Summary:

SELinux is preventing /sbin/setfiles access to a leaked netlink_route_socket
file descriptor.

Detailed Description:

[restorecon has a permissive type (setfiles_t). This access was not denied.]

SELinux denied access requested by the restorecon command. It looks like this is
either a leaked descriptor or restorecon output was redirected to a file it is
not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the netlink_route_socket. You should generate a bugzilla on
selinux-policy, and it will get routed to the appropriate package. You can
safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c102
                              3
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                netlink_route_socket [ netlink_route_socket ]
Source                        restorecon
Source Path                   /sbin/setfiles
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           policycoreutils-2.0.74-4.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.i686 #1 SMP
                              Sat Nov 7 21:41:45 EST 2009 i686 i686
Alert Count                   6
First Seen                    Sun 06 Nov 2011 11:29:40 PM CST
Last Seen                     Sun 06 Nov 2011 11:29:43 PM CST
Local ID                      a86ae5a7-034c-42b0-91f2-c5779c9d2284
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1320643783.749:161): avc:  denied  { read write } for  pid=4616 comm="restorecon" path="socket:[127765]" dev=sockfs ino=127765 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=netlink_route_socket

node=(removed) type=SYSCALL msg=audit(1320643783.749:161): arch=40000003 syscall=11 success=yes exit=0 a0=87cc6c8 a1=87cc758 a2=87cba30 a3=87cc758 items=0 ppid=4615 pid=4616 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-41.fc12,leaks,restorecon,setfiles_t,unconfined_t,netlink_route_socket,read,write
audit2allow suggests:installExceptionHandler() takes no arguments (1 given)


#============= setfiles_t ==============
allow setfiles_t unconfined_t:netlink_route_socket { read write };