Summary: SELinux is preventing /sbin/ifconfig access to a leaked /var/cfengine/outputs/cf_lap0048_210307_asenjo_nx_2010-06-23--23-20-22_1277328022 file descriptor.

Detailed Description:

[ifconfig has a permissive type (ifconfig_t). This access was not denied.]

SELinux denied access requested by the ifconfig command. It looks like this is either a leaked descriptor or ifconfig output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /var/cfengine/outputs/cf_lap0048_210307_asenjo_nx_2010-06-23--23-20-22_1277328022. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:ifconfig_t:s0
Target Context                unconfined_u:object_r:var_log_t:s0
Target Objects                /var/cfengine/outputs/cf_lap0048_210307_asenjo_nx_2010-06-23--23-20-22_1277328022 [ file ]
Source                        ifconfig
Source Path                   /sbin/ifconfig
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           net-tools-1.60-102.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-23.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.3-85.fc13.x86_64 #1 SMP Thu May 6 18:09:49 UTC 2010 x86_64 x86_64
Alert Count                   8
First Seen                    Wed 23 Jun 2010 09:00:19 PM CEST
Last Seen                     Wed 23 Jun 2010 11:20:23 PM CEST
Local ID                      e2c34be1-c7f0-4eb3-979d-be51b05ed7f7
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1277328023.40:66): avc: denied { write } for pid=6772 comm="ifconfig" path="/var/cfengine/outputs/cf_lap0048_210307_asenjo_nx_2010-06-23--23-20-22_1277328022" dev=dm-0 ino=525630 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1277328023.40:66): arch=c000003e syscall=59 success=yes exit=0 a0=7009a0 a1=24ccba0 a2=7fff236af080 a3=7fff236adc70 items=0 ppid=6714 pid=6772 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ifconfig" exe="/sbin/ifconfig" subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)

Hash String generated from  leaks,ifconfig,ifconfig_t,var_log_t,file,write
audit2allow suggests:

#============= ifconfig_t ==============
allow ifconfig_t var_log_t:file write;
This happens when I install cfengine 2.10 from the Fedora 13 repos on a workstation. This version of cfengine is in maintenance mode because cfengine3 is already out, so I do not think that backporting stuff like SELinux will be possible. How do I get rid of the warnings without turning SELinux off?
You can add a dontaudit policy to stop these avc's from happening:

# grep ifconfig_t /var/log/audit/audit.log | audit2allow -D -M mycfengine
# semodule -i mycfengine.pp

We need a policy for cfengine.
This has indeed stopped the messages. Can I apply this mycfengine.pp to any Red Hat based Linux installation? Is there a way to verify that this has been applied? I ask this because I would like to apply it with (yes) cfengine, so I want to check if this policy exists and, if it does not, apply it.
Forget my question, yes, I have now read the fine manual and see that semodule -l gets me everything I need; I just need to filter its output to see mycfengine. Thanks!
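The two steps above (build a dontaudit module from the audit log and install it, then check with semodule -l whether it is already loaded) combined into one idempotent script, as an added example that is not part of this bug thread or of cfengine itself. It takes the module name mycfengine and the audit log path from the thread; the only other assumption is that semodule -l prints one module per line with the name in the first column (older versions append a tab and a version), which the listing check relies on.

```shell
#!/bin/sh
# Added example (not from the bug report): idempotent install of the
# dontaudit module built with audit2allow, suitable for a cfengine
# shellcommands step. The module name comes from the thread.
MODULE=mycfengine
AUDIT_LOG=/var/log/audit/audit.log

# Succeed (exit 0) when the module name appears as the first column of a
# `semodule -l` listing read from stdin. Assumption: one module per line,
# name first, optionally followed by a tab and a version string.
module_in_listing() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Build the module from the audit log and install it only if it is not
# already loaded, so repeated cfengine runs do not keep rebuilding it.
ensure_module() {
    if semodule -l | module_in_listing "$MODULE"; then
        echo "$MODULE already installed"
        return 0
    fi
    grep ifconfig_t "$AUDIT_LOG" | audit2allow -D -M "$MODULE"
    semodule -i "$MODULE.pp"
}

# Usage: run as root with the argument "apply" to perform the install;
# without it the functions are only defined (handy for sourcing or tests).
if [ "${1:-}" = "apply" ]; then
    ensure_module
fi
```

The awk match is on the whole first column, so a module with a longer name that merely starts with mycfengine does not count as installed; grepping semodule -l loosely would.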
Miroslav, cfengine and puppet need pretty much the same access. (Everything).
*** This bug has been marked as a duplicate of bug 505549 ***