Additional info:
libreport version: 2.0.18
kernel: 3.6.10-2.fc17.x86_64

description:
:SELinux is preventing /usr/sbin/ethtool from 'write' accesses on the file /var/log/tuned/tuned.log.
:
:***** Plugin leaks (86.2 confidence) suggests ******************************
:
:If you want to ignore ethtool trying to write access the tuned.log file, because you believe it should not need this access.
:Then you should report this as a bug.
:You can generate a local policy module to dontaudit this access.
:Do
:# grep /usr/sbin/ethtool /var/log/audit/audit.log | audit2allow -D -M mypol
:# semodule -i mypol.pp
:
:***** Plugin catchall (14.7 confidence) suggests ***************************
:
:If you believe that ethtool should be allowed write access on the tuned.log file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep ethtool /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context system_u:system_r:ifconfig_t:s0
:Target Context system_u:object_r:tuned_log_t:s0
:Target Objects /var/log/tuned/tuned.log [ file ]
:Source ethtool
:Source Path /usr/sbin/ethtool
:Port <Unknown>
:Host (removed)
:Source RPM Packages ethtool-3.2-2.fc17.x86_64
:Target RPM Packages
:Policy RPM selinux-policy-3.10.0-161.fc17.noarch
:Selinux Enabled True
:Policy Type targeted
:Enforcing Mode Enforcing
:Host Name (removed)
:Platform Linux (removed) 3.6.10-2.fc17.x86_64 #1 SMP Tue
: Dec 11 18:07:34 UTC 2012 x86_64 x86_64
:Alert Count 20
:First Seen 2012-12-26 15:13:48 EST
:Last Seen 2012-12-26 15:32:50 EST
:Local ID 64cbfe4f-e6b5-488f-a586-8ca38d45c567
:
:Raw Audit Messages
:type=AVC msg=audit(1356553970.628:705): avc: denied { write } for pid=29711 comm="ethtool" path="/var/log/tuned/tuned.log" dev="dm-1" ino=262182 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:tuned_log_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1356553970.628:705): arch=x86_64 syscall=execve success=yes exit=0 a0=7fcb4005cc10 a1=7fcb400073e0 a2=7fff4334e6a8 a3=20 items=0 ppid=836 pid=29711 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ethtool exe=/usr/sbin/ethtool subj=system_u:system_r:ifconfig_t:s0 key=(null)
:
:Hash: ethtool,ifconfig_t,tuned_log_t,file,write
:
:audit2allow
:
:#============= ifconfig_t ==============
:allow ifconfig_t tuned_log_t:file write;
:
:audit2allow -R
:
:#============= ifconfig_t ==============
:allow ifconfig_t tuned_log_t:file write;
:

Potential duplicate bug: 751851
Looks like tuned is leaking a file descriptor to its log file, or it is passing this as stdout?
If it is passing it as stdout can you open it for append rather than write. Eric, is there any way to know which file descriptor is being used? If we could determine STDIN or STDERR we could assume it is intentional versus a different FD, which is a leak.
There is no way today, but we could include that in the AVC...
I am not able to reproduce this particular AVC, but I confirm that the FD is leaking. I will provide the fix soon.
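The distinction discussed above (log file passed as stdio versus a leaked descriptor), as an added example that is not part of this bug report, tuned's code, or the upstream commit. It assumes Linux with /proc and Python 3; all names and the temporary tuned.log are hypothetical. Because current Python marks descriptors non-inheritable by default, the leaking case re-creates an inheritable descriptor explicitly.

```python
import os
import subprocess
import sys
import tempfile

# Runs in the child: report which of its descriptors refer to the log file.
CHILD = r"""
import os, sys
want = os.stat(sys.argv[1])
for name in os.listdir('/proc/self/fd'):
    try:
        st = os.fstat(int(name))
    except OSError:  # the descriptor used for the listing is already closed
        continue
    if (st.st_dev, st.st_ino) == (want.st_dev, want.st_ino):
        sys.stderr.write(name + '\n')
"""

def log_fds_in_child(log, inheritable, close_fds, as_stdout=False):
    """Return the child's fd numbers that refer to the parent's log file."""
    os.set_inheritable(log.fileno(), inheritable)  # False sets FD_CLOEXEC
    proc = subprocess.run(
        [sys.executable, "-c", CHILD, log.name],
        stdout=log if as_stdout else subprocess.DEVNULL,
        stderr=subprocess.PIPE,
        close_fds=close_fds,
        check=True,
    )
    return sorted(int(n) for n in proc.stderr.split())

def classify(fds):
    """Triage rule from the thread: fd 0-2 looks intentional, any other fd is a leak."""
    if not fds:
        return "not inherited"
    return "leak" if any(fd > 2 for fd in fds) else "passed as stdio"

def demo():
    with tempfile.TemporaryDirectory() as d:
        # Constructed log file, opened for append as suggested in the thread.
        with open(os.path.join(d, "tuned.log"), "a") as log:
            return {
                "inherited": classify(log_fds_in_child(log, True, False)),
                "stdout": classify(log_fds_in_child(log, False, True, as_stdout=True)),
                "cloexec": classify(log_fds_in_child(log, False, False)),
                "close_fds": classify(log_fds_in_child(log, True, True)),
            }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:10} {verdict}")
```

Either mitigation alone (close-on-exec on the log descriptor, or closing descriptors above 2 when spawning the helper) keeps the log file out of the child's descriptor table.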
Upstream commit: http://git.fedorahosted.org/cgit/tuned.git/commit/?id=cf71606eaf9b6c8a099044bf9764de42afca3956 The backport to F17 will follow.
tuned-2.0.1-5.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/tuned-2.0.1-5.fc17
tuned-2.1.2-1.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/tuned-2.1.2-1.fc18
Package tuned-2.1.2-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing tuned-2.1.2-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-0068/tuned-2.1.2-1.fc18
then log in and leave karma (feedback).
tuned-2.0.1-5.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.