Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 593737 - SELinux is preventing /sbin/consoletype access to a leaked /var/log/wicd/wicd.log file descriptor.
SELinux is preventing /sbin/consoletype access to a leaked /var/log/wicd/wicd...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
13
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:bb1fe310806...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-05-19 11:29 EDT by Muel Kiel
Modified: 2010-12-31 07:21 EST (History)
8 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-21.fc13
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-05-28 14:02:13 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
reinstall selinux-policy-targeted log (2.00 KB, text/plain)
2010-06-17 03:51 EDT, FSW
no flags Details
selinux_wicd-backends (2.34 KB, text/plain)
2010-06-17 04:35 EDT, FSW
no flags Details
selinux python wicd alert (2.38 KB, text/plain)
2010-06-17 04:38 EDT, FSW
no flags Details
selinux wicd.log alert (2.77 KB, text/plain)
2010-06-17 04:42 EDT, FSW
no flags Details

  None (edit)
Description Muel Kiel 2010-05-19 11:29:07 EDT
Summary:

SELinux is preventing /sbin/consoletype access to a leaked
/var/log/wicd/wicd.log file descriptor.

Detailed Description:

[consoletype has a permissive type (consoletype_t). This access was not denied.]

SELinux denied access requested by the consoletype command. It looks like this
is either a leaked descriptor or consoletype output was redirected to a file it
is not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the /var/log/wicd/wicd.log. You should generate a bugzilla on
selinux-policy, and it will get routed to the appropriate package. You can
safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:consoletype_t:s0
Target Context                unconfined_u:object_r:NetworkManager_log_t:s0
Target Objects                /var/log/wicd/wicd.log [ file ]
Source                        consoletype
Source Path                   /sbin/consoletype
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           initscripts-9.12-1.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-13.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.3-85.fc13.x86_64 #1 SMP
                              Thu May 6 18:09:49 UTC 2010 x86_64 x86_64
Alert Count                   36
First Seen                    Thu 06 May 2010 01:09:05 PM PDT
Last Seen                     Wed 19 May 2010 08:19:59 AM PDT
Local ID                      14820867-e72e-4395-9b90-550df0352fe8
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1274282399.49:74): avc:  denied  { append } for  pid=4579 comm="consoletype" path="/var/log/wicd/wicd.log" dev=sda3 ino=4587696 scontext=system_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:NetworkManager_log_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1274282399.49:74): arch=c000003e syscall=59 success=yes exit=0 a0=1af5d10 a1=1af57e0 a2=1af24d0 a3=10 items=0 ppid=4578 pid=4579 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="consoletype" exe="/sbin/consoletype" subj=system_u:system_r:consoletype_t:s0 key=(null)



Hash String generated from  leaks,consoletype,consoletype_t,NetworkManager_log_t,file,append
audit2allow suggests:

#============= consoletype_t ==============
allow consoletype_t NetworkManager_log_t:file append;
Comment 1 Daniel Walsh 2010-05-19 14:06:37 EDT
Fixed in selinux-policy-3.7.19-18.fc13.noarch
Comment 2 Fedora Update System 2010-05-25 10:36:47 EDT
selinux-policy-3.7.19-21.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-21.fc13
Comment 3 Fedora Update System 2010-05-26 17:45:54 EDT
selinux-policy-3.7.19-21.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-21.fc13
Comment 4 Fedora Update System 2010-05-28 14:01:26 EDT
selinux-policy-3.7.19-21.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 FSW 2010-06-09 01:02:01 EDT
Still here with selinux-policy-3.7.19-23.fc13, so the bug have to be re-opened, because it is still not fixed.
Comment 6 Daniel Walsh 2010-06-09 16:23:15 EDT
FSW

Please attach the latest avc messages you are seeing.
Comment 7 FSW 2010-06-09 17:09:51 EDT
So, here it is, in French, but that means the same as what is to see in original post. Good luck, and if you need something else, just tell me...

Résumé:

SELinux empêche /sbin/consoletype d'accéder au descripteur de fichier
compromis /var/log/wicd/wicd.log.

Description détaillée:

[consoletype a un type permissif (consoletype_t). Cet accès n'a pas été
refusé.]

SELinux a refusé l'accès requis par la commande consoletype. Il se pourrait
que ce soit un descripteur «fuité» ou bien que la sortie de consoletype soit
redirigée vers un fichier interdit d'accès. Les fuites peuvent généralement
être ignorées puisque SELinux referme ces fuites et rapporte l'erreur.
L'application n'utilise pas le descripteur, il fonctionnera donc correctement.
Si c'est une redirection, vous n'aurez pas de sortie dans
/var/log/wicd/wicd.log. Vous devriez signaler un bug à bugzilla sur
selinux-policy et il sera redirigé vers le paquet approprié. Vous pouvez en
toute sécurité ignorer

Autoriser l'accès:

Vous pouvez générer un module de politique de sécurité local afin
d'autoriser cet accès - voir FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Informations complémentaires:

