Bug 616358 - SELinux is preventing /sbin/modprobe access to a leaked fifo_file file descriptor.
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Release: rc
Assigned To: Daniel Walsh
QA Contact: Milos Malik
Keywords: RHELNAK, SELinux
Reported: 2010-07-20 05:10 EDT by Matěj Cepl
Modified: 2012-10-15 11:17 EDT
Fixed In Version: selinux-policy-3.7.19-33.el6
Doc Type: Bug Fix
Last Closed: 2010-11-10 16:35:21 EST
Attachments: None

Description Matěj Cepl 2010-07-20 05:10:27 EDT
Summary:

SELinux is preventing /sbin/modprobe access to a leaked fifo_file file
descriptor.

Detailed Description:

[modprobe is in permissive mode (insmod_t). Access was allowed.]

SELinux denied access requested by the modprobe command. It looks like this is
either a leaked descriptor or modprobe output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the fifo_file. You should generate a bugzilla on selinux-policy, and it will get
routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:insmod_t:s0-s0:c0.c1023
Target Context                system_u:system_r:virtd_t:s0-s0:c0.c1023
Target Objects                fifo_file [ fifo_file ]
Source                        modprobe
Source Path                   /sbin/modprobe
Port                          <Unknown>
Host                          johanka.ceplovi.cz
Source RPM Packages           module-init-tools-3.9-15.el6
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-32.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     johanka.ceplovi.cz
Platform                      Linux johanka.ceplovi.cz 2.6.32-44.1.el6.x86_64 #1
                              SMP Wed Jul 14 18:51:29 EDT 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 19 Jul 2010, 18:31:35 CEST
Last Seen                     Mon 19 Jul 2010, 18:31:35 CEST
Local ID                      d554c034-1ed8-45e8-b292-4163ce8589bf
Line Numbers                  

Raw Audit Messages            

node=johanka.ceplovi.cz type=AVC msg=audit(1279557095.616:12): avc:  denied  { write } for  pid=1986 comm="modprobe" path="pipe:[15870]" dev=pipefs ino=15870 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file

node=johanka.ceplovi.cz type=AVC msg=audit(1279557095.616:12): avc:  denied  { write } for  pid=1986 comm="modprobe" path="pipe:[15853]" dev=pipefs ino=15853 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file

node=johanka.ceplovi.cz type=SYSCALL msg=audit(1279557095.616:12): arch=c000003e syscall=59 success=yes exit=0 a0=ca1730 a1=7fff4b4f5e70 a2=7fff4b4f60c0 a3=7f42007129d0 items=0 ppid=1982 pid=1986 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:insmod_t:s0-s0:c0.c1023 key=(null)
Comment 2 Matěj Cepl 2010-07-20 05:29:30 EDT
Version of packages:
johanka:bugzilla-triage$ rpm -qa \*qemu\* \*virt\*
libvirt-devel-0.8.1-15.el6.x86_64
qemu-img-0.12.1.2-2.96.el6.x86_64
virt-viewer-0.2.1-2.el6.x86_64
virt-v2v-0.6.1-1.el6.x86_64
libvirt-client-0.8.1-15.el6.x86_64
libvirt-0.8.1-15.el6.x86_64
python-virtinst-0.500.3-5.el6.noarch
qemu-kvm-tools-0.12.1.2-2.96.el6.x86_64
libvirt-debuginfo-0.8.1-15.el6.x86_64
virt-manager-0.8.4-7.el6.noarch
libvirt-python-0.8.1-15.el6.x86_64
qemu-kvm-0.12.1.2-2.96.el6.x86_64
gpxe-roms-qemu-0.9.7-6.3.el6.noarch
Comment 3 RHEL Product and Program Management 2010-07-20 05:37:50 EDT
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **
Comment 4 Miroslav Grepl 2010-07-20 07:25:30 EDT
This looks like a leaked file descriptor.
Comment 5 Daniel Berrange 2010-07-20 07:30:01 EDT
What were you doing to trigger this problem ?
Comment 6 Daniel Walsh 2010-07-20 09:30:19 EDT
No this is not a leak.  It is a redirection of stdout.


virtd_t @ lvm_exec_t -> lvm_t @ insmod_exec_t ->insmod_t

lvm_domtrans(virtd_t) allows lvm_t to {read write} virtd_t:fifo_file, since this is stdin and stdout for lvm. But when lvm executes insmod_t it also just passes along the stdout/stdin to insmod_t, which ends up with this avc, since we are not allowing lvm_t to pass on the open file descriptors.

Miroslav, you have to add this allow for insmod_t.

And SELinux policy writers have to find a better way of encoding this behaviour into policy.
Comment 7 Daniel Walsh 2010-07-20 09:32:11 EDT
Rawhide now has

optional_policy(`
	virt_dontaudit_write_pipes(insmod_t)
')

########################################
## <summary>
##	Do not audit attempts to write virt daemon unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_dontaudit_write_pipes',`
	gen_require(`
		type virtd_t;
	')

	dontaudit $1 virtd_t:fifo_file write;
')
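The two AVC records from the description, decoded the way the "leaks" plugin reasons about them (an unnamed pipe keeps the label of the process that created it, so a fifo_file target whose role is system_r rather than object_r is a descriptor inherited across the virtd_t -> lvm_t -> insmod_t transitions described in Comment 6), and then collapsed into the single rule that Comment 7's virt_dontaudit_write_pipes(insmod_t) expands to. This is an added example written for this page; it is not setroubleshoot's, audit2allow's or the selinux-policy project's code. The function names (parse_avc, classify, policy_rule, local_module) and the module name local_insmod_virt are assumptions made here; the input lines are the page's own audit messages, embedded verbatim.

```python
import re

# Constructed input for this example: the two AVC records pasted in the bug
# description, copied verbatim.
AVC_SAMPLES = [
    'node=johanka.ceplovi.cz type=AVC msg=audit(1279557095.616:12): avc:  denied  { write } for  pid=1986 comm="modprobe" path="pipe:[15870]" dev=pipefs ino=15870 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file',
    'node=johanka.ceplovi.cz type=AVC msg=audit(1279557095.616:12): avc:  denied  { write } for  pid=1986 comm="modprobe" path="pipe:[15853]" dev=pipefs ino=15853 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file',
]

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one audit line into its AVC fields; None for non-AVC records (SYSCALL etc.)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """user:role:type:range -> type (e.g. insmod_t)."""
    return ctx.split(":")[2]


def classify(rec):
    """Explain the denial the way the 'leaks' plugin does.

    On-disk files carry the object_r role; an unnamed pipe instead keeps the
    label of the process that created it (here virtd_t, role system_r).  A
    fifo_file write denial on a pipe:[...] object labelled with another
    process domain therefore means the descriptor was inherited across a
    domain transition (redirected stdout/stdin or a leaked fd), not that
    modprobe opened a file it should not touch.
    """
    ctx = rec.get("tcontext", "")
    if (rec.get("tclass") == "fifo_file"
            and rec.get("path", "").startswith("pipe:[")
            and ctx.count(":") >= 2
            and ctx.split(":")[1] != "object_r"):
        return "inherited_pipe_from:" + context_type(ctx)
    return "other"


def fmt_perms(perms):
    """TE syntax: a single permission bare, several in braces."""
    perms = sorted(set(perms))
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def policy_rule(rec, action="dontaudit"):
    """One TE rule; 'dontaudit' is what Comment 7 chose, 'allow' what Comment 6 first asked for."""
    if action not in ("allow", "dontaudit"):
        raise ValueError(action)
    return "%s %s %s:%s %s;" % (action, context_type(rec["scontext"]),
                                context_type(rec["tcontext"]), rec["tclass"],
                                fmt_perms(rec["perms"]))


def local_module(lines, name="local_insmod_virt", action="dontaudit"):
    """Collapse the denials into checkmodule-style .te source (the layout
    audit2allow -M emits).  The two records differ only in pipe inode, so
    they yield one rule."""
    recs = [r for r in map(parse_avc, lines) if r and r["result"] == "denied"]
    types = sorted({context_type(r[k]) for r in recs for k in ("scontext", "tcontext")})
    classes = {}
    for r in recs:
        classes.setdefault(r["tclass"], set()).update(r["perms"])
    rules = sorted({policy_rule(r, action) for r in recs})
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (c, fmt_perms(p)) for c, p in sorted(classes.items())]
    out += ["}", ""] + rules
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line in AVC_SAMPLES:
        rec = parse_avc(line)
        print(rec["comm"], rec["path"], "->", classify(rec))
    print(local_module(AVC_SAMPLES))
```

The generated .te text is the local-module route the FAQ link in the description points at: `checkmodule -M -m -o local_insmod_virt.mod local_insmod_virt.te`, then `semodule_package -o local_insmod_virt.pp -m local_insmod_virt.mod` and `semodule -i local_insmod_virt.pp`. A dontaudit only silences the message; the write is still denied, so if the descriptor is a redirection whose output you actually need (the case the description warns about), generate the rule with action="allow" instead. Once selinux-policy-3.7.19-33.el6 is installed the local module is redundant and should be removed with `semodule -r`.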
Comment 8 Miroslav Grepl 2010-07-21 11:15:06 EDT
Fixed in selinux-policy-3.7.19-33.el6.noarch
Comment 11 releng-rhel@redhat.com 2010-11-10 16:35:21 EST
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.
