SELinux is preventing /sbin/consoletype from 'write' accesses on the fifo_file fifo_file.

***** Plugin leaks (50.5 confidence) suggests ******************************

If you want to ignore consoletype trying to write access the fifo_file fifo_file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /sbin/consoletype /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

***** Plugin catchall (50.5 confidence) suggests ***************************

If you believe that consoletype should be allowed write access on the fifo_file fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep consoletype /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:consoletype_t:s0-s0:c0.c1023
Target Context                system_u:system_r:udev_t:s0-s0:c0.c1023
Target Objects                fifo_file [ fifo_file ]
Source                        consoletype
Source Path                   /sbin/consoletype
Port                          <Неизвестно>
Host                          (removed)
Source RPM Packages           initscripts-9.20.2-1.fc14.1
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-40.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.13-91.fc14.x86_64 #1 SMP Tue May 3 13:23:06 UTC 2011 x86_64 x86_64
Alert Count                   4
First Seen                    Втр 17 Май 2011 09:38:19
Last Seen                     Втр 17 Май 2011 09:39:29
Local ID                      de3712c1-cfe4-448d-8679-cf27d7a7f39d

Raw Audit Messages
type=AVC msg=audit(1305610769.186:226): avc: denied { write } for pid=11515 comm="consoletype" path="pipe:[1209537]" dev=pipefs ino=1209537 scontext=system_u:system_r:consoletype_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=fifo_file

type=SYSCALL msg=audit(1305610769.186:226): arch=x86_64 syscall=execve success=yes exit=0 a0=25645f0 a1=2562590 a2=2560900 a3=0 items=0 ppid=11514 pid=11515 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=consoletype exe=/sbin/consoletype subj=system_u:system_r:consoletype_t:s0-s0:c0.c1023 key=(null)

Hash: consoletype,consoletype_t,udev_t,fifo_file,write

audit2allow

#============= consoletype_t ==============
allow consoletype_t udev_t:fifo_file write;

audit2allow -R

#============= consoletype_t ==============
allow consoletype_t udev_t:fifo_file write;

Can you reproduce this issue? I don't see how this would be needed. udev runs consoletype in the udev_t domain.
This is a transition problem. udev_t transitioned to another domain, which transitioned to consoletype_t. Likely culprit sysnet_domtrans_dhcpc(udev_t). So the fifo_file opened by udev is eventually handed to consoletype and SELinux blocks the access. Probably should just turn on the domtrans and deal with the leaked file descriptors.
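
Added example, not part of the thread and not selinux-policy or setroubleshoot code: a triage heuristic for the pattern the comment above describes, where a denial logged during execve on a pipe or socket labelled with another domain's type points to an inherited descriptor rather than access the program asked for. The function name, the `FD_CLASSES` set and the second (httpd) event are assumptions made for illustration.

```python
import re

# Event 226 is the AVC/SYSCALL pair from this report (SYSCALL shortened); event 300 is constructed.
SAMPLE = """\
type=AVC msg=audit(1305610769.186:226): avc: denied { write } for pid=11515 comm="consoletype" path="pipe:[1209537]" dev=pipefs ino=1209537 scontext=system_u:system_r:consoletype_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1305610769.186:226): arch=x86_64 syscall=execve success=yes exit=0 ppid=11514 pid=11515 comm=consoletype exe=/sbin/consoletype
type=AVC msg=audit(1305610800.000:300): avc: denied { read } for pid=2000 comm="httpd" name="index.html" dev=dm-0 ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1305610800.000:300): arch=x86_64 syscall=open success=no exit=-13 pid=2000 comm=httpd exe=/usr/sbin/httpd
"""

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{\s*([^}]*?)\s*\}")
EXECVE = {"execve", "59"}  # 59 is execve on x86_64 in uninterpreted records
# Assumption: classes normally reached through an inherited descriptor, not opened by name.
FD_CLASSES = {"fifo_file", "unix_stream_socket", "tcp_socket", "udp_socket"}


def likely_fd_leaks(log_text):
    """Return (comm, source_type, target_type, tclass, perms) per probable leaked descriptor."""
    events = {}
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        # AVC and SYSCALL records of one event share the same audit id.
        ev = events.setdefault(m.group(1), {"avcs": [], "syscall": None})
        perms = PERMS.search(line)
        if fields.get("type") == "AVC" and "denied" in line and perms:
            fields["perms"] = tuple(perms.group(1).split())
            ev["avcs"].append(fields)
        elif fields.get("type") == "SYSCALL":
            ev["syscall"] = fields.get("syscall")
    leaks = []
    for ev in events.values():
        # Inherited descriptors are rechecked while execve() enters the new domain.
        if ev["syscall"] not in EXECVE:
            continue
        for avc in ev["avcs"]:
            src = avc["scontext"].split(":")[2]
            tgt = avc["tcontext"].split(":")[2]
            if avc["tclass"] in FD_CLASSES and src != tgt:
                leaks.append((avc["comm"], src, tgt, avc["tclass"], avc["perms"]))
    return leaks


if __name__ == "__main__":
    print(likely_fd_leaks(SAMPLE))
```

A hit from this check is a candidate for a dontaudit rule or for closing the descriptor in the parent, rather than for an allow rule.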
My attempt to fix this is in master branch: http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=ae7b2255d6993dbd63d0a1342f05e6282c19551d
Fixed in selinux-policy-3.9.7-42.fc14
selinux-policy-3.9.7-42.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-42.fc14
Package selinux-policy-3.9.7-42.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-42.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-42.fc14
then log in and leave karma (feedback).
selinux-policy-3.9.7-42.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.