Bug 974325 - SELinux is preventing /usr/bin/kmod from 'write' accesses on the file /tmp/ffi87eUX8 (deleted).
SELinux is preventing /usr/bin/kmod from 'write' accesses on the file /tmp/ff...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
19
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:911e57aa6cfebabea62b31eaeee...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-13 21:16 EDT by Moez Roy
Modified: 2013-06-14 23:07 EDT (History)
3 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-52.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-06-14 23:07:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Moez Roy 2013-06-13 21:16:55 EDT
Description of problem:
SELinux is preventing /usr/bin/kmod from 'write' accesses on the file /tmp/ffi87eUX8 (deleted).

*****  Plugin leaks (86.2 confidence) suggests  ******************************

If you want to ignore kmod trying to write access the ffi87eUX8 (deleted) file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/bin/kmod /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests  ***************************

If you believe that kmod should be allowed write access on the ffi87eUX8 (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep modprobe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:insmod_t:s0
Target Context                system_u:object_r:firewalld_tmp_t:s0
Target Objects                /tmp/ffi87eUX8 (deleted) [ file ]
Source                        modprobe
Source Path                   /usr/bin/kmod
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           kmod-13-2.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-48.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.4-301.fc19.x86_64 #1 SMP Tue
                              Jun 4 00:30:04 UTC 2013 x86_64 x86_64
Alert Count                   22
First Seen                    2013-06-13 21:12:02 EDT
Last Seen                     2013-06-13 21:12:03 EDT
Local ID                      5f95783a-b133-45da-96a1-a90e5c5cb041

Raw Audit Messages
type=AVC msg=audit(1371172323.362:516): avc:  denied  { write } for  pid=2737 comm="modprobe" path=2F746D702F666669383765555838202864656C6574656429 dev="tmpfs" ino=15010 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:firewalld_tmp_t:s0 tclass=file


type=SYSCALL msg=audit(1371172323.362:516): arch=x86_64 syscall=execve success=yes exit=0 a0=110bce0 a1=1108050 a2=1066200 a3=7fff25e40680 items=0 ppid=292 pid=2737 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:insmod_t:s0 key=(null)

Hash: modprobe,insmod_t,firewalld_tmp_t,file,write

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.4-301.fc19.x86_64
type:           libreport
Comment 1 Miroslav Grepl 2013-06-14 01:29:11 EDT
This is a leak.

commit 2985e4ef98960a90ee65a5b349b6bd7f197f74c9
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Fri Jun 14 07:28:54 2013 +0200

    Dontaudit leak fd from firewalld for modprobe
Comment 2 Fedora Update System 2013-06-14 03:24:18 EDT
selinux-policy-3.12.1-52.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19
Comment 3 Fedora Update System 2013-06-14 23:07:15 EDT
selinux-policy-3.12.1-52.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.