Bug 595283 - SELinux is preventing /sbin/setfiles access to a leaked /dev/null file descriptor.
Summary: SELinux is preventing /sbin/setfiles access to a leaked /dev/null file descri...
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda (Show other bugs)
(Show other bugs)
Version: 12
Hardware: x86_64 Linux
low
medium
Target Milestone: ---
Assignee: Anaconda Maintenance Team
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:5951803f1c4...
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-05-24 09:36 UTC by upgradeservices
Modified: 2013-01-10 05:58 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-05-24 21:16:49 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description upgradeservices 2010-05-24 09:36:59 UTC
Summary:

SELinux is preventing /sbin/setfiles access to a leaked /dev/null file
descriptor.

Detailed Description:

[restorecon has a permissive type (setfiles_t). This access was not denied.]

SELinux denied access requested by the restorecon command. It looks like this is
either a leaked descriptor or restorecon output was redirected to a file it is
not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the /dev/null. You should generate a bugzilla on selinux-policy, and
it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:device_t:s0
Target Objects                /dev/null [ file ]
Source                        restorecon
Source Path                   /sbin/setfiles
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           policycoreutils-2.0.82-4.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-114.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.32.12-115.fc12.x86_64 #1 SMP Fri Apr 30
                              19:46:25 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 24 May 2010 11:24:42 AM EDT
Last Seen                     Mon 24 May 2010 11:25:17 AM EDT
Local ID                      f1fccdf6-007b-4173-8ce7-442635146757
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1274714717.932:28544): avc:  denied  { write } for  pid=3447 comm="restorecon" path="/dev/null" dev=sda6 ino=174300 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1274714717.932:28544): arch=c000003e syscall=59 success=yes exit=0 a0=ed2830 a1=eccd60 a2=ecd2c0 a3=7fffd2f82060 items=0 ppid=3433 pid=3447 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  leaks,restorecon,setfiles_t,device_t,file,write
audit2allow suggests:

#============= setfiles_t ==============
allow setfiles_t device_t:file write;

Comment 1 upgradeservices 2010-05-24 09:37:27 UTC
was running pungi:
pungi --name=fx64 --ver=F12 --destdir=/somedir/p_dest --cachedir=/somedir/p_cache --nosource --nosplitmedia --force --config=/somedir/ks.cfg -G -C -B

Comment 2 Daniel Walsh 2010-05-24 15:49:17 UTC
THis looks like pungi and SELinux is not playing well together.

Comment 3 Daniel Walsh 2010-05-24 15:49:36 UTC
Does pungi create this device?

Comment 4 Jesse Keating 2010-05-24 20:34:54 UTC
Any device creation is done by buildinstall which is part of anaconda.

Comment 5 Chris Lumens 2010-05-24 21:16:49 UTC
I suggest you not use buildinstall under enforcing.  It's too special.


Note You need to log in before you can comment on or make changes to this bug.