Summary:

SELinux is preventing /sbin/consoletype access to a leaked /var/log/wicd/wicd.log file descriptor.

Detailed Description:

[consoletype has a permissive type (consoletype_t). This access was not denied.]

SELinux denied access requested by the consoletype command. It looks like this is either a leaked descriptor or consoletype output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /var/log/wicd/wicd.log. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:consoletype_t:s0
Target Context                unconfined_u:object_r:NetworkManager_log_t:s0
Target Objects                /var/log/wicd/wicd.log [ file ]
Source                        consoletype
Source Path                   /sbin/consoletype
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           initscripts-9.12-1.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-13.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.3-85.fc13.x86_64 #1 SMP Thu May 6 18:09:49 UTC 2010 x86_64 x86_64
Alert Count                   36
First Seen                    Thu 06 May 2010 01:09:05 PM PDT
Last Seen                     Wed 19 May 2010 08:19:59 AM PDT
Local ID                      14820867-e72e-4395-9b90-550df0352fe8
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1274282399.49:74): avc: denied { append } for pid=4579 comm="consoletype" path="/var/log/wicd/wicd.log" dev=sda3 ino=4587696 scontext=system_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:NetworkManager_log_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1274282399.49:74): arch=c000003e syscall=59 success=yes exit=0 a0=1af5d10 a1=1af57e0 a2=1af24d0 a3=10 items=0 ppid=4578 pid=4579 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="consoletype" exe="/sbin/consoletype" subj=system_u:system_r:consoletype_t:s0 key=(null)

Hash String generated from leaks,consoletype,consoletype_t,NetworkManager_log_t,file,append

audit2allow suggests:

#============= consoletype_t ==============
allow consoletype_t NetworkManager_log_t:file append;
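Added example (not part of the original report, and not setroubleshoot's own code): a triage heuristic for spotting this kind of "leaked descriptor" alert directly in audit records. It pairs each AVC with the SYSCALL record of the same audit event and flags read/write/append denials on a file other than the executed program when the syscall is execve. It assumes x86_64 records, where arch=c000003e syscall=59 is execve; the function names are illustrative.

```python
import re

# Both records of audit event 1276117182.260:27, copied from the French-locale
# report further down this thread; only the Python string wrapping is added.
SAMPLE = (
    'node=hubble.alternation type=AVC msg=audit(1276117182.260:27): avc: denied { append } '
    'for pid=1807 comm="consoletype" path="/var/log/wicd/wicd.log" dev=sda7 ino=393227 '
    'scontext=system_u:system_r:consoletype_t:s0 '
    'tcontext=system_u:object_r:NetworkManager_log_t:s0 tclass=file\n'
    'node=hubble.alternation type=SYSCALL msg=audit(1276117182.260:27): arch=c000003e '
    'syscall=59 success=yes exit=0 a0=a55c90 a1=a55760 a2=a52460 a3=10 items=0 ppid=1806 '
    'pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) ses=4294967295 comm="consoletype" exe="/sbin/consoletype" '
    'subj=system_u:system_r:consoletype_t:s0 key=(null)\n'
)

X86_64_EXECVE = ("c000003e", "59")           # assumption: x86_64 syscall table
FD_PERMS = {"read", "write", "append"}       # access modes of an already-open file
EVENT_ID = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\)")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by their audit(timestamp:serial) event id."""
    events = {}
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        rtype, eid = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        perms = PERMS.search(line)
        if perms:
            fields["perms"] = perms.group(1).split()
        events.setdefault(eid, {})[rtype] = fields
    return events

def inherited_fd_denials(events):
    """Heuristic: file AVCs raised during execve on something other than the exe."""
    hits = []
    for eid, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or not sc or avc.get("tclass") != "file" or "path" not in avc:
            continue
        perms = set(avc.get("perms", []))
        at_exec = (sc.get("arch"), sc.get("syscall")) == X86_64_EXECVE
        if at_exec and perms and perms <= FD_PERMS and avc["path"] != sc.get("exe"):
            hits.append({"event": eid, "comm": avc.get("comm"), "path": avc["path"],
                         "perms": sorted(perms), "scontext": avc.get("scontext"),
                         "tcontext": avc.get("tcontext")})
    return hits
```

A hit names the domain that inherited the descriptor (scontext) and the type of the file it points at (tcontext). The process that opened the file and then executed the command is the ppid in the SYSCALL record.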
Fixed in selinux-policy-3.7.19-18.fc13.noarch
selinux-policy-3.7.19-21.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-21.fc13
selinux-policy-3.7.19-21.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-21.fc13
selinux-policy-3.7.19-21.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
Still here with selinux-policy-3.7.19-23.fc13, so the bug has to be re-opened, because it is still not fixed.
FSW, please attach the latest AVC messages you are seeing.
So, here it is, in French, but it means the same as what can be seen in the original post. Good luck, and if you need something else, just tell me...

Résumé:

SELinux empêche /sbin/consoletype d'accéder au descripteur de fichier compromis /var/log/wicd/wicd.log.

Description détaillée:

[consoletype a un type permissif (consoletype_t). Cet accès n'a pas été refusé.]

SELinux a refusé l'accès requis par la commande consoletype. Il se pourrait que ce soit un descripteur «fuité» ou bien que la sortie de consoletype soit redirigée vers un fichier interdit d'accès. Les fuites peuvent généralement être ignorées puisque SELinux referme ces fuites et rapporte l'erreur. L'application n'utilise pas le descripteur, il fonctionnera donc correctement. Si c'est une redirection, vous n'aurez pas de sortie dans /var/log/wicd/wicd.log. Vous devriez signaler un bug à bugzilla sur selinux-policy et il sera redirigé vers le paquet approprié. Vous pouvez en toute sécurité ignorer

Autoriser l'accès:

Vous pouvez générer un module de politique de sécurité local afin d'autoriser cet accès - voir FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Informations complémentaires:

Contexte source               system_u:system_r:consoletype_t:s0
Contexte cible                system_u:object_r:NetworkManager_log_t:s0
Objets du contexte            /var/log/wicd/wicd.log [ file ]
source                        consoletype
Chemin de la source           /sbin/consoletype
Port                          <Inconnu>
Hôte                          (removed)
Paquetages RPM source         initscripts-9.12-1.fc13
Paquetages RPM cible
Politique RPM                 selinux-policy-3.7.19-23.fc13
Selinux activé                True
Type de politique             targeted
Mode strict                   Enforcing
Nom du plugin                 leaks
Nom de l'hôte                 (removed)
Plateforme                    Linux (removed) 2.6.33.5-112.fc13.x86_64 #1 SMP Thu May 27 02:28:31 UTC 2010 x86_64 x86_64
Compteur d'alertes            3
Première alerte               mer. 09 juin 2010 06:52:22 CEST
Dernière alerte               mer. 09 juin 2010 22:59:42 CEST
ID local                      38916182-39bf-4cf4-bd3c-c053b4cc566f
Numéros des lignes

Messages d'audit bruts

node=hubble.alternation type=AVC msg=audit(1276117182.260:27): avc: denied { append } for pid=1807 comm="consoletype" path="/var/log/wicd/wicd.log" dev=sda7 ino=393227 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:NetworkManager_log_t:s0 tclass=file

node=hubble.alternation type=SYSCALL msg=audit(1276117182.260:27): arch=c000003e syscall=59 success=yes exit=0 a0=a55c90 a1=a55760 a2=a52460 a3=10 items=0 ppid=1806 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="consoletype" exe="/sbin/consoletype" subj=system_u:system_r:consoletype_t:s0 key=(null)
Could you make sure the selinux-policy update did not fail on your machine?

yum -y reinstall selinux-policy-targeted
Sorry, I've just done it twice right now (once with "sudo", as I'm using it, and once with "su -", just to be sure) and rebooted each time, but it's still here!!!

Should I try a "yum -y erase selinux-policy-targeted" before a "yum -y install selinux-policy-targeted", just to see, or will my system break into pieces? =;)

I mean, I would normally try it with almost every single piece of software, but I'm not so at ease with SELinux and I'd rather be cautious with that one, as long as I don't understand anything of its voodoo (but I hope I will one day)...
Did you see an error when reinstalling selinux-policy-targeted?
Created attachment 424710
reinstall selinux-policy-targeted log

reinstall selinux-policy-targeted log (06/17/2010)
Hi, there's a new bug opened about this exact thing here:

Red Hat Bugzilla – Bug 596982: https://bugzilla.redhat.com/show_bug.cgi?id=596982

So, my try from today (see the log in attachment, id=424710), after updating, always brought the same error message:

Résumé: SELinux empêche /sbin/consoletype d'accéder au descripteur de fichier compromis /var/log/wicd/wicd.log.

But I also noticed this in /var/log/messages:

Jun 17 09:14:25 hubble setroubleshoot: SELinux empêche /sbin/consoletype d'accéder au descripteur de fichier compromis /var/log/wicd/wicd.log. For complete SELinux messages. run sealert -l 31d71d3c-5500-44ce-ae3d-b09b61b92e47

and also that I have 2 other SELinux alerts concerning refused "write" access.

First:

Résumé: SELinux empêche l'accès en "write" à /usr/bin/python on /usr/share/wicd/backends

Second:

Résumé: SELinux empêche l'accès en "write" à /usr/bin/python on /usr/lib/python2.6/site-packages/wicd

So, I didn't notice anything about those errors on https://admin.fedoraproject.org/pkgdb/acls/bugs/selinux-policy, so I might have to open 2 new bugs, or? In the meantime, I will add the 2 messages as attachments.

Anyway, they seem to be related, as all this began the moment I wanted to replace NetworkManager with Wicd, which doesn't scan my network every 2 minutes (Red Hat Bugzilla – Bug 490493), so let's keep up the good work, we will get it.

Ask if you need something more, but I can only reply tomorrow (busy day today =;)
Created attachment 424721
selinux_wicd-backends

"write" access refused by SELinux

Résumé: SELinux empêche l'accès en "write" à /usr/bin/python on /usr/share/wicd/backends
Created attachment 424722
selinux python wicd alert

"write" access refused by SELinux

Résumé: SELinux empêche l'accès en "write" à /usr/bin/python on /usr/lib/python2.6/site-packages/wicd
Created attachment 424725
selinux wicd.log alert

Alerted, but not refused by SELinux:

Résumé: SELinux empêche /sbin/consoletype d'accéder au descripteur de fichier compromis /var/log/wicd/wicd.log.

Description détaillée: [consoletype a un type permissif (consoletype_t). Cet accès n'a pas été refusé.]
This looks like your update was not successful. Could you execute

# yum reinstall selinux-policy-targeted

and watch for errors? After this successfully completes, could you execute

# sesearch -A -s consoletype_t -t NetworkManager_log_t