pipefs AVC
Dominick Grift
domg472 at gmail.com
Sun Aug 29 10:48:27 UTC 2010
On 08/29/2010 12:36 AM, Mr Dash Four wrote:
> I am currently writing a policy file for an application which listens to
> a particular port and also communicates with mysqld. During its start-up
> (from a script executed in init.d) I am getting the following AVCs:
>
> =================================
> type=AVC msg=audit(1283028441.852:19): avc: denied { read } for
> pid=1868 comm="voip_sandbox" path="pipe:[11951]" dev=pipefs ino=11951
> scontext=unconfined_u:system_r:voip_sandbox_t:s0
> tcontext=unconfined_u:system_r:voip_sandbox_t:s0 tclass=fifo_file
> type=AVC msg=audit(1283028441.851:18): avc: denied { write } for
> pid=1866 comm="voip_sandbox" path="pipe:[11951]" dev=pipefs ino=11951
> scontext=unconfined_u:system_r:voip_sandbox_t:s0
> tcontext=unconfined_u:system_r:voip_sandbox_t:s0 tclass=fifo_file
> type=SYSCALL msg=audit(1283028441.852:19): arch=40000003 syscall=3
> per=400000 success=no exit=-13 a0=6 a1=9d58864 a2=94 a3=0 items=0
> ppid=1866 pid=1868 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496
> egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="voip_sandbox"
> exe="/usr/local/bin/voip_sandbox"
> subj=unconfined_u:system_r:voip_sandbox_t:s0 key=(null)
> type=SYSCALL msg=audit(1283028441.851:18): arch=40000003 syscall=4
> per=400000 success=no exit=-13 a0=7 a1=bf894480 a2=94 a3=bf894480
> items=0 ppid=1 pid=1866 auid=0 uid=496 gid=496 euid=496 suid=496
> fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1
> comm="voip_sandbox" exe="/usr/local/bin/voip_sandbox"
> subj=unconfined_u:system_r:voip_sandbox_t:s0 key=(null)
> type=AVC msg=audit(1283028441.863:20): avc: denied { write } for
> pid=1866 comm="voip_sandbox" path="pipe:[11951]" dev=pipefs ino=11951
> scontext=unconfined_u:system_r:voip_sandbox_t:s0
> tcontext=unconfined_u:system_r:voip_sandbox_t:s0 tclass=fifo_file
> type=SYSCALL msg=audit(1283028441.863:20): arch=40000003 syscall=4
> per=400000 success=no exit=-13 a0=7 a1=bf8945c0 a2=94 a3=bf8945c0
> items=0 ppid=1 pid=1866 auid=0 uid=496 gid=496 euid=496 suid=496
> fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1
> comm="voip_sandbox" exe="/usr/local/bin/voip_sandbox"
> subj=unconfined_u:system_r:voip_sandbox_t:s0 key=(null)
> =================================
>
> Both pids 1868 and 1866 are related and spawned by the main application.
> I take it there is a pipe which needs to be created and accessible to
> both processes. How do I find out what pipe it is (name, location) and
> how do I prevent this AVCs from happening? Many thanks!
its a fifo_file on device pipefs with name/path: pipe:[11951]
This type of internal communication is very common. We use the following
policy for this:
allow voip_sandbox_t self:fifo_file rw_fifo_file_perms;
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100829/03e5d4bf/attachment.bin
More information about the selinux
mailing list