Stephen Croll wrote:
Note: Originally posted to fedora-list.
The "setroubleshoot browser" is reporting the following issues on Fedora 9:
SELinux is preventing kerneloops (kerneloops_t) "signal" to <Unknown> (kerneloops_t). SELinux is preventing dhclient (dhcpc_t) "read write" to socket (unconfined_t).
The first issue occurred on boot, but no longer seems to be happening. The second issue occurs when I bring up eth0.
Should I file a bug report, or might there be something more sinister going on?
For reference, the complete reports are as follows:
Summary:
SELinux is preventing kerneloops (kerneloops_t) "signal" to <Unknown> (kerneloops_t).
Detailed Description:
SELinux denied access requested by kerneloops. It is not expected that this access is required by kerneloops and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:kerneloops_t:s0
Target Context system_u:system_r:kerneloops_t:s0
Target Objects None [ process ]
Source kerneloops
Source Path /usr/sbin/kerneloops
Port <Unknown>
Host gerbil
Source RPM Packages kerneloops-0.11-1.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-84.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name gerbil
Platform Linux gerbil 2.6.25.14-108.fc9.x86_64 #1 SMP Mon Aug 4 13:46:35 EDT 2008 x86_64 x86_64
Alert Count 2
First Seen Sun 07 Sep 2008 03:21:55 AM CDT
Last Seen Sun 07 Sep 2008 03:21:55 AM CDT
Local ID fa4c1bd0-faf1-48ba-ba55-74285538ef90
Line Numbers
Raw Audit Messages
host=gerbil type=AVC msg=audit(1220775715.59:8): avc: denied { signal } for pid=2363 comm="kerneloops" scontext=system_u:system_r:kerneloops_t:s0 tcontext=system_u:system_r:kerneloops_t:s0 tclass=process
host=gerbil type=SYSCALL msg=audit(1220775715.59:8): arch=c000003e syscall=234 success=no exit=-13 a0=93b a1=93b a2=6 a3=8 items=0 ppid=1 pid=2363 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kerneloops" exe="/usr/sbin/kerneloops" subj=system_u:system_r:kerneloops_t:s0 key=(null)
-and-
Summary:
SELinux is preventing dhclient (dhcpc_t) "read write" to socket (unconfined_t).
Detailed Description:
SELinux denied access requested by dhclient. It is not expected that this access is required by dhclient and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects socket [ unix_stream_socket ]
Source dhclient
Source Path /sbin/dhclient
Port <Unknown>
Host gerbil
Source RPM Packages dhclient-4.0.0-14.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-84.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name gerbil
Platform Linux gerbil 2.6.25.14-108.fc9.x86_64 #1 SMP Mon Aug 4 13:46:35 EDT 2008 x86_64 x86_64
Alert Count 16
First Seen Sun 07 Sep 2008 12:56:48 AM CDT
Last Seen Sun 07 Sep 2008 03:23:07 AM CDT
Local ID a3b5492a-0ef2-4cc3-bdd0-4c06696bae70
Line Numbers
Raw Audit Messages
host=gerbil type=AVC msg=audit(1220775787.407:21): avc: denied { read write } for pid=3069 comm="dhclient" path="socket:[68728]" dev=sockfs ino=68728 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
host=gerbil type=SYSCALL msg=audit(1220775787.407:21): arch=c000003e syscall=59 success=yes exit=0 a0=948530 a1=94ad90 a2=8f0d70 a3=3f48f67a70 items=0 ppid=2970 pid=3069 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
kerneloops needing signal is a bug in selinux-policy.
You can allow this for now.
# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp
Fixed in selinux-policy-3.3.1-89.fc9.noarch
The dhcp_t (/sbin/dhclient) trying to read/write an unconfined_t unix_stream_socket, is a leaked file descriptor. So it is a bug in some application that you are using to bring up your network. What app are you using for this?
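A small triage helper that applies the reasoning of the reply to the raw audit records quoted in the thread (added example, not code from the thread, from setroubleshoot or from audit2allow): it groups AVC and SYSCALL records by audit event id, treats a domain denied a permission on itself as a policy gap, treats a confined domain touching an unconfined_t socket as a leaked descriptor, and reads ppid from the matching SYSCALL record to point at the parent that handed the descriptor down. The classification rules and the abbreviated SYSCALL fields are assumptions of this example.

```python
import re

# Constructed sample: the two raw events quoted above (SYSCALL records trimmed to
# the fields this example reads; real records carry many more).
SAMPLE_AUDIT_LOG = """\
host=gerbil type=AVC msg=audit(1220775715.59:8): avc: denied { signal } for pid=2363 comm="kerneloops" scontext=system_u:system_r:kerneloops_t:s0 tcontext=system_u:system_r:kerneloops_t:s0 tclass=process
host=gerbil type=SYSCALL msg=audit(1220775715.59:8): arch=c000003e syscall=234 success=no exit=-13 ppid=1 pid=2363 auid=4294967295 uid=0 comm="kerneloops" exe="/usr/sbin/kerneloops"
host=gerbil type=AVC msg=audit(1220775787.407:21): avc: denied { read write } for pid=3069 comm="dhclient" path="socket:[68728]" dev=sockfs ino=68728 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
host=gerbil type=SYSCALL msg=audit(1220775787.407:21): arch=c000003e syscall=59 success=yes exit=0 ppid=2970 pid=3069 auid=500 uid=0 comm="dhclient" exe="/sbin/dhclient"
"""

EVENT_RE = re.compile(r'type=(?P<type>\w+) msg=audit\((?P<id>[\d.]+:\d+)\):\s*(?P<rest>.*)$')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(text):
    """Group AVC and SYSCALL records by audit event id (timestamp:serial)."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group('id'), {'avc': [], 'syscall': {}})
        if m.group('type') == 'AVC':
            p = PERMS_RE.search(m.group('rest'))
            if p:
                rec = {k: v.strip('"') for k, v in FIELD_RE.findall(p.group('fields'))}
                rec['perms'] = p.group('perms').split()
                # third field of a context is the type (the domain, for processes)
                rec['stype'] = rec['scontext'].split(':')[2]
                rec['ttype'] = rec['tcontext'].split(':')[2]
                ev['avc'].append(rec)
        elif m.group('type') == 'SYSCALL':
            ev['syscall'] = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return events

def triage(avc, syscall):
    """Heuristic classification (assumed rules, following the reply's diagnosis)."""
    if avc['stype'] == avc['ttype']:
        return 'self-access', 'domain denied a permission on itself: policy gap, not a leak'
    if avc['tclass'] in ('unix_stream_socket', 'unix_dgram_socket', 'fd') and avc['ttype'] == 'unconfined_t':
        parent = syscall.get('ppid', '?')
        return 'leaked-fd', f"confined {avc['stype']} used an unconfined_t descriptor inherited from ppid={parent}"
    return 'review', 'no rule matched; inspect by hand before writing a local module'

def triage_log(text):
    """Return (comm, perms, kind, reason) for every AVC denial in the log text."""
    out = []
    for ev in parse_audit(text).values():
        for avc in ev['avc']:
            kind, why = triage(avc, ev['syscall'])
            out.append((avc['comm'], ' '.join(avc['perms']), kind, why))
    return out
```

Run against a live log with `triage_log(open('/var/log/audit/audit.log').read())`; a leaked-fd verdict names the parent pid that should be looked at, while only self-access gaps are candidates for the audit2allow module shown above.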