Summary: SELinux is preventing /sbin/consoletype access to a leaked netlink_route_socket file descriptor.

Detailed Description:
[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the consoletype command. It looks like this is either a leaked descriptor or consoletype output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the netlink_route_socket. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:
Source Context        unconfined_u:system_r:consoletype_t:s0-s0:c0.c1023
Target Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects        netlink_route_socket [ netlink_route_socket ]
Source                consoletype
Source Path           /sbin/consoletype
Port                  <Unknown>
Host                  (removed)
Source RPM Packages   initscripts-9.20.1-1.fc14
Target RPM Packages
Policy RPM            selinux-policy-3.9.5-7.fc14
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Permissive
Plugin Name           leaks
Host Name             (removed)
Platform              Linux (removed) 2.6.35.4-28.fc14.x86_64 #1 SMP Wed Sep 15 01:56:54 UTC 2010 x86_64 x86_64
Alert Count           4
First Seen            Tue 05 Oct 2010 03:14:32 PM PDT
Last Seen             Tue 05 Oct 2010 03:26:23 PM PDT
Local ID              e9cde653-181c-487c-9da9-e4d3d5a892e5
Line Numbers

Raw Audit Messages
node=(removed) type=AVC msg=audit(1286317583.691:27500): avc: denied { read write } for pid=7001 comm="consoletype" path="socket:[194112]" dev=sockfs ino=194112 scontext=unconfined_u:system_r:consoletype_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=netlink_route_socket
node=(removed) type=SYSCALL msg=audit(1286317583.691:27500): arch=c000003e syscall=59 success=yes exit=0 a0=dd7890 a1=dd78f0 a2=dd8c00 a3=0 items=0 ppid=7000 pid=7001 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="consoletype" exe="/sbin/consoletype" subj=unconfined_u:system_r:consoletype_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  leaks,consoletype,consoletype_t,unconfined_t,netlink_route_socket,read,write

audit2allow suggests:
#============= consoletype_t ==============
allow consoletype_t unconfined_t:netlink_route_socket { read write };
This happened while using system-config-network to deactivate/activate networking in a configuration without NetworkManager. The denial in Bug 632812, Comment 3 happened at the same time.
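The two raw audit records in the report are what setroubleshoot's "leaks" plugin reasons over. As an added example that is not part of this bug and not setroubleshoot's own code, the Python below pairs each AVC record with the SYSCALL record carrying the same audit serial and calls the denial a leaked descriptor when the denied object is a socket or pipe, the target context differs from the source context, and the syscall that triggered it was execve. The execve numbers (59 on x86_64 arch c000003e, 11 on i386 arch 40000003), the socket/pipe heuristic, and the third and fourth records (a constructed ordinary open() denial, included for contrast) are assumptions of this example. It also prints the audit2allow-style rule so the two can be read side by side.

```python
import re

# The first two records are the audit messages from this bug report, with the
# node= field dropped. The last two are CONSTRUCTED for this example: an
# ordinary open() denial on a file, which must not be reported as a leak.
AUDIT_LINES = [
    'type=AVC msg=audit(1286317583.691:27500): avc: denied { read write } for pid=7001 comm="consoletype" path="socket:[194112]" dev=sockfs ino=194112 scontext=unconfined_u:system_r:consoletype_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=netlink_route_socket',
    'type=SYSCALL msg=audit(1286317583.691:27500): arch=c000003e syscall=59 success=yes exit=0 a0=dd7890 a1=dd78f0 a2=dd8c00 a3=0 items=0 ppid=7000 pid=7001 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="consoletype" exe="/sbin/consoletype" subj=unconfined_u:system_r:consoletype_t:s0-s0:c0.c1023 key=(null)',
    'type=AVC msg=audit(1286317600.000:27501): avc: denied { read } for pid=7010 comm="consoletype" name="shadow" dev=dm-0 ino=1234 scontext=unconfined_u:system_r:consoletype_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1286317600.000:27501): arch=c000003e syscall=2 success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=0 ppid=7000 pid=7010 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="consoletype" exe="/sbin/consoletype" subj=unconfined_u:system_r:consoletype_t:s0-s0:c0.c1023 key=(null)',
]

RECORD_HEAD = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
PERMS = re.compile(r"denied\s*\{\s*([^}]*?)\s*\}")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# execve syscall number keyed by the audit arch value. Assumption of this
# example: only x86_64 and i386 records are of interest.
EXECVE_BY_ARCH = {"c000003e": 59, "40000003": 11}


def parse_record(line):
    """Split one audit record into a dict of its key=value fields (None if not a record)."""
    m = RECORD_HEAD.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": m.group("ts"), "serial": m.group("serial")}
    rest = m.group("rest")
    pm = PERMS.search(rest)
    if pm:
        rec["perms"] = pm.group(1).split()
    for key, value in KV.findall(rest):
        rec[key] = value.strip('"')
    return rec


def type_of(context):
    """user:role:type:range -> type."""
    return context.split(":")[2]


def looks_like_descriptor(avc):
    """Heuristic (assumption): the denied object is an already-open socket or pipe."""
    path = avc.get("path", "")
    return (path.startswith(("socket:[", "pipe:["))
            or avc.get("dev") == "sockfs"
            or avc.get("tclass", "").endswith("socket"))


def classify(lines):
    """Group records by audit serial; for each AVC decide whether it is a leaked fd."""
    by_serial = {}
    for line in lines:
        rec = parse_record(line)
        if rec:
            by_serial.setdefault(rec["serial"], {})[rec["type"]] = rec
    findings = []
    for serial in sorted(by_serial, key=int):
        recs = by_serial[serial]
        avc = recs.get("AVC")
        if avc is None:
            continue
        sc = recs.get("SYSCALL", {})
        # The denial was raised while the kernel was executing a new image.
        during_execve = ("syscall" in sc
                         and EXECVE_BY_ARCH.get(sc.get("arch")) == int(sc["syscall"]))
        # The object was created by a different domain than the one now holding it.
        cross_domain = avc["scontext"] != avc["tcontext"]
        findings.append({
            "serial": serial,
            "comm": avc.get("comm"),
            "source_type": type_of(avc["scontext"]),
            "target_type": type_of(avc["tcontext"]),
            "tclass": avc["tclass"],
            "perms": avc.get("perms", []),
            "leaked_fd": during_execve and cross_domain and looks_like_descriptor(avc),
        })
    return findings


def suggest_rule(finding):
    """The allow rule audit2allow would print for this denial."""
    return "allow %s %s:%s { %s };" % (
        finding["source_type"], finding["target_type"],
        finding["tclass"], " ".join(finding["perms"]))


if __name__ == "__main__":
    for f in classify(AUDIT_LINES):
        verdict = "leaked descriptor (ignore / dontaudit)" if f["leaked_fd"] else "real denial"
        print("serial %s comm=%s: %s" % (f["serial"], f["comm"], verdict))
        print("  audit2allow would say:", suggest_rule(f))
```

The reason to classify before pasting anything into a local module: the rule audit2allow prints would grant consoletype_t read/write on every unconfined_t netlink route socket, which is far wider than this bug warrants. The report itself says the avc can be ignored for a leak, and the fix belongs in whichever parent left the descriptor open, not in policy.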
This is a leaked file descriptor. I am not sure where the leak is occurring. What are you using for password database? Ldap?
(In reply to comment #2)
> This is a leaked file descriptor.
>
> I am not sure where the leak is occurring. What are you using for password
> database? Ldap?

Whatever the default is for a gnome desktop install.

I do not get avc denials in enforcing mode, but I do see an error message(s?) about stderr flash by in a text box when enabling networking (after disabling) with system-config-network.

With strace I was able to capture some error messages. Full log to follow.

$ sudo strace -f -e write=1,2 system-config-network 2>x8.strace
$ less -N x8.strace
...
31614 [pid  4391] rt_sigaction(SIGCHLD, {SIG_DFL, [], SA_RESTORER, 0x383f8340e0}, {0x43f4e0, [], SA_RESTORER, 0x383f8340e0}, 8) = 0
31615 [pid  4391] open("/dev/stderr", O_RDONLY) = -1 EACCES (Permission denied)
31616 [pid  4391] open("/dev/stderr", O_RDONLY) = -1 EACCES (Permission denied)
31617 [pid  4391] fstat(2, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
31618 [pid  4391] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fca4112a000
31619 [pid  4391] write(2, "/etc/init.d/functions: line 51: "..., 63 <unfinished ...>
31620 [pid  4270] <... select resumed> ) = 1 (in [19], left {0, 12896})
...
31643 [pid  4270] select(20, [19], [], [], {0, 100000} <unfinished ...>
31644 [pid  4391] <... write resumed> ) = 63
31645  | 00000  2f 65 74 63 2f 69 6e 69  74 2e 64 2f 66 75 6e 63  /etc/ini t.d/func |
31646  | 00010  74 69 6f 6e 73 3a 20 6c  69 6e 65 20 35 31 3a 20  tions: l ine 51:  |
31647  | 00020  2f 64 65 76 2f 73 74 64  65 72 72 3a 20 50 65 72  /dev/std err: Per |
31648  | 00030  6d 69 73 73 69 6f 6e 20  64 65 6e 69 65 64 0a     mission  denied.  |
31649 [pid  4391] exit_group(1)         = ?
31650 Process 4390 resumed
31651 Process 4391 detached
...
Created attachment 451932 [details] strace log while running system-config-network $ sudo strace -f -e write=1,2 system-config-network 2>x8.strace
The strace log was captured with these packages installed: $ rpm -qa 'selinux*' initscripts system-config-network | sort initscripts-9.20.1-1.fc14.x86_64 selinux-policy-3.9.5-10.fc14.noarch selinux-policy-targeted-3.9.5-10.fc14.noarch system-config-network-1.6.1-1.fc14.noarch
This looks like system-config-network is leaking an open file descriptor to consoletype. I think the leak happens from system-config-network running as unconfined_t which executes dhclient transitioning to dhcpc_t which then transitions to consoletype_t. In enforcing mode dhcpc_t closes the open unconfined_t descriptor and there is a dontaudit rule. But in permissive mode the open descriptor is not closed so it ends up going to consoletype_t.
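The chain described in that comment (a socket opened while running as unconfined_t still sitting in the fd table when dhclient and then consoletype are exec'd) comes down to whether FD_CLOEXEC is set on the descriptor. As an added illustration, not code from this bug, from initscripts or from system-config-network, the Python below (Linux, 3.7 or later) opens a socket, execs a child and checks whether the child can still reach it, once with close-on-exec cleared and once set. socketpair() stands in for the netlink socket in the report and the child probe is a construction of this example. inheritable_fds() is the check one would run inside the suspected parent to answer the "where is the leak" question asked earlier in this bug: it lists the descriptors the current process would hand to anything it execs.

```python
import os
import socket
import stat
import subprocess
import sys

# Program run in the child after execve (constructed for this example). It
# reports whether the descriptor number passed on the command line still
# refers to a socket in the child's fd table.
CHILD_PROBE = """
import os, stat, sys
fd = int(sys.argv[1])
try:
    print("socket" if stat.S_ISSOCK(os.fstat(fd).st_mode) else "other")
except OSError:
    print("closed")
"""


def fd_survives_exec(close_on_exec):
    """Open a socket, exec a child, return True if the child can still reach it.

    socketpair() plays the role of the parent's netlink socket."""
    ours, peer = socket.socketpair()
    try:
        fd = ours.fileno()
        # FD_CLOEXEC is the only thing the kernel consults at execve. Python
        # 3.4+ sets it on every new descriptor, so the leak is opted into here
        # by clearing it, exactly what a C parent gets by default.
        os.set_inheritable(fd, not close_on_exec)
        proc = subprocess.run(
            [sys.executable, "-c", CHILD_PROBE, str(fd)],
            close_fds=False,  # a parent that does not scrub its fd table before exec
            capture_output=True, text=True, check=True,
        )
        return proc.stdout.strip() == "socket"
    finally:
        ours.close()
        peer.close()


def inheritable_fds():
    """Descriptors of the current process that would survive an execve."""
    try:
        candidates = [int(n) for n in os.listdir("/proc/self/fd")]  # Linux
    except OSError:
        candidates = range(1024)  # no /proc: probe a fixed range instead
    leaked = []
    for fd in candidates:
        try:
            if os.get_inheritable(fd):  # FD_CLOEXEC not set
                leaked.append(fd)
        except OSError:
            pass  # closed in the meantime (e.g. listdir's own directory handle)
    return leaked


def marked_socket_is_reported():
    """A socket whose FD_CLOEXEC was cleared must show up in inheritable_fds()."""
    a, b = socket.socketpair()
    try:
        os.set_inheritable(a.fileno(), True)
        return a.fileno() in inheritable_fds()
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    print("child still holds the socket, FD_CLOEXEC cleared:", fd_survives_exec(False))
    print("child still holds the socket, FD_CLOEXEC set:    ", fd_survives_exec(True))
    print("descriptors this process would leak to a child:", inheritable_fds())
```

Run under strace -f, the second case is what a correctly written parent looks like: the child never sees the socket, so there is nothing for a domain transition to deny. The comment above describes enforcing mode producing the same outcome by closing the inherited descriptor at the dhcpc_t transition; the dontaudit only silences the report, it does not change which process the descriptor reaches, which is why the leak is still worth fixing in the parent.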
*** Bug 677793 has been marked as a duplicate of this bug. ***
This message is a notice that Fedora 14 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 14. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '14' have been closed as WONTFIX. (Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.) Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version. Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 14 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping