Description of problem:
found by accident

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.7.19-80.el6.noarch
selinux-policy-doc-3.7.19-80.el6.noarch
selinux-policy-3.7.19-80.el6.noarch
selinux-policy-targeted-3.7.19-80.el6.noarch
selinux-policy-minimum-3.7.19-80.el6.noarch

How reproducible:
always

Steps to Reproduce:
(the kernel booted up with enforcing=0, root is logged in via console)

# id -Z
root:sysadm_r:sysadm_t:s0-s15:c0.c1023
# runlevel
S 3
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        mls
# run_init service libvirtd status
Authenticating root.
Password:
libvirtd is stopped
# run_init service libvirtd start
Authenticating root.
Password:
Starting libvirtd daemon:                                  [ OK ]
Bridge firewalling registered
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk>
device virbr0-nic entered promiscuous mode
virbr0: starting userspace STP failed, starting kernel STP
ip_tables: (C) 2000-2006 Netfilter Core Team
nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
Ebtables v2.0 registered
ip6_tables: (C) 2000-2006 Netfilter Core Team
lo: Disabled Privacy Extensions
#

Actual results:
----
time->Wed Mar 30 10:08:23 2011
type=SYSCALL msg=audit(1301494103.277:85): arch=40000003 syscall=197 success=yes exit=0 a0=2 a1=bff3b0fc a2=cffff4 a3=3 items=0 ppid=2033 pid=2045 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:insmod_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1301494103.277:85): avc: denied { getattr } for pid=2045 comm="modprobe" path="pipe:[15441]" dev=pipefs ino=15441 scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s15:c0.c1023 tclass=fifo_file
----

Expected results:
no AVCs
When I repeat the same procedure in enforcing mode I see no AVCs.
This looks like virtd is leaking an open file descriptor to a fifo_file. Probably stdin/stdout/stderr.
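The denial in this report carries the usual leaked-descriptor signature: an anonymous pipe (path pipe:[...], tclass fifo_file) that the kernel labels with its creator's domain (virtd_t) but that is touched from a different domain (insmod_t, the modprobe that libvirtd spawned). As an added example that is not part of this report or of the selinux-policy project, here is a small Python parser that picks such events out of audit.log text; the two records from the report are embedded as the sample, and the field handling is my own rather than ausearch's or setroubleshoot's.

```python
import re
from collections import defaultdict

# Constructed sample: the two records from this report (one audit event, serial 85).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1301494103.277:85): arch=40000003 syscall=197 success=yes exit=0 a0=2 a1=bff3b0fc a2=cffff4 a3=3 items=0 ppid=2033 pid=2045 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:insmod_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1301494103.277:85): avc: denied { getattr } for pid=2045 comm="modprobe" path="pipe:[15441]" dev=pipefs ino=15441 scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s15:c0.c1023 tclass=fifo_file
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')  # the { perm perm ... } set
EVENT_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')   # audit event serial number

def parse_record(line):
    """Turn one audit record into a dict; quoted values lose their quotes."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = PERMS_RE.search(line)
    if m:
        fields["perms"] = set(m.group(1).split())
    m = EVENT_RE.search(line)
    fields["event"] = m.group(1) if m else None
    return fields

def domain(context):
    """user:role:type[:range] -> the type component (the SELinux domain)."""
    return context.split(":")[2]

def find_leaked_fds(audit_text):
    """Return (event, exe, source domain, target domain, path) for every AVC that
    fits the leaked-descriptor pattern: an anonymous pipe or socket, which is
    labelled with the domain of the process that created it, accessed by a
    process running in a different domain. The SYSCALL record of the same
    event supplies the executable that tripped the denial."""
    events = defaultdict(dict)
    for line in audit_text.splitlines():
        rec = parse_record(line)
        events[rec["event"]][rec.get("type")] = rec
    leaks = []
    for event, recs in events.items():
        avc = recs.get("AVC")
        if not avc:
            continue
        path = avc.get("path", "")
        anonymous = path.startswith(("pipe:[", "socket:["))
        if anonymous and domain(avc["scontext"]) != domain(avc["tcontext"]):
            exe = recs.get("SYSCALL", {}).get("exe", "?")
            leaks.append((event, exe, domain(avc["scontext"]),
                          domain(avc["tcontext"]), path))
    return leaks
```

A hit points at the program named by the target domain (here virtd_t) as the one that left the descriptor open across exec; the source domain is only the victim that inherited it.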
I think we only care about enforcing mode.