Bug 890435 - SELinux is preventing /usr/sbin/ethtool from 'write' accesses on the file /var/log/tuned/tuned.log.
Summary: SELinux is preventing /usr/sbin/ethtool from 'write' accesses on the file /va...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: tuned
Version: 17
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Jaroslav Škarvada
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:fe97ed9a47d95446cd0ad801253...
Depends On:
Blocks:
Reported: 2012-12-26 21:53 UTC by Fred Weigel
Modified: 2013-01-12 15:18 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-12 15:18:31 UTC


Attachments
File: type (9 bytes, text/plain)
2012-12-26 21:53 UTC, Fred Weigel
File: hashmarkername (14 bytes, text/plain)
2012-12-26 21:53 UTC, Fred Weigel

Description Fred Weigel 2012-12-26 21:53:51 UTC
Additional info:
libreport version: 2.0.18
kernel:         3.6.10-2.fc17.x86_64

description:
:SELinux is preventing /usr/sbin/ethtool from 'write' accesses on the file /var/log/tuned/tuned.log.
:
:*****  Plugin leaks (86.2 confidence) suggests  ******************************
:
:If you want to ignore ethtool trying to write access the tuned.log file, because you believe it should not need this access.
:Then you should report this as a bug.  
:You can generate a local policy module to dontaudit this access.
:Do
:# grep /usr/sbin/ethtool /var/log/audit/audit.log | audit2allow -D -M mypol
:# semodule -i mypol.pp
:
:*****  Plugin catchall (14.7 confidence) suggests  ***************************
:
:If you believe that ethtool should be allowed write access on the tuned.log file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep ethtool /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:ifconfig_t:s0
:Target Context                system_u:object_r:tuned_log_t:s0
:Target Objects                /var/log/tuned/tuned.log [ file ]
:Source                        ethtool
:Source Path                   /usr/sbin/ethtool
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           ethtool-3.2-2.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-161.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.10-2.fc17.x86_64 #1 SMP Tue
:                              Dec 11 18:07:34 UTC 2012 x86_64 x86_64
:Alert Count                   20
:First Seen                    2012-12-26 15:13:48 EST
:Last Seen                     2012-12-26 15:32:50 EST
:Local ID                      64cbfe4f-e6b5-488f-a586-8ca38d45c567
:
:Raw Audit Messages
:type=AVC msg=audit(1356553970.628:705): avc:  denied  { write } for  pid=29711 comm="ethtool" path="/var/log/tuned/tuned.log" dev="dm-1" ino=262182 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:tuned_log_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1356553970.628:705): arch=x86_64 syscall=execve success=yes exit=0 a0=7fcb4005cc10 a1=7fcb400073e0 a2=7fff4334e6a8 a3=20 items=0 ppid=836 pid=29711 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ethtool exe=/usr/sbin/ethtool subj=system_u:system_r:ifconfig_t:s0 key=(null)
:
:Hash: ethtool,ifconfig_t,tuned_log_t,file,write
:
:audit2allow
:
:#============= ifconfig_t ==============
:allow ifconfig_t tuned_log_t:file write;
:
:audit2allow -R
:
:#============= ifconfig_t ==============
:allow ifconfig_t tuned_log_t:file write;
:


Potential duplicate bug: 751851

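The raw AVC line in the description carries everything needed to decide between the two setroubleshoot suggestions above: the source domain (ifconfig_t, ethtool's domain), the target type (tuned_log_t, another service's log), and the class and permission. The parser below is an added example, not part of this report or of tuned/setroubleshoot; it extracts those fields from an AVC record, reconstructs the allow rule audit2allow would print, and applies the heuristic the maintainers use in the comments: a denied write to some other service's *_log_t file by an unrelated domain is more likely an inherited file descriptor than intended behaviour, so the fix belongs in the spawning program rather than in policy. The sample line is the one quoted in this report; the helper names (parse_avc, suggested_allow_rule, is_fd_leak_candidate) are my own.

```python
import re

# Sample input: the AVC record quoted in this bug report (constructed copy).
SAMPLE_AVC = (
    'type=AVC msg=audit(1356553970.628:705): avc:  denied  { write } for  pid=29711 '
    'comm="ethtool" path="/var/log/tuned/tuned.log" dev="dm-1" ino=262182 '
    'scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:tuned_log_t:s0 '
    'tclass=file'
)

# "avc:  denied  { write } for  key=value ..." ; permissions may be several, e.g. "{ read write }"
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC audit record into a dict, or return None if it is not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # A context is user:role:type:level; the type is what policy rules are written against.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    return rec


def suggested_allow_rule(rec):
    """Rebuild the rule audit2allow would emit for this record (the 'catchall' option)."""
    perms = rec["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (rec["scontext_type"], rec["tcontext_type"],
                                   rec["tclass"], perm_text)


def is_fd_leak_candidate(rec):
    """Heuristic from the discussion in this bug: a denied file write where the target
    is some service's *_log_t and the source is not that service's own domain
    (tuned_log_t belongs to tuned_t, not ifconfig_t) points at an inherited descriptor."""
    ttype = rec.get("tcontext_type") or ""
    if not (rec["result"] == "denied" and "write" in rec["perms"]
            and rec.get("tclass") == "file" and ttype.endswith("_log_t")):
        return False
    owner_domain = ttype[: -len("_log_t")] + "_t"
    return rec.get("scontext_type") != owner_domain


if __name__ == "__main__":
    record = parse_avc(SAMPLE_AVC)
    print("source domain :", record["scontext_type"])
    print("target type   :", record["tcontext_type"])
    print("audit2allow   :", suggested_allow_rule(record))
    print("fd leak?      :", is_fd_leak_candidate(record))
```

For the record above the reconstructed rule is exactly the "allow ifconfig_t tuned_log_t:file write;" that audit2allow printed in the description, and the heuristic flags it, which matches how the thread was resolved: the descriptor leak in tuned was fixed instead of the policy being widened.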
Comment 1 Fred Weigel 2012-12-26 21:53:54 UTC
Created attachment 669398 [details]
File: type

Comment 2 Fred Weigel 2012-12-26 21:53:56 UTC
Created attachment 669399 [details]
File: hashmarkername

Comment 3 Miroslav Grepl 2012-12-27 11:08:32 UTC
Looks like tuned is leaking a file descriptor to its log file, or it is passing this as stdout?

Comment 4 Daniel Walsh 2012-12-27 16:16:29 UTC
If it is passing it as stdout can you open it for append rather than write.

Eric, is there any way to know which file descriptor is being used?  If we could determine STDIN or STDERR we could assume it is intentional versus a different FD, is a leak.

Comment 5 Eric Paris 2012-12-27 16:26:19 UTC
There is no way today, but we could include that in the AVC...

Comment 6 Jaroslav Škarvada 2013-01-02 14:53:00 UTC
I am not able to reproduce this particular AVC, but I confirm that the FD is leaking. I will provide the fix soon.

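The leak confirmed in comment 6 is the classic pattern: the daemon opens its log file, later spawns a helper with execve(), and the open log descriptor survives into the helper, so the kernel attributes any write through it to the helper's domain (ifconfig_t here) rather than the daemon's. The following is an added example, not tuned's code, that reproduces the leak and the two fixes in a small Python program: open the log with O_CLOEXEC (non-inheritable), or spawn children with close_fds=True. Python 2, which tuned used at the time, left descriptors inheritable and did not close them in subprocess by default; Python 3.4 and later flip both defaults, so the leaky path below re-enables inheritance on purpose to model the old behaviour. The function names and the stand-in child program are my own.

```python
"""Reproduce a log-file descriptor leaking into a spawned helper, and the fixes.
Added example; not code from the tuned project."""
import os
import subprocess
import sys
import tempfile

# Stand-in for the spawned helper (ethtool in the report): it is told a descriptor
# number and reports the device:inode behind it, or "closed" if the number is not open.
CHILD_PROGRAM = (
    "import os, sys\n"
    "fd = int(sys.argv[1])\n"
    "try:\n"
    "    st = os.fstat(fd)\n"
    "    print('%d:%d' % (st.st_dev, st.st_ino))\n"
    "except OSError:\n"
    "    print('closed')\n"
)


def open_log(path, inheritable):
    """Open a log file for append.
    inheritable=True models a Python 2 style open() without O_CLOEXEC;
    inheritable=False is the fix on the file side (O_CLOEXEC / non-inheritable)."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND
    if not inheritable:
        flags |= os.O_CLOEXEC
    fd = os.open(path, flags, 0o644)
    os.set_inheritable(fd, inheritable)  # explicit, so the demo does not depend on defaults
    return fd


def helper_inherited_log(log_fd, close_fds):
    """Spawn the helper the way a daemon would and check whether the *same file*
    (compared by device:inode, not just the fd number) is open in the child."""
    st = os.fstat(log_fd)
    expected = "%d:%d" % (st.st_dev, st.st_ino)
    proc = subprocess.run(
        [sys.executable, "-c", CHILD_PROGRAM, str(log_fd)],
        close_fds=close_fds, capture_output=True, text=True,
    )
    return proc.stdout.strip() == expected


def run_scenario(inheritable, close_fds):
    """True means the log descriptor leaked into the helper."""
    with tempfile.TemporaryDirectory() as tmp:
        fd = open_log(os.path.join(tmp, "tuned.log"), inheritable)
        try:
            return helper_inherited_log(fd, close_fds)
        finally:
            os.close(fd)


if __name__ == "__main__":
    print("inheritable fd, close_fds=False (the bug) :", run_scenario(True, False))
    print("inheritable fd, close_fds=True  (spawn fix):", run_scenario(True, True))
    print("O_CLOEXEC fd,   close_fds=False (open fix) :", run_scenario(False, False))
```

Only the first scenario leaks. Either fix alone is enough; using both is the safer default for a daemon that runs external tools, because it covers descriptors opened by libraries the daemon does not control as well as its own. This also answers the question in comment 4 from the daemon's side: if the helper is meant to write to the log, pass it explicitly (as stdout/stderr, or via pass_fds) rather than relying on inheritance of whatever happens to be open.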
Comment 7 Jaroslav Škarvada 2013-01-02 15:16:23 UTC
Upstream commit:
http://git.fedorahosted.org/cgit/tuned.git/commit/?id=cf71606eaf9b6c8a099044bf9764de42afca3956

The backport to F17 will follow.

Comment 8 Fedora Update System 2013-01-02 15:47:21 UTC
tuned-2.0.1-5.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/tuned-2.0.1-5.fc17

Comment 9 Fedora Update System 2013-01-02 16:21:30 UTC
tuned-2.1.2-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/tuned-2.1.2-1.fc18

Comment 10 Fedora Update System 2013-01-02 20:18:49 UTC
Package tuned-2.1.2-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing tuned-2.1.2-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-0068/tuned-2.1.2-1.fc18
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2013-01-12 15:18:33 UTC
tuned-2.0.1-5.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