Contexte source               system_u:system_r:consoletype_t:s0
Contexte cible                system_u:object_r:NetworkManager_log_t:s0
Objets du contexte            /var/log/wicd/wicd.log [ file ]
source                        consoletype
Chemin de la source           /sbin/consoletype
Port                          <Inconnu>
Hôte                         (removed)
Paquetages RPM source         initscripts-9.12-1.fc13
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.7.19-23.fc13
Selinux activé               True
Type de politique             targeted
Mode strict                   Enforcing
Nom du plugin                 leaks
Nom de l'hôte                (removed)
Plateforme                    Linux (removed) 2.6.33.5-112.fc13.x86_64
                              #1 SMP Thu May 27 02:28:31 UTC 2010 x86_64 x86_64
Compteur d'alertes            3
Première alerte              mer. 09 juin 2010 06:52:22 CEST
Dernière alerte              mer. 09 juin 2010 22:59:42 CEST
ID local                      38916182-39bf-4cf4-bd3c-c053b4cc566f
Numéros des lignes           

Messages d'audit bruts        

node=hubble.alternation type=AVC msg=audit(1276117182.260:27): avc:  denied  { append } for  pid=1807 comm="consoletype" path="/var/log/wicd/wicd.log" dev=sda7 ino=393227 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:NetworkManager_log_t:s0 tclass=file

node=hubble.alternation type=SYSCALL msg=audit(1276117182.260:27): arch=c000003e syscall=59 success=yes exit=0 a0=a55c90 a1=a55760 a2=a52460 a3=10 items=0 ppid=1806 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="consoletype" exe="/sbin/consoletype" subj=system_u:system_r:consoletype_t:s0 key=(null)
Comment 8 Daniel Walsh 2010-06-10 09:06:06 EDT
Could you make sure the selinux-policy update did not fail on your machine.

yum -y reinstall selinux-policy-targeted
Comment 9 FSW 2010-06-10 12:14:44 EDT
Sorry, I've just made it twice right now (one with "sudo", as I'm using it & with "su -", just to be sure) and rebooted each time, but it's still here!!!

Should I try a "yum -y erase selinux-policy-targeted" before a "yum -y install selinux-policy-targeted", just to see or will my system breaks in pieces ?  =;) 

I mean, I will normally try it with almost every single software, but I'm not so at ease with SELinux and I rather be cautious with that one, so long I don't understand anything of it's voodoo (but I hope I will one day)...
Comment 10 Daniel Walsh 2010-06-16 11:29:10 EDT
Did you see an error when reinstalling selinux-policy-targeted?
Comment 11 FSW 2010-06-17 03:51:26 EDT
Created attachment 424710 [details]
reinstall selinux-policy-targeted log

reinstall selinux-policy-targeted log (O6/17/2010)
Comment 12 FSW 2010-06-17 04:22:11 EDT
Hi,

there's a new bug opened about this exact thing here Red Hat Bugzilla – Bug 596982: https://bugzilla.redhat.com/show_bug.cgi?id=596982

So, my try from today, see the log in attachment (id=424710), after updating, brought always the same error message, 
Résumé:

SELinux empêche /sbin/consoletype d'accéder au descripteur de fichier
compromis /var/log/wicd/wicd.log.

But it noticed also that in /var/log/messages:

Jun 17 09:14:25 hubble setroubleshoot: SELinux empêche /sbin/consoletype d'accéder au descripteur de fichier compromis /var/log/wicd/wicd.log. For complete SELinux messages. run sealert -l 31d71d3c-5500-44ce-ae3d-b09b61b92e47

and also that I've 2 other SELinux alerts concerning refused "write" access, first:

Résumé:

SELinux empêche l'accès en "write" à /usr/bin/python on
/usr/share/wicd/backends

second:

Résumé:

SELinux empêche l'accès en "write" à /usr/bin/python on
/usr/lib/python2.6/site-packages/wicd

So, I didn't noticed anything about those errors on https://admin.fedoraproject.org/pkgdb/acls/bugs/selinux-policy, so I might have to open 2 new bugs, or? In between, I will add the 2 messages as attachments.

Anyway, they seems to be related, as all this began the moment I wanted to replace NetworkManager by Wicd, which doesn't scan my network each 2 minutes (Red Hat Bugzilla – Bug 490493) so let's keep the good work, we will get it.

Ask if you need something more, but I can only reply tomorrow (busy day today =;)
Comment 13 FSW 2010-06-17 04:35:07 EDT
Created attachment 424721 [details]
selinux_wicd-backends

"write" access refused by SELinux

Résumé:

SELinux empêche l'accès en "write" à /usr/bin/python on
/usr/share/wicd/backends
Comment 14 FSW 2010-06-17 04:38:32 EDT
Created attachment 424722 [details]
selinux python wicd alert

"write" access refused by SELinux

Résumé:

SELinux empêche l'accès en "write" à /usr/bin/python on
/usr/lib/python2.6/site-packages/wicd
Comment 15 FSW 2010-06-17 04:42:55 EDT
Created attachment 424725 [details]
selinux wicd.log alert

Alerted, but not refused by SELinux:

Résumé:

SELinux empêche /sbin/consoletype d'accéder au descripteur de fichier
compromis /var/log/wicd/wicd.log.

Description détaillée:

[consoletype a un type permissif (consoletype_t). Cet accès n'a pas été
refusé.]
Comment 16 Daniel Walsh 2010-06-17 09:17:10 EDT
This looks like your update was not successfull

Could you execute 

# yum reinstall selinux-policy-targeted

And watch for errors.

After this successfully completes could you execute

# sesearch -A -s consoletype_t -t NetworkManager_log_t

Note You need to log in before you can comment on or make changes to this bug.