Summary:

SELinux is preventing /sbin/setfiles access to a leaked netlink_route_socket file descriptor.

Detailed Description:

[restorecon has a permissive type (setfiles_t). This access was not denied.]

SELinux denied access requested by the restorecon command. It looks like this is either a leaked descriptor or restorecon output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the netlink_route_socket. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                netlink_route_socket [ netlink_route_socket ]
Source                        restorecon
Source Path                   /sbin/setfiles
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           policycoreutils-2.0.82-4.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-121.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.19-163.fc12.i686 #1 SMP Wed Aug 18 11:39:59 UTC 2010 i686 athlon
Alert Count                   2
First Seen                    Sat 28 Aug 2010 10:40:32 PM MDT
Last Seen                     Sat 28 Aug 2010 10:40:32 PM MDT
Local ID                      faa26c80-3334-4f30-901c-b0009fdeb439
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1283056832.483:29744): avc: denied { read write } for pid=17037 comm="restorecon" path="socket:[264344]" dev=sockfs ino=264344 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=netlink_route_socket

node=(removed) type=SYSCALL msg=audit(1283056832.483:29744): arch=40000003 syscall=11 success=yes exit=0 a0=9573f80 a1=9574010 a2=9572bc8 a3=9574010 items=0 ppid=17036 pid=17037 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  leaks,restorecon,setfiles_t,unconfined_t,netlink_route_socket,read,write

audit2allow suggests:

#============= setfiles_t ==============
allow setfiles_t unconfined_t:netlink_route_socket { read write };
Miroslav, add

ifdef(`hide_broken_symptoms', `
	dontaudit setfiles_t $1:socket_class_set { read write };
')

to seutil_domtrans_setfiles in F12/F13.

Bob, do you have any idea what you were running when this happened? Were you updating software?
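The raw records in the report show why sealert filed this under its "leaks" plugin rather than as a real denial: the SYSCALL record has arch=40000003 (AUDIT_ARCH_I386) and syscall=11, which is execve on i386, so the AVC fired while the kernel re-validated the descriptors restorecon inherited from its unconfined parent against the new setfiles_t domain, and the object is an anonymous socket (path="socket:[...]", dev=sockfs) that setfiles never asked for. The script below is an added example, not part of this bug report and not setroubleshoot's own code; it applies an approximation of that leak heuristic to audit records grouped by serial and prints either the dontaudit line that the fix in this bug takes (for a leak) or the audit2allow-style allow line (for anything else). The first event is the one quoted above; the second (an httpd_t write denial, serial 29801) is constructed for contrast. The execve syscall table covers i386, x86_64 and aarch64 only.

```python
"""Classify SELinux AVC records as descriptor leaks across execve.

Added example, not part of the bug report or of setroubleshoot. It approximates
the reasoning sealert's "leaks" plugin applies: an AVC on an anonymous socket or
pipe, for read/write only, attached to the SYSCALL record of an execve, is a
descriptor the parent left open, not an access the exec'd program requested.
"""
import re
from collections import defaultdict

# execve syscall numbers keyed by the audit arch field as auditd prints it.
# 40000003 = AUDIT_ARCH_I386, c000003e = AUDIT_ARCH_X86_64, c00000b7 = AUDIT_ARCH_AARCH64.
EXECVE_BY_ARCH = {"40000003": 11, "c000003e": 59, "c00000b7": 221}

# Constructed sample log: the two records from the report above (serial 29744)
# plus a made-up ordinary file denial (serial 29801) that is not a leak.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1283056832.483:29744): avc:  denied  { read write } for  pid=17037 comm="restorecon" path="socket:[264344]" dev=sockfs ino=264344 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=netlink_route_socket
type=SYSCALL msg=audit(1283056832.483:29744): arch=40000003 syscall=11 success=yes exit=0 a0=9573f80 a1=9574010 a2=9572bc8 a3=9574010 items=0 ppid=17036 pid=17037 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1283056900.100:29801): avc:  denied  { write } for  pid=2211 comm="httpd" name="upload.log" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1283056900.100:29801): arch=40000003 syscall=5 success=no exit=-13 a0=bfa3d1c0 a1=8241 a2=1b6 a3=0 items=1 ppid=2200 pid=2211 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

RECORD_HEAD = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\)")
PERMS = re.compile(r"\{ ([^}]*) \}")
KEYVAL = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one audit line into a dict; None for lines that are not records."""
    head = RECORD_HEAD.search(line)
    if not head:
        return None
    rec = {"type": head.group(1), "time": head.group(2), "serial": int(head.group(3))}
    perms = PERMS.search(line)
    rec["perms"] = perms.group(1).split() if perms else []
    for key, value in KEYVAL.findall(line):
        rec.setdefault(key, value.strip('"'))
    return rec


def selinux_type(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def analyze(audit_text):
    """Group records by audit serial and classify each AVC. Returns {serial: [result, ...]}."""
    by_serial = defaultdict(list)
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]].append(rec)

    results = {}
    for serial, records in by_serial.items():
        syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
        in_execve = (
            syscall is not None
            and EXECVE_BY_ARCH.get(syscall.get("arch")) == int(syscall.get("syscall", -1))
        )
        for avc in (r for r in records if r["type"] == "AVC"):
            anonymous_object = (
                avc.get("dev") in ("sockfs", "pipefs")
                or avc.get("path", "").startswith(("socket:[", "pipe:["))
            )
            rw_only = set(avc["perms"]) <= {"read", "write"}
            # Leak: the kernel re-checks every inherited fd against the new
            # domain at execve time; the exec'd program never opened it.
            leak = in_execve and anonymous_object and rw_only
            sdom, ttype = selinux_type(avc["scontext"]), selinux_type(avc["tcontext"])
            # Leaks are silenced with dontaudit (the route the fix in this bug
            # takes); anything else gets the audit2allow-style allow line,
            # which is a starting point for investigation, not a rule to ship.
            kind = "dontaudit" if leak else "allow"
            rule = f"{kind} {sdom} {ttype}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};"
            results.setdefault(serial, []).append(
                {"comm": avc.get("comm"), "leak": leak, "in_execve": in_execve, "rule": rule}
            )
    return results


if __name__ == "__main__":
    for serial, items in sorted(analyze(SAMPLE_AUDIT).items()):
        for item in items:
            tag = "LEAK (safe to dontaudit)" if item["leak"] else "real denial"
            print(f"{serial} {item['comm']}: {tag}: {item['rule']}")
```

On a live system the same function can be fed the output of ausearch -m avc,syscall -ts recent, which emits AVC and SYSCALL records interleaved; grouping on the audit serial is what pairs each denial with the system call that triggered it. The dontaudit line the script prints for serial 29744 is the per-domain form of the rule the comment above adds to seutil_domtrans_setfiles.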
I just exited out of system-config-network
In my case the system was just waking up from a suspend, and for some reason came up with networking disabled. I had to restart NetworkManager to get networking back on, but the AVC occurred prior to my doing that. That's not a reproducible scenario. Normally that laptop wakes up from suspend just fine, with no AVCs.

kernel-2.6.32.19-163.fc12.i686
NetworkManager-0.8.1-3.git20100813.fc12.i686
selinux-policy-3.6.32-121.fc12.noarch
selinux-policy-targeted-3.6.32-121.fc12.noarch
Robert, are you sure you have the same symptoms? unconfined_t should not be involved in a suspend/resume.
Created attachment 442248: sealert report

All I know is that sealert linked to this bug when I clicked on "Report." Here's an attachment with the full report.
Can you get it to happen again?
Yes, I've found a way to get that AVC to happen very easily. It is only indirectly related to the NetworkManager problem. If, from the System->Administration menu, I click on "Network" and supply the root password to bring up system-config-network, then I get that AVC twice. I do not see any AVCs if I invoke system-config-network from a terminal running a root shell. This is on a system where all interfaces are being controlled by NetworkManager, so system-config-network has nothing it can control anyway. Hope that helps.
This means that something in the login procedure is leaking a link to netlink_route_socket. Perhaps xdm?
I see this in F12 x86_64 when running system-config-network and selecting File/Save (to test the fix for bug 589593). Don't believe I saw it in F13 or higher when doing the same thing. Was sent here automatically when sending the sealert report.
I got the trouble after running my laptop on low/critical power. After plugging in the power and restarting the computer (Acer Extensa 5620, Fedora 12) the networking (wlan) didn't come up. Within NetworkManager the button/action "Enable Networking" couldn't be activated properly, and the console command "/etc/init.d/network restart" (or start) failed for the wlan interface. I remember that I had this trouble many times before. Additional comment: during the shutdown due to low power I was watching a Flash video in Mozilla Firefox 3.5.12.
Fixed in selinux-policy-3.6.32-123.fc12
selinux-policy-3.6.32-123.fc12 has been submitted as an update for Fedora 12. https://admin.fedoraproject.org/updates/selinux-policy-3.6.32-123.fc12
selinux-policy-3.6.32-123.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.6.32-123.fc12
selinux-policy-3.6.32-123.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.