Bug 588716 - SELinux is preventing /sbin/setfiles access to a leaked udp_socket file descriptor.
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: x86_64 Linux
Priority: low
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:1ce11e60ecd...
Reported: 2010-05-04 07:20 EDT by Oded Arbel
Modified: 2011-05-25 16:21 EDT
Doc Type: Bug Fix
Last Closed: 2011-05-25 16:21:33 EDT

Description Oded Arbel 2010-05-04 07:20:54 EDT
Summary:

SELinux is preventing /sbin/setfiles access to a leaked udp_socket file
descriptor.

Detailed Description:

[restorecon has a permissive type (setfiles_t). This access was not denied.]

SELinux denied access requested by the restorecon command. It looks like this is
either a leaked descriptor or restorecon output was redirected to a file it is
not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the udp_socket. You should generate a bugzilla on selinux-policy, and
it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
Target Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Objects                udp_socket [ udp_socket ]
Source                        restorecon
Source Path                   /sbin/setfiles
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           policycoreutils-2.0.82-13.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-10.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.33.3-72.fc13.x86_64 #1 SMP Wed Apr 28 15:48:01
                              UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Tue 04 May 2010 02:14:36 PM IDT
Last Seen                     Tue 04 May 2010 02:14:36 PM IDT
Local ID                      90382397-17a9-4f58-b4aa-c8110a7833ae
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1272971676.271:18930): avc:  denied  { read write } for  pid=3944 comm="restorecon" path="socket:[48438]" dev=sockfs ino=48438 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=udp_socket

node=(removed) type=AVC msg=audit(1272971676.271:18930): avc:  denied  { read write } for  pid=3944 comm="restorecon" path="socket:[48439]" dev=sockfs ino=48439 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=udp_socket

node=(removed) type=SYSCALL msg=audit(1272971676.271:18930): arch=c000003e syscall=59 success=yes exit=0 a0=10793a0 a1=1079300 a2=1075100 a3=8 items=0 ppid=3940 pid=3944 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=12 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  leaks,restorecon,setfiles_t,xdm_t,udp_socket,read,write
audit2allow suggests:

#============= setfiles_t ==============
allow setfiles_t xdm_t:udp_socket { read write };
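
Both AVC denials in the raw audit messages above share one audit event with a successful execve (syscall=59 on arch=c000003e) and target an anonymous socket labelled with another domain (xdm_t), which is the pattern behind the "leaked descriptor" diagnosis. The triage script below is an added example, not part of the original report or of setroubleshoot; its heuristic, its function names, and the two trailing control records are assumptions constructed here.

```python
import re
from collections import defaultdict

# Records 1-3: raw audit messages from the report above. Records 4-5: a
# constructed control event (plain file open, no exec) that must not match.
AUDIT_LOG = """\
node=(removed) type=AVC msg=audit(1272971676.271:18930): avc:  denied  { read write } for  pid=3944 comm="restorecon" path="socket:[48438]" dev=sockfs ino=48438 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=udp_socket
node=(removed) type=AVC msg=audit(1272971676.271:18930): avc:  denied  { read write } for  pid=3944 comm="restorecon" path="socket:[48439]" dev=sockfs ino=48439 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=udp_socket
node=(removed) type=SYSCALL msg=audit(1272971676.271:18930): arch=c000003e syscall=59 success=yes exit=0 a0=10793a0 a1=1079300 a2=1075100 a3=8 items=0 ppid=3940 pid=3944 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=12 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1272971700.000:18931): avc:  denied  { read } for  pid=4001 comm="example" path="/tmp/example" dev=dm-0 ino=1234 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1272971700.000:18931): arch=c000003e syscall=2 success=no exit=-13 pid=4001 comm="example"
"""

HEAD = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
ANON_FD = re.compile(r"(socket|pipe):\[\d+\]")  # descriptor with no filesystem path
EXECVE_X86_64 = ("c000003e", "59")  # AUDIT_ARCH_X86_64, execve syscall number

def parse(log):
    """Group audit records by event id -> list of (record type, fields)."""
    events = defaultdict(list)
    for line in log.splitlines():
        head = HEAD.search(line)
        if head:
            fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
            events[head.group(2)].append((head.group(1), fields))
    return events

def domain(context):
    """Type component of an SELinux context (user:role:type:range)."""
    return context.split(":")[2]

def leaked_descriptors(log):
    """Heuristic (an assumption, not setroubleshoot's plugin logic): AVC on an
    anonymous socket/pipe, in an execve event, labelled with another domain."""
    findings = []
    for event_id, records in parse(log).items():
        sc = next((f for t, f in records if t == "SYSCALL"), {})
        if (sc.get("arch"), sc.get("syscall")) != EXECVE_X86_64:
            continue  # denial did not happen while a new program was being exec'd
        for rtype, f in records:
            if (rtype == "AVC" and ANON_FD.fullmatch(f.get("path", ""))
                    and domain(f["scontext"]) != domain(f["tcontext"])):
                findings.append((event_id, f["comm"], f["tclass"], f["path"],
                                 domain(f["tcontext"]), domain(f["scontext"])))
    return findings

if __name__ == "__main__":
    print(*leaked_descriptors(AUDIT_LOG), sep="\n")
```

Each finding names the domain that labelled the descriptor (here xdm_t) and the domain that inherited it (setfiles_t), which points at the parent process to audit for descriptors opened without close-on-exec.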

Comment 1 Daniel Walsh 2010-05-04 14:00:23 EDT
This looks like cdm is leaking a udp_socket.

Are you using any special pam configuration?

What are you using for your login application?

Comment 2 Oded Arbel 2010-05-04 16:21:55 EDT
I'm using winbind for logging in (sometimes - I also have local users).

This specific problem occurred while trying to login to GNOME using KDM.

Comment 3 Daniel Walsh 2010-05-04 16:38:00 EDT
kdm is leaking a udp_socket.  Probably related to winbind.

Comment 4 Fedora Admin XMLRPC Client 2010-10-08 10:43:17 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 5 Simo Sorce 2011-04-04 12:43:42 EDT
nss_winbind/pam_winbindd never use udp sockets afaik, so it is highly unlikely it is a winbindd bug, reassigning back to selinux policy

Comment 6 Daniel Walsh 2011-04-04 15:17:35 EDT
Oded is this happening repeatedly?  Or just once?

Comment 7 Miroslav Grepl 2011-05-25 16:21:33 EDT
Please reopen if the problem still exists.
