pipefs AVC

Mr Dash Four <mr.dash.four@xxxxxxxxxxxxxx> · Sat, 28 Aug 2010 23:36:09 +0100

I am currently writing a policy file for an application which listens to 
a particular port and also communicates with mysqld. During its start-up 
(from a script executed in init.d) I am getting the following AVCs:

=================================
type=AVC msg=audit(1283028441.852:19): avc:  denied  { read } for  
pid=1868 comm="voip_sandbox" path="pipe:[11951]" dev=pipefs ino=11951 
scontext=unconfined_u:system_r:voip_sandbox_t:s0 
tcontext=unconfined_u:system_r:voip_sandbox_t:s0 tclass=fifo_file
type=AVC msg=audit(1283028441.851:18): avc:  denied  { write } for  
pid=1866 comm="voip_sandbox" path="pipe:[11951]" dev=pipefs ino=11951 
scontext=unconfined_u:system_r:voip_sandbox_t:s0 
tcontext=unconfined_u:system_r:voip_sandbox_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1283028441.852:19): arch=40000003 syscall=3 
per=400000 success=no exit=-13 a0=6 a1=9d58864 a2=94 a3=0 items=0 
ppid=1866 pid=1868 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 
egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="voip_sandbox" 
exe="/usr/local/bin/voip_sandbox" 
subj=unconfined_u:system_r:voip_sandbox_t:s0 key=(null)
type=SYSCALL msg=audit(1283028441.851:18): arch=40000003 syscall=4 
per=400000 success=no exit=-13 a0=7 a1=bf894480 a2=94 a3=bf894480 
items=0 ppid=1 pid=1866 auid=0 uid=496 gid=496 euid=496 suid=496 
fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 
comm="voip_sandbox" exe="/usr/local/bin/voip_sandbox" 
subj=unconfined_u:system_r:voip_sandbox_t:s0 key=(null)
type=AVC msg=audit(1283028441.863:20): avc:  denied  { write } for  
pid=1866 comm="voip_sandbox" path="pipe:[11951]" dev=pipefs ino=11951 
scontext=unconfined_u:system_r:voip_sandbox_t:s0 
tcontext=unconfined_u:system_r:voip_sandbox_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1283028441.863:20): arch=40000003 syscall=4 
per=400000 success=no exit=-13 a0=7 a1=bf8945c0 a2=94 a3=bf8945c0 
items=0 ppid=1 pid=1866 auid=0 uid=496 gid=496 euid=496 suid=496 
fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 
comm="voip_sandbox" exe="/usr/local/bin/voip_sandbox" 
subj=unconfined_u:system_r:voip_sandbox_t:s0 key=(null)
=================================

Both pids 1868 and 1866 are related and spawned by the main application. 
I take it there is a pipe which needs to be created and accessible to 
both processes. How do I find out what pipe it is (name, location) and 
how do I prevent this AVCs from happening? Many thanks!
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux