Summary: SELinux is preventing /usr/bin/perl access to a leaked tcp_socket file descriptor.

Detailed Description: [perl has a permissive type (staff_t). This access was not denied.] SELinux denied access requested by the perl command. It looks like this is either a leaked descriptor or perl output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the tcp_socket. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:
Source Context        staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target Context        staff_u:staff_r:staff_mono_t:s0-s0:c0.c1023
Target Objects        tcp_socket [ tcp_socket ]
Source                perl
Source Path           /usr/bin/perl
Port                  <Unknown>
Host                  (removed)
Source RPM Packages   perl-5.10.0-87.fc12
Target RPM Packages
Policy RPM            selinux-policy-3.6.32-108.fc12
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Plugin Name           leaks
Host Name             (removed)
Platform              Linux (removed) 2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38 UTC 2010 x86_64 x86_64
Alert Count           9
First Seen            Thu 15 Apr 2010 17:26:27 EDT
Last Seen             Thu 15 Apr 2010 17:41:15 EDT
Local ID              047a8755-2bfd-4457-bf10-6d5f0c404337
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1271367675.621:77): avc: denied { read write } for pid=3742 comm="perl" path="socket:[748367]" dev=sockfs ino=748367 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_mono_t:s0-s0:c0.c1023 tclass=tcp_socket
node=(removed) type=AVC msg=audit(1271367675.621:77): avc: denied { read write } for pid=3742 comm="perl" path="socket:[750358]" dev=sockfs ino=750358 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_mono_t:s0-s0:c0.c1023 tclass=tcp_socket
node=(removed) type=AVC msg=audit(1271367675.621:77): avc: denied { read write } for pid=3742 comm="perl" path="socket:[750675]" dev=sockfs ino=750675 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_mono_t:s0-s0:c0.c1023 tclass=tcp_socket
node=(removed) type=AVC msg=audit(1271367675.621:77): avc: denied { read write } for pid=3742 comm="perl" path="socket:[750676]" dev=sockfs ino=750676 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_mono_t:s0-s0:c0.c1023 tclass=tcp_socket
node=(removed) type=AVC msg=audit(1271367675.621:77): avc: denied { read write } for pid=3742 comm="perl" path="socket:[752207]" dev=sockfs ino=752207 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_mono_t:s0-s0:c0.c1023 tclass=tcp_socket
node=(removed) type=AVC msg=audit(1271367675.621:77): avc: denied { read write } for pid=3742 comm="perl" path="socket:[752208]" dev=sockfs ino=752208 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_mono_t:s0-s0:c0.c1023 tclass=tcp_socket
node=(removed) type=AVC msg=audit(1271367675.621:77): avc: denied { read write } for pid=3742 comm="perl" path="socket:[752209]" dev=sockfs ino=752209 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_mono_t:s0-s0:c0.c1023 tclass=tcp_socket
node=(removed) type=SYSCALL msg=audit(1271367675.621:77): arch=c000003e syscall=59 success=yes exit=0 a0=7f06f4001540 a1=7f06f4004020 a2=7f06f400b260 a3=7f07075f9d20 items=0 ppid=3725 pid=3742 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="perl" exe="/usr/bin/perl" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  leaks,perl,staff_t,staff_mono_t,tcp_socket,read,write

audit2allow suggests:

#============= staff_t ==============
allow staff_t staff_mono_t:tcp_socket { read write };
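The setroubleshoot "leaks" plugin reached its verdict from two facts visible in the raw messages: every AVC is on an fd-backed object (path="socket:[...]"), and all of them belong to the same audit event as a SYSCALL record for a successful execve (syscall=59 on arch=c000003e, x86_64). That is the kernel closing inherited descriptors the new domain may not touch, so the right response is a dontaudit rule (or fixing the leak in the parent), not the audit2allow allow rule quoted above. The script below is an added example, not part of the bug report or of setroubleshoot: it groups audit records by event serial, applies that heuristic, and emits dontaudit for leaks and a flagged allow for anything else. The sample input is constructed from two of the page's AVC lines plus a hypothetical non-leak denial (a perl process opening a shadow_t file, serial 91) so both branches run.

```python
import re
from collections import OrderedDict

# Constructed sample input: two AVC records and the SYSCALL record from the
# report above (event serial 77), followed by a hypothetical real denial
# (serial 91: open() of a shadow_t file, syscall=2 on x86_64, EACCES) that
# must NOT be classified as a leak.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1271367675.621:77): avc: denied { read write } for pid=3742 comm="perl" path="socket:[748367]" dev=sockfs ino=748367 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_mono_t:s0-s0:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1271367675.621:77): avc: denied { read write } for pid=3742 comm="perl" path="socket:[750358]" dev=sockfs ino=750358 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_mono_t:s0-s0:c0.c1023 tclass=tcp_socket
type=SYSCALL msg=audit(1271367675.621:77): arch=c000003e syscall=59 success=yes exit=0 ppid=3725 pid=3742 auid=500 uid=500 comm="perl" exe="/usr/bin/perl" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1271367900.100:91): avc: denied { read } for pid=4101 comm="perl" name="shadow" dev=dm-0 ino=131586 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1271367900.100:91): arch=c000003e syscall=2 success=no exit=-13 ppid=3725 pid=4101 auid=500 uid=500 comm="perl" exe="/usr/bin/perl" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
"""

RECORD_RE = re.compile(r'^(?:node=\S+ )?type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
AVC_RE = re.compile(r'denied\s+\{ (?P<perms>[^}]+)\}.*?scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(r'arch=(?P<arch>[0-9a-f]+) syscall=(?P<nr>\d+) success=(?P<success>yes|no)')

# execve syscall number per audit arch value (x86_64, i386).
EXECVE_BY_ARCH = {"c000003e": 59, "40000003": 11}
# Permissions the kernel checks on inherited descriptors at exec time.
LEAK_PERMS = {"read", "write", "append"}


def _type_of(context):
    """staff_u:staff_r:staff_t:s0-s0:c0.c1023 -> staff_t"""
    return context.split(":")[2]


def classify(audit_text):
    """Group records by event serial and decide whether each event is a
    leaked-descriptor artefact: all AVCs fd-backed (path="...") with only
    read/write/append denied, and the same event's SYSCALL is a successful execve."""
    events = OrderedDict()
    for line in audit_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        ev = events.setdefault(m["serial"], {"serial": m["serial"], "denials": {},
                                             "fd_backed": True, "execve_ok": False})
        body = m["body"]
        if m["type"] == "AVC":
            a = AVC_RE.search(body)
            if not a:
                continue
            key = (_type_of(a["sctx"]), _type_of(a["tctx"]), a["tclass"])
            perms = set(a["perms"].split())
            ev["denials"].setdefault(key, set()).update(perms)
            if 'path="' not in body or not perms <= LEAK_PERMS:
                ev["fd_backed"] = False
        elif m["type"] == "SYSCALL":
            s = SYSCALL_RE.search(body)
            if s and EXECVE_BY_ARCH.get(s["arch"]) == int(s["nr"]) and s["success"] == "yes":
                ev["execve_ok"] = True
    result = []
    for ev in events.values():
        if ev["denials"]:
            ev["leak"] = ev["fd_backed"] and ev["execve_ok"]
            result.append(ev)
    return result


def suggest_rules(audit_text):
    """Emit policy lines in the same form audit2allow prints, but choose the
    verb from the classification instead of always writing allow."""
    rules = []
    for ev in classify(audit_text):
        for (stype, ttype, tclass), perms in sorted(ev["denials"].items()):
            perm_str = " ".join(sorted(perms))
            if ev["leak"]:
                rules.append(f"dontaudit {stype} {ttype}:{tclass} {{ {perm_str} }};")
            else:
                rules.append(f"allow {stype} {ttype}:{tclass} {{ {perm_str} }}; # review: real denial, not a leak")
    return rules


if __name__ == "__main__":
    for ev in classify(SAMPLE_AUDIT):
        print(f"event {ev['serial']}: {'leak' if ev['leak'] else 'real denial'}")
    print("\n".join(suggest_rules(SAMPLE_AUDIT)))
```

The dontaudit line it produces for event 77 is the local-module equivalent of the hide_broken_symptoms rule later added to the policy; the flagged allow for event 91 is there to show that a denial without the execve signature still has to be read by a human, never pasted into a module because audit2allow printed it.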
Is this from gnome_do? If so it is a leaked file descriptor and should be reassigned there.
I honestly have no idea why mono_t wants to access Perl. I did try Komodo IDE w. Perl, changed the remote dbg settings, and that's about it.
Miroslav, add

    ifdef(`hide_broken_symptoms', `
        dontaudit $1_t $1_mono_t:socket_class_set { read write };
    ')

to mono_role right after corecmd_bin_domtrans.
Fixed in selinux-policy-3.6.32-113.fc12
selinux-policy-3.6.32-113.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12
selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12
selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.