pipefs AVC

Dominick Grift domg472 at gmail.com
Sun Aug 29 10:48:27 UTC 2010 

On 08/29/2010 12:36 AM, Mr Dash Four wrote:
> I am currently writing a policy file for an application which listens to 
> a particular port and also communicates with mysqld. During its start-up 
> (from a script executed in init.d) I am getting the following AVCs:
> 
> =================================
> type=AVC msg=audit(1283028441.852:19): avc:  denied  { read } for  
> pid=1868 comm="voip_sandbox" path="pipe:[11951]" dev=pipefs ino=11951 
> scontext=unconfined_u:system_r:voip_sandbox_t:s0 
> tcontext=unconfined_u:system_r:voip_sandbox_t:s0 tclass=fifo_file
> type=AVC msg=audit(1283028441.851:18): avc:  denied  { write } for  
> pid=1866 comm="voip_sandbox" path="pipe:[11951]" dev=pipefs ino=11951 
> scontext=unconfined_u:system_r:voip_sandbox_t:s0 
> tcontext=unconfined_u:system_r:voip_sandbox_t:s0 tclass=fifo_file
> type=SYSCALL msg=audit(1283028441.852:19): arch=40000003 syscall=3 
> per=400000 success=no exit=-13 a0=6 a1=9d58864 a2=94 a3=0 items=0 
> ppid=1866 pid=1868 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 
> egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="voip_sandbox" 
> exe="/usr/local/bin/voip_sandbox" 
> subj=unconfined_u:system_r:voip_sandbox_t:s0 key=(null)
> type=SYSCALL msg=audit(1283028441.851:18): arch=40000003 syscall=4 
> per=400000 success=no exit=-13 a0=7 a1=bf894480 a2=94 a3=bf894480 
> items=0 ppid=1 pid=1866 auid=0 uid=496 gid=496 euid=496 suid=496 
> fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 
> comm="voip_sandbox" exe="/usr/local/bin/voip_sandbox" 
> subj=unconfined_u:system_r:voip_sandbox_t:s0 key=(null)
> type=AVC msg=audit(1283028441.863:20): avc:  denied  { write } for  
> pid=1866 comm="voip_sandbox" path="pipe:[11951]" dev=pipefs ino=11951 
> scontext=unconfined_u:system_r:voip_sandbox_t:s0 
> tcontext=unconfined_u:system_r:voip_sandbox_t:s0 tclass=fifo_file
> type=SYSCALL msg=audit(1283028441.863:20): arch=40000003 syscall=4 
> per=400000 success=no exit=-13 a0=7 a1=bf8945c0 a2=94 a3=bf8945c0 
> items=0 ppid=1 pid=1866 auid=0 uid=496 gid=496 euid=496 suid=496 
> fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 
> comm="voip_sandbox" exe="/usr/local/bin/voip_sandbox" 
> subj=unconfined_u:system_r:voip_sandbox_t:s0 key=(null)
> =================================
> 
> Both pids 1868 and 1866 are related and spawned by the main application. 
> I take it there is a pipe which needs to be created and accessible to 
> both processes. How do I find out what pipe it is (name, location) and 
> how do I prevent this AVCs from happening? Many thanks!

its a fifo_file on device pipefs with name/path: pipe:[11951]

This type of internal communication is very common. We use the following
policy for this:

allow voip_sandbox_t self:fifo_file rw_fifo_file_perms;

> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100829/03e5d4bf/attachment.bin

More information about the selinux mailing list