fedora-selinux August 2010 archive
Main Archive Page > Month Archives  > fedora-selinux archives
fedora-selinux: Re: pipefs AVC

Re: pipefs AVC

From: Dominick Grift <domg472_at_nospam>
Date: Sun Aug 29 2010 - 10:48:27 GMT
To: selinux@lists.fedoraproject.org

On 08/29/2010 12:36 AM, Mr Dash Four wrote:
> I am currently writing a policy file for an application which listens to
> a particular port and also communicates with mysqld. During its start-up
> (from a script executed in init.d) I am getting the following AVCs:
>
> =================================
> type=AVC msg=audit(1283028441.852:19): avc: denied { read } for
> pid=1868 comm="voip_sandbox" path="pipe:[11951]" dev=pipefs ino=11951
> scontext=unconfined_u:system_r:voip_sandbox_t:s0
> tcontext=unconfined_u:system_r:voip_sandbox_t:s0 tclass=fifo_file
> type=AVC msg=audit(1283028441.851:18): avc: denied { write } for
> pid=1866 comm="voip_sandbox" path="pipe:[11951]" dev=pipefs ino=11951
> scontext=unconfined_u:system_r:voip_sandbox_t:s0
> tcontext=unconfined_u:system_r:voip_sandbox_t:s0 tclass=fifo_file
> type=SYSCALL msg=audit(1283028441.852:19): arch=40000003 syscall=3
> per=400000 success=no exit=-13 a0=6 a1=9d58864 a2=94 a3=0 items=0
> ppid=1866 pid=1868 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496
> egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="voip_sandbox"
> exe="/usr/local/bin/voip_sandbox"
> subj=unconfined_u:system_r:voip_sandbox_t:s0 key=(null)
> type=SYSCALL msg=audit(1283028441.851:18): arch=40000003 syscall=4
> per=400000 success=no exit=-13 a0=7 a1=bf894480 a2=94 a3=bf894480
> items=0 ppid=1 pid=1866 auid=0 uid=496 gid=496 euid=496 suid=496
> fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1
> comm="voip_sandbox" exe="/usr/local/bin/voip_sandbox"
> subj=unconfined_u:system_r:voip_sandbox_t:s0 key=(null)
> type=AVC msg=audit(1283028441.863:20): avc: denied { write } for
> pid=1866 comm="voip_sandbox" path="pipe:[11951]" dev=pipefs ino=11951
> scontext=unconfined_u:system_r:voip_sandbox_t:s0
> tcontext=unconfined_u:system_r:voip_sandbox_t:s0 tclass=fifo_file
> type=SYSCALL msg=audit(1283028441.863:20): arch=40000003 syscall=4
> per=400000 success=no exit=-13 a0=7 a1=bf8945c0 a2=94 a3=bf8945c0
> items=0 ppid=1 pid=1866 auid=0 uid=496 gid=496 euid=496 suid=496
> fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1
> comm="voip_sandbox" exe="/usr/local/bin/voip_sandbox"
> subj=unconfined_u:system_r:voip_sandbox_t:s0 key=(null)
> =================================
>
> Both pids 1868 and 1866 are related and spawned by the main application.
> I take it there is a pipe which needs to be created and accessible to
> both processes. How do I find out what pipe it is (name, location) and
> how do I prevent this AVCs from happening? Many thanks!

its a fifo_file on device pipefs with name/path: pipe:[11951]

This type of internal communication is very common. We use the following
policy for this:

allow voip_sandbox_t self:fifo_file rw_fifo_file_perms;

> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux