requested by the consoletype command. It looks like this is either a leaked descriptor or consoletype output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the fifo_file. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Additional Information: Source Context system_u:system_r:consoletype_t:s0 Target Context system_u:system_r:NetworkManager_t:s0 Target Objects fifo_file [ fifo_file ] Source consoletype Source Path /sbin/consoletype Port <Unknown> Host (removed) Source RPM Packages initscripts-9.02.1-1 Target RPM Packages Policy RPM selinux-policy-3.6.32-106.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name leaks Host Name (removed) Platform Linux (removed) 2.6.32.10-90.fc12.x86_64 #1 SMP Tue Mar 23 09:47:08 UTC 2010 x86_64 x86_64 Alert Count 28 First Seen Tue 06 Apr 2010 08:52:47 PM EDT Last Seen Tue 06 Apr 2010 09:38:54 PM EDT Local ID 70845c6f-8cab-4650-a70f-82f05fc29287 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1270604334.964:29): avc: denied { read } for pid=3239 comm="consoletype" path="pipe:[66472]" dev=pipefs ino=66472 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=fifo_file node=(removed) type=AVC msg=audit(1270604334.964:29): avc: denied { write } for pid=3239 comm="consoletype" path="pipe:[66473]" dev=pipefs ino=66473 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=fifo_file node=(removed) type=SYSCALL msg=audit(1270604334.964:29): arch=c000003e syscall=59 success=yes exit=0 a0=13454d0 a1=1347210 a2=134b5c0 a3=7fff2e3a3440 items=0 ppid=3238 pid=3239 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="consoletype" exe="/sbin/consoletype" subj=system_u:system_r:consoletype_t:s0 key=(null) Hash String generated from leaks,consoletype,consoletype_t,NetworkManager_t,fifo_file,read audit2allow suggests: #============= consoletype_t ============== allow consoletype_t NetworkManager_t:fifo_file { read write };
Miroslav, Change consoletype_exec(NetworkManager_t) to consoletype_domtrans(NetworkManager_t)
Somehow resolv.conf is labeled ipsec_key_file_t type=AVC msg=audit(1270574403.279:3712): avc: denied { unlink } for pid=1356 comm="NetworkManager" name="resolv.conf" dev=dm-1 ino=131637 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=staff_u:object_r:ipsec_key_file_t:s0 tclass=file Ok, Current policy says that ipsec_mgmg_t creating files in /etc creates them as ipsec_key_file_t files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file) But now ipsec_mgmt_t is creating /etc/resolv.conf with this label. The question is why does ipsec_mgmt_t recreating /etc/resolv.conf? Also what directories does ipsec_mgmt_t create files under /etc?
p1_up_down script overwrites the /etc/resolv.conf but it should not remove/create it unless it was already removed before the script is called. Is it possible that it was removed by something else before?
I am also not sure whether this script is really running as ipsec_mgmt_t. Isn't this context used also for openswan? CCing Avesh. The ipsec_tools p1_up_down script does not write to anything else than /etc/resolv.conf but as I said above perhaps openswan needs this policy?
Maybe we should add a restorecon to that script after resolv.conf is created.
I think this communication is happening in the wrong bugzilla?
Heh, it looks like so.
(In reply to comment #1) > Miroslav, Change consoletype_exec(NetworkManager_t) to > consoletype_domtrans(NetworkManager_t) Fixed in selinux-policy-3.6.32-110.fc12
selinux-policy-3.6.32-113.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12
selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12
selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.