Bug 732937 - SELinux is preventing /sbin/ldconfig from 'append' accesses on the chr_file /dev/tty3.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:c8b638e061c2b1576641bcb7cb9...
Depends On:
Blocks:
 
Reported: 2011-08-24 08:12 UTC by Michal Nowak
Modified: 2013-03-08 02:12 UTC (History)

Fixed In Version: selinux-policy-3.10.0-38.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-09 19:35:47 UTC
Type: ---
Embargoed:



Description Michal Nowak 2011-08-24 08:12:58 UTC
abrt version: 2.0.5
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.0.0-1.fc16.x86_64
reason:         SELinux is preventing /sbin/ldconfig from 'append' accesses on the chr_file /dev/tty3.
time:           Wed Aug 24 10:12:42 2011

description:
:SELinux is preventing /sbin/ldconfig from 'append' accesses on the chr_file /dev/tty3.
:
:*****  Plugin leaks (50.5 confidence) suggests  ******************************
:
:If you want to ignore ldconfig trying to append access the tty3 chr_file, because you believe it should not need this access.
:Then you should report this as a bug.  
:You can generate a local policy module to dontaudit this access.
:Do
:# grep /sbin/ldconfig /var/log/audit/audit.log | audit2allow -D -M mypol
:# semodule -i mypol.pp
:
:*****  Plugin catchall (50.5 confidence) suggests  ***************************
:
:If you believe that ldconfig should be allowed append access on the tty3 chr_file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep ldconfig /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:tty_device_t:s0
:Target Objects                /dev/tty3 [ chr_file ]
:Source                        ldconfig
:Source Path                   /sbin/ldconfig
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           glibc-2.14.90-4
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-15.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux nilgiri 3.0.0-1.fc16.x86_64 #1 SMP Fri Jul 22 16:09:29 UTC 2011 x86_64 x86_64
:Alert Count                   1
:First Seen                    Wed 24 Aug 2011 10:11:44 AM CEST
:Last Seen                     Wed 24 Aug 2011 10:11:44 AM CEST
:Local ID                      c211495f-45f6-405c-bc3b-78c827325d11
:
:Raw Audit Messages
:type=AVC msg=audit(1314173504.293:69): avc:  denied  { append } for  pid=15478 comm="ldconfig" path="/dev/tty3" dev=devtmpfs ino=4063 scontext=unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
:
:
:type=AVC msg=audit(1314173504.293:69): avc:  denied  { read write } for  pid=15478 comm="ldconfig" path="/dev/mapper/control" dev=devtmpfs ino=5557 scontext=unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
:
:
:type=SYSCALL msg=audit(1314173504.293:69): arch=x86_64 syscall=execve success=yes exit=0 a0=265b020 a1=266c300 a2=2696a80 a3=7fffc5558830 items=0 ppid=2199 pid=15478 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=ldconfig exe=/sbin/ldconfig subj=unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c1023 key=(null)
:
:Hash: ldconfig,ldconfig_t,tty_device_t,chr_file,append
:
:audit2allow
:
:#============= ldconfig_t ==============
:allow ldconfig_t lvm_control_t:chr_file { read write };
:allow ldconfig_t tty_device_t:chr_file append;
:
:audit2allow -R
:
:#============= ldconfig_t ==============
:allow ldconfig_t lvm_control_t:chr_file { read write };
:allow ldconfig_t tty_device_t:chr_file append;
:
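
As an added example (not code from this report, from setroubleshoot, or from audit2allow itself), the following Python reproduces what the `audit2allow` step in the two plugin suggestions does with the raw AVC records above: it parses the `type=AVC` lines, unions the denied permissions per source type, target type and object class, and renders either `allow` rules or, as `audit2allow -D` would, the `dontaudit` form that Comment 9 describes. The `comm` filter stands in for the `grep` step; note that `grep /sbin/ldconfig`, as written in the first suggestion, matches only the SYSCALL record on this page (`exe=/sbin/ldconfig`), because the AVC records carry `comm="ldconfig"`, whereas the second suggestion's `grep ldconfig` matches both. The sample records are copied from the report (the SYSCALL line abridged); the module layout approximates audit2allow's output and is an assumption of this example, not its code.

```python
"""Minimal audit2allow-style rule generator for AVC denial records (added example)."""
import re
from collections import defaultdict

# Constructed sample input: the two AVC records and an abridged copy of the
# SYSCALL record quoted in the report. The SYSCALL record carries no denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1314173504.293:69): avc:  denied  { append } for  pid=15478 comm="ldconfig" path="/dev/tty3" dev=devtmpfs ino=4063 scontext=unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1314173504.293:69): avc:  denied  { read write } for  pid=15478 comm="ldconfig" path="/dev/mapper/control" dev=devtmpfs ino=5557 scontext=unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1314173504.293:69): arch=x86_64 syscall=execve success=yes exit=0 ppid=2199 pid=15478 auid=1000 uid=0 gid=0 comm=ldconfig exe=/sbin/ldconfig subj=unconfined_u:unconfined_r:ldconfig_t:s0-s0:c0.c1023 key=(null)
"""

# Fields of an AVC denial record: permission set, process name, both contexts, object class.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Extract the type field from a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def merge_denials(log_text, comm=None):
    """Parse AVC denial records and union permissions per (source type, target type, class).

    `comm` filters on the process name the kernel logged (comm="..."), which is the
    basename rather than the full path; records of other types never match.
    """
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m or (comm is not None and m['comm'] != comm):
            continue
        key = (context_type(m['scontext']), context_type(m['tcontext']), m['tclass'])
        merged[key].update(m['perms'].split())
    return dict(merged)


def format_perms(perms, braces_always=False):
    """Render a permission set as policy syntax: a bare name or a braced list."""
    perms = sorted(perms)
    if len(perms) == 1 and not braces_always:
        return perms[0]
    return '{ ' + ' '.join(perms) + ' }'


def generate_rules(merged, dontaudit=False):
    """Render rules in audit2allow's layout: a banner per source type, one rule per key.

    dontaudit=True mirrors `audit2allow -D`: the access is still denied, just not logged.
    """
    keyword = 'dontaudit' if dontaudit else 'allow'
    lines, current = [], None
    for stype, ttype, tclass in sorted(merged):
        if stype != current:
            lines.append(f'#============= {stype} ==============')
            current = stype
        lines.append(f'{keyword} {stype} {ttype}:{tclass} {format_perms(merged[(stype, ttype, tclass)])};')
    return '\n'.join(lines)


def generate_module(merged, name='mypol', dontaudit=False):
    """Render a complete .te source (module header, require block, rules), as `-M name` would."""
    types = sorted({t for stype, ttype, _ in merged for t in (stype, ttype)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in merged.items():
        classes[tclass].update(perms)
    require = ['require {']
    require += [f'\ttype {t};' for t in types]
    require += [f'\tclass {c} {format_perms(classes[c], braces_always=True)};' for c in sorted(classes)]
    require.append('}')
    return '\n'.join([f'module {name} 1.0;', ''] + require + ['', generate_rules(merged, dontaudit)]) + '\n'


if __name__ == '__main__':
    # The second plugin's procedure: grep for the process name, then build a module.
    print(generate_module(merge_denials(SAMPLE_AUDIT_LOG, comm='ldconfig'), 'mypol'))
```

The union step is the part to keep in mind when generating local policy from a log: one run over a noisy audit log grants every permission any process in that domain was ever denied, which is why the discussion here prefers a dontaudit for the expected tty write and a fix in the caller for the leaked lvm control descriptor rather than a blanket allow.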

Comment 1 Daniel Walsh 2011-08-26 21:30:37 UTC
What app were you running when this happened? These are clearly leaks.

lvm?

Comment 2 Michal Nowak 2011-08-29 09:16:31 UTC
(In reply to comment #1)
> What app were you running when this happened these are clearly leaks.

No idea...

> lvm?

Not intentionally.


I was just exploring F16's GNOME Shell experience.

Comment 3 Daniel Walsh 2011-08-29 16:08:03 UTC
Ok well unless you can get it to happen again and figure out which app causes it, there is not much we can do.

I would figure it was some kind of control app.

Comment 4 Adam Williamson 2011-09-23 22:45:46 UTC
I hit this during a live install of F16 (using a personal build with various pre-Beta RC2 builds in it).

I'll re-open if it turns out to consistently happen during Beta RC2 live installs.

Comment 5 Kamil Páral 2011-09-27 11:33:33 UTC
I hit this when doing a default install of Fedora 16 Beta RC3 x86_64 Live. The notification popped up at the end of the installation (around bootloader installation).

Comment 6 Daniel Walsh 2011-09-27 13:16:11 UTC
It very well could be leaks from the installation program.

Comment 7 Kamil Páral 2011-09-27 14:29:54 UTC
I've seen it again, when installing on bare metal from the Live image. It seems easily reproducible. What should I do to help debug this?

Comment 8 Daniel Walsh 2011-09-29 14:30:32 UTC
It is probably something anaconda is leaking, although the append to tty_device_t might be intentional.

Comment 9 Daniel Walsh 2011-09-29 14:33:03 UTC
I added a couple of dontaudit rules to stop ldconfig_t from complaining, although these will not cause anything to break.

Should be in selinux-policy-3.10.0-35.fc16

Comment 10 Chris Lumens 2011-09-30 20:58:30 UTC
This could be anaconda's logging code:

pyanaconda/isys/log.c:    main_log_tty = fopen("/dev/tty3", "a");

I'm afraid I don't know enough about the problem space here to know what's wrong or how to fix it.  Got any pointers?

Comment 11 Daniel Walsh 2011-10-03 14:54:29 UTC
Chris, you are not doing anything wrong; I think we should just dontaudit these accesses.

The lvm_control is the one I would like to see fixed.  Outputting to a tty is expected.

Comment 12 Fedora Update System 2011-10-04 11:16:41 UTC
selinux-policy-3.10.0-36.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-36.fc16

Comment 13 Fedora Update System 2011-10-04 20:49:19 UTC
Package selinux-policy-3.10.0-36.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-36.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-36.fc16
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2011-10-09 19:35:47 UTC
selinux-policy-3.10.0-38.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

