unix_stream_socket AVC

Daniel J Walsh dwalsh at redhat.com
Thu Sep 1 18:17:31 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/01/2011 04:33 AM, Arthur Dent wrote:
> Hello all,
> 
> I did my monthly yum update on my F15 server yesterday. It brought
> down a bunch of updates including
> selinux-policy-3.9.16-35.fc15.noarch and 
> selinux-policy-targeted-3.9.16-35.fc15.noarch.
> 
> Since then I have been getting several AVCs related to 
> "unix_stream_socket". They break into 2 types:
> 
> SELinux is preventing /usr/libexec/fprintd from 'read, write'
> accesses on the unix_stream_socket unix_stream_socket.
> 
> and
> 
> SELinux is preventing /usr/sbin/sendmail.sendmail from 'read,
> write' accesses on the unix_stream_socket unix_stream_socket.
> 
> I detail one example of each below.
> 
> What should I do about these? I have no idea what might be causing 
> them...
> 
> Thanks
> 
> Mark
> 
> ==================8<=============================================
> 
> 
> SELinux is preventing /usr/libexec/fprintd from 'read, write'
> accesses on the unix_stream_socket unix_stream_socket.
> 
> *****  Plugin catchall (50.5 confidence) suggests  ***************************
> 
> If you believe that fprintd should be allowed read write access on
> the unix_stream_socket unix_stream_socket by default. Then you
> should report this as a bug. You can generate a local policy module
> to allow this access. Do allow this access for now by executing:
> # grep fprintd /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
> 
> *****  Plugin leaks (50.5 confidence) suggests  ******************************
> 
> If you want to ignore fprintd trying to read write access the
> unix_stream_socket unix_stream_socket, because you believe it
> should not need this access. Then you should report this as a bug.
> You can generate a local policy module to dontaudit this access. Do
> # grep /usr/libexec/fprintd /var/log/audit/audit.log | audit2allow -D -M mypol
> # semodule -i mypol.pp
> 
> Additional Information:
> Source Context                system_u:system_r:fprintd_t:s0-s0:c0.c1023
> Target Context                system_u:system_r:init_t:s0
> Target Objects                unix_stream_socket [ unix_stream_socket ]
> Source                        fprintd
> Source Path                   /usr/libexec/fprintd
> Port                          <Unknown>
> Host                          troodos.org.uk
> Source RPM Packages           fprintd-0.2.0-3.fc15
> Target RPM Packages
> Policy RPM                    selinux-policy-3.9.16-35.fc15
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     troodos.org.uk
> Platform                      Linux troodos.org.uk 2.6.40.3-0.fc15.i686.PAE #1 SMP Tue Aug 16 04:17:30 UTC 2011 i686 i686
> Alert Count                   8
> First Seen                    Tue Aug 30 10:17:09 2011
> Last Seen                     Thu Sep  1 09:14:32 2011
> Local ID                      f5ca1075-789c-4c8f-971d-8919dd496044
> 
> Raw Audit Messages
> type=AVC msg=audit(1314864872.594:5072): avc:  denied  { read write } for  pid=27863 comm="fprintd" path="socket:[14520]" dev=sockfs ino=14520 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
> 
> 
> type=AVC msg=audit(1314864872.594:5072): avc:  denied  { read write } for  pid=27863 comm="fprintd" path="socket:[14520]" dev=sockfs ino=14520 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
> 
> 
> type=SYSCALL msg=audit(1314864872.594:5072): arch=i386 syscall=execve success=yes exit=0 a0=83a3bc0 a1=83a34e0 a2=83a3008 a3=83a61c0 items=0 ppid=27862 pid=27863 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fprintd exe=/usr/libexec/fprintd subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)
> 
> Hash: fprintd,fprintd_t,init_t,unix_stream_socket,read,write
> 
> audit2allow
> 
> #============= fprintd_t ==============
> allow fprintd_t init_t:unix_stream_socket { read write };
> 
> audit2allow -R
> 
> #============= fprintd_t ==============
> allow fprintd_t init_t:unix_stream_socket { read write };
> 
> 
> ==================8<=============================================
> 
> 
> SELinux is preventing /usr/sbin/sendmail.sendmail from 'read,
> write' accesses on the unix_stream_socket unix_stream_socket.
> 
> *****  Plugin catchall (50.5 confidence) suggests  ***************************
> 
> If you believe that sendmail.sendmail should be allowed read write
> access on the unix_stream_socket unix_stream_socket by default.
> Then you should report this as a bug. You can generate a local
> policy module to allow this access. Do allow this access for now by
> executing:
> # grep sendmail /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
> 
> *****  Plugin leaks (50.5 confidence) suggests  ******************************
> 
> If you want to ignore sendmail.sendmail trying to read write access
> the unix_stream_socket unix_stream_socket, because you believe it
> should not need this access. Then you should report this as a bug.
> You can generate a local policy module to dontaudit this access. Do
> # grep /usr/sbin/sendmail.sendmail /var/log/audit/audit.log | audit2allow -D -M mypol
> # semodule -i mypol.pp
> 
> Additional Information:
> Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
> Target Context                system_u:system_r:init_t:s0
> Target Objects                unix_stream_socket [ unix_stream_socket ]
> Source                        sendmail
> Source Path                   /usr/sbin/sendmail.sendmail
> Port                          <Unknown>
> Host                          troodos.org.uk
> Source RPM Packages           sendmail-8.14.5-1.fc15
> Target RPM Packages
> Policy RPM                    selinux-policy-3.9.16-35.fc15
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     troodos.org.uk
> Platform                      Linux troodos.org.uk 2.6.40.3-0.fc15.i686.PAE #1 SMP Tue Aug 16 04:17:30 UTC 2011 i686 i686
> Alert Count                   14
> First Seen                    Wed Aug 31 02:20:01 2011
> Last Seen                     Thu Sep  1 06:40:01 2011
> Local ID                      45c301bb-43a3-4b46-b23b-549d56586333
> 
> Raw Audit Messages
> type=AVC msg=audit(1314855601.515:4541): avc:  denied  { read write } for  pid=26981 comm="sendmail" path="socket:[13124]" dev=sockfs ino=13124 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
> 
> 
> type=AVC msg=audit(1314855601.515:4541): avc:  denied  { read write } for  pid=26981 comm="sendmail" path="socket:[13124]" dev=sockfs ino=13124 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
> 
> 
> type=SYSCALL msg=audit(1314855601.515:4541): arch=i386 syscall=execve success=yes exit=0 a0=bfaa897c a1=bfaa67c8 a2=bfae8fd0 a3=bfae8fd0 items=0 ppid=26963 pid=26981 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=51 sgid=51 fsgid=51 tty=(none) ses=634 comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
> 
> Hash: sendmail,system_mail_t,init_t,unix_stream_socket,read,write
> 
> audit2allow
> 
> #============= system_mail_t ==============
> allow system_mail_t init_t:unix_stream_socket { read write };
> 
> audit2allow -R
> 
> #============= system_mail_t ==============
> allow system_mail_t init_t:unix_stream_socket { read write };
> 
> 
> 
> 
> 
> -- selinux mailing list selinux at lists.fedoraproject.org 
> https://admin.fedoraproject.org/mailman/listinfo/selinux


The analysis is correct; they are leaked file descriptors.

# grep unix_stream_socket /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

Will tell SELinux to ignore the access.

This is probably just init handing over a unix_stream_socket as stdin
to daemons it starts and these daemons passing the descriptor along.

We probably should just dontaudit them in general.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5fzDsACgkQrlYvE4MpobNG0QCgwfg4VdjlnLdFYofTbX/x4Y2z
rCIAoIci2JXk/uHCSi9+JzMIDKAy/ZBw
=TsQO
-----END PGP SIGNATURE-----
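As an added example (not code from this thread or from the SELinux project), the following Python script does by hand what the `audit2allow -D` pipeline above does for the two AVC records quoted in the thread: it parses raw audit.log AVC lines, flags the pattern diagnosed here as a leaked descriptor (a plain read/write denial on a unix_stream_socket that carries another domain's label, init_t), and renders a dontaudit policy module source. The sample log text, the `looks_like_leaked_fd` heuristic and all function names are constructed for this example.

```python
import re

# Constructed sample input: the two raw AVC records quoted in the thread
# (each re-joined onto one line, as audit.log stores them) plus one
# SYSCALL record, which the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1314864872.594:5072): avc:  denied  { read write } for  pid=27863 comm="fprintd" path="socket:[14520]" dev=sockfs ino=14520 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1314864872.594:5072): arch=i386 syscall=execve success=yes exit=0 pid=27863 comm=fprintd exe=/usr/libexec/fprintd subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1314855601.515:4541): avc:  denied  { read write } for  pid=26981 comm="sendmail" path="socket:[13124]" dev=sockfs ino=13124 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
"""

# The fields of an AVC record that a policy rule is built from.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(log_text):
    """Parse audit.log text into one dict per AVC denial; other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None or m.group("verdict") != "denied":
            continue
        denials.append({
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": frozenset(m.group("perms").split()),
        })
    return denials


def looks_like_leaked_fd(denial):
    """Constructed heuristic matching the thread's diagnosis: a read/write-only
    denial on a unix_stream_socket labelled with a different process's domain
    (init_t here) is usually a descriptor inherited across exec, not a real need."""
    return (denial["tclass"] == "unix_stream_socket"
            and denial["perms"] <= {"read", "write"}
            and denial["ttype"] != denial["stype"])


def rules_from_denials(denials, dontaudit=True):
    """Merge denials into one rule per (source type, target type, class), as
    audit2allow does; dontaudit=True mirrors `audit2allow -D`."""
    merged = {}
    for d in denials:
        merged.setdefault((d["stype"], d["ttype"], d["tclass"]), set()).update(d["perms"])
    keyword = "dontaudit" if dontaudit else "allow"
    return [f"{keyword} {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


def policy_module(name, denials, dontaudit=True):
    """Render a complete .te source file, including the require block the rules need."""
    types = sorted({t for d in denials for t in (d["stype"], d["ttype"])})
    classes = {}
    for d in denials:
        classes.setdefault(d["tclass"], set()).update(d["perms"])
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += rules_from_denials(denials, dontaudit)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT_LOG)
    leaks = [d for d in found if looks_like_leaked_fd(d)]
    print(f"{len(found)} denials, {len(leaks)} consistent with a leaked descriptor")
    # Compile the printed source with:
    #   checkmodule -M -m -o mypol.mod mypol.te
    #   semodule_package -o mypol.pp -m mypol.mod
    #   semodule -i mypol.pp
    print(policy_module("mypol", leaks))
```

A dontaudit rule only silences the audit record; it grants nothing, which is why it is the appropriate fix when the daemon does not actually need the inherited socket. Passing `dontaudit=False` produces the `allow` rules that plain `audit2allow` would emit, which is the wrong choice for a leaked descriptor.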