Hide Forgot
Description of problem: See subject. Version-Release number of selected component (if applicable): selinux-policy-3.10.0-56.fc16.noarch selinux-policy-targeted-3.10.0-56.fc16.noarch How reproducible: No idea. Steps to Reproduce: No idea. I was building an f15 package in a local mock-chroot on F16 when SELinux rose this warning. Actual results: # sealert -l 478fdd4d-9d85-438c-8603-b05deba84576 SELinux is preventing /sbin/consoletype from read access on the chr_file /dev/null. ***** Plugin restorecon (98.5 confidence) suggests ************************* If you want to fix the label. /dev/null default label should be null_device_t. Then you can run restorecon. Do # /sbin/restorecon -v /dev/null ***** Plugin leaks (1.48 confidence) suggests ****************************** If you want to ignore consoletype trying to read access the null chr_file, because you believe it should not need this access. Then you should report this as a bug. You can generate a local policy module to dontaudit this access. Do # grep /sbin/consoletype /var/log/audit/audit.log | audit2allow -D -M mypol # semodule -i mypol.pp ***** Plugin catchall (1.48 confidence) suggests *************************** If you believe that consoletype should be allowed read access on the null chr_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep consoletype /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional info: I am occasionally observing f15-mock chroots to do bizarre things (e.g. to kill ypbind). My guess is something in f15 or in mock is massively leaking.
Update: This SEalert seems to originate from a package's _testsuite_, which deliberately tries to open /dev/null for reading.
Could you add full AVC msg? # grep consoletype /var/log/audit/audit.log
Here it is: # grep consoletype /var/log/audit/audit.log type=AVC msg=audit(1322290024.889:2186): avc: denied { read } for pid=1433 comm="consoletype" path="/dev/null" dev=sda3 ino=2359815 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=chr_file type=AVC msg=audit(1322290024.889:2186): avc: denied { write } for pid=1433 comm="consoletype" path="/dev/null" dev=sda3 ino=2359815 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=chr_file type=SYSCALL msg=audit(1322290024.889:2186): arch=c000003e syscall=59 success=yes exit=0 a0=6fc9d0 a1=707140 a2=707390 a3=7fffd43437b0 items=0 ppid=1432 pid=1433 auid=8690 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="consoletype" exe="/sbin/consoletype" subj=unconfined_u:system_r:consoletype_t:s0 key=(null) FYI: I meanwhile have a deterministic reproducer: One of these is rebuilding the perl-Plack package (From Fedora's git/master or rawhide) in a fedora-rawhide mock on fedora-16.
Another reproducer: Rebuild the perl-Starlet package from fedora's git in mock on fedora-16.
We have the similar bug. *** This bug has been marked as a duplicate of bug 745287 ***