SELinux is flagging eventpoll, not sure what that is?
I'm not sure what is being flagged by SELinux. 3rd party software? Something that is being described as eventpoll. I tried to use find or ps to find eventpoll and can't find the file or process. Google search didn't have much either.
So I'm not sure if this is something that should be ignored or logged? I think I know the vendor, however I want to gather as much info upfront before I go to them and ask.
This is what logging is showing me:
Jul 24 13:42:32 hostname setroubleshoot: SELinux is preventing /sbin/ifconfig from 'read, write' accesses on the file [eventpoll]. For complete SELinux messages. run sealert -l 519bc934-b8bc-427f-9177-0bb8828ea8ed
Jul 24 13:42:34 hostname setroubleshoot: SELinux is preventing /sbin/ifconfig from 'read, write' accesses on the file [eventpoll]. For complete SELinux messages. run sealert -l be5350be-ddb1-4def-817d-8ad63cc90e1f
The sealert is showing the following:
[root@hostname ~]# sealert -l 519bc934-b8bc-427f-9177-0bb8828ea8ed
SELinux is preventing /sbin/ifconfig from 'read, write' accesses on the file [eventpoll].
***** Plugin leaks (86.2 confidence) suggests ******************************
If you want to ignore ifconfig trying to read write access the [eventpoll] file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /sbin/ifconfig /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp
***** Plugin catchall (14.7 confidence) suggests ***************************
If you believe that ifconfig should be allowed read write access on the [eventpoll] file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ifconfig /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:ifconfig_t:s0
Target Context system_u:object_r:anon_inodefs_t:s0
Target Objects [eventpoll] [ file ]
Source ifconfig
Source Path /sbin/ifconfig
Port <Unknown>
Host
Source RPM Packages net-tools-1.60-114.el6.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.7.19-307.el6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name
Platform Linux
2.6.32-642.6.2.el6.x86_64 #1 SMP Mon Oct 24
10:22:33 EDT 2016 x86_64 x86_64
Alert Count 5672
First Seen Sun 23 Jul 2017 01:48:46 PM CDT
Last Seen Mon 24 Jul 2017 01:43:28 PM CDT
Local ID 519bc934-b8bc-427f-9177-0bb8828ea8ed
Raw Audit Messages
type=AVC msg=audit(1500921808.611:24022): avc: denied { read write } for pid=5158 comm="ifconfig" path="[eventpoll]" dev=anon_inodefs ino=4021 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1500921808.611:24022): arch=x86_64 syscall=execve success=yes exit=0 a0=2331290 a1=232aa30 a2=232d340 a3=18 items=2 ppid=5156 pid=5158 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ifconfig exe=/sbin/ifconfig subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=CWD msg=audit(1500921808.611:24022): cwd=/opt/commvault
type=PATH msg=audit(1500921808.611:24022): item=0 name=/sbin/ifconfig inode=130951 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ifconfig_exec_t:s0 nametype=NORMAL
type=PATH msg=audit(1500921808.611:24022): item=1 name=(null) inode=915716 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
Hash: ifconfig,ifconfig_t,anon_inodefs_t,file,read,write
audit2allow
#============= ifconfig_t ==============
allow ifconfig_t anon_inodefs_t:file { read write };
audit2allow -R
#============= ifconfig_t ==============
allow ifconfig_t anon_inodefs_t:file { read write };
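Added example, not part of the original post: one way to collect the context around each denial is to group the audit records that share a timestamp and serial number, then report the syscall, parent PID and working directory next to the AVC. The function names are hypothetical, and the sample records are constructed by abridging the event quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: abridged from the audit event quoted in the post.
SAMPLE = '''\
type=AVC msg=audit(1500921808.611:24022): avc: denied { read write } for pid=5158 comm="ifconfig" path="[eventpoll]" dev=anon_inodefs ino=4021 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1500921808.611:24022): arch=x86_64 syscall=execve success=yes exit=0 items=2 ppid=5156 pid=5158 uid=0 comm=ifconfig exe=/sbin/ifconfig subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=CWD msg=audit(1500921808.611:24022): cwd=/opt/commvault
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
PERMS = re.compile(r'\{ ([^}]*) \}')         # the "{ read write }" permission set

def group_events(text):
    """Group audit records by (timestamp, serial); one event shares both."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record (e.g. a syslog line)
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == 'AVC':
            p = PERMS.search(body)
            fields['perms'] = p.group(1).split() if p else []
        # Keep the first record of each type (an event can carry several PATHs).
        events[(ts, serial)].setdefault(rtype, fields)
    return events

def summarize_denials(text):
    """For each AVC denial, report what was denied and who launched the command."""
    out = []
    for (ts, serial), recs in sorted(group_events(text).items()):
        avc = recs.get('AVC')
        if not avc:
            continue
        sc, cwd = recs.get('SYSCALL', {}), recs.get('CWD', {})
        out.append({
            'serial': serial, 'comm': avc.get('comm'), 'path': avc.get('path'),
            'perms': avc['perms'], 'tclass': avc.get('tclass'),
            'syscall': sc.get('syscall'), 'ppid': sc.get('ppid'),
            'cwd': cwd.get('cwd'),
        })
    return out

if __name__ == '__main__':
    for denial in summarize_denials(SAMPLE):
        print(denial)
```

On a live system the same functions can be fed the contents of /var/log/audit/audit.log; the ppid and cwd fields point at the process that started ifconfig.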