SELinux is flagging eventpoll, not sure what that is?

I'm not sure what is being flagged by SELinux. 3rd party software? Something that is being described as eventpoll. I tried to use find or ps to find eventpoll and can't find the file or process. Google search didn't have much either.

So I'm not sure if this is something that should be ignored or logged? I think I know the vendor, however I want to gather as much info upfront before I go to them and ask.

This is what logging is showing me:

Jul 24 13:42:32 hsotname setroubleshoot: SELinux is preventing /sbin/ifconfig from 'read, write' accesses on the file [eventpoll]. For complete SELinux messages. run sealert -l 519bc934-b8bc-427f-9177-0bb8828ea8ed

Jul 24 13:42:34 hostname setroubleshoot: SELinux is preventing /sbin/ifconfig from 'read, write' accesses on the file [eventpoll]. For complete SELinux messages. run sealert -l be5350be-ddb1-4def-817d-8ad63cc90e1f

The sealert is showing the following:

[root@hostname ~]# sealert -l 519bc934-b8bc-427f-9177-0bb8828ea8ed
SELinux is preventing /sbin/ifconfig from 'read, write' accesses on the file [eventpoll].

*****  Plugin leaks (86.2 confidence) suggests  ******************************

If you want to ignore ifconfig trying to read write access the [eventpoll] file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /sbin/ifconfig /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests  ***************************

If you believe that ifconfig should be allowed read write access on the [eventpoll] file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ifconfig /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:ifconfig_t:s0
Target Context                system_u:object_r:anon_inodefs_t:s0
Target Objects                [eventpoll] [ file ]
Source                        ifconfig
Source Path                   /sbin/ifconfig
Port                          <Unknown>
Host                          
Source RPM Packages           net-tools-1.60-114.el6.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-307.el6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     
Platform                      Linux 
                              2.6.32-642.6.2.el6.x86_64 #1 SMP Mon Oct 24
                              10:22:33 EDT 2016 x86_64 x86_64
Alert Count                   5672
First Seen                    Sun 23 Jul 2017 01:48:46 PM CDT
Last Seen                     Mon 24 Jul 2017 01:43:28 PM CDT
Local ID                      519bc934-b8bc-427f-9177-0bb8828ea8ed

Raw Audit Messages
type=AVC msg=audit(1500921808.611:24022): avc:  denied  { read write } for  pid=5158 comm="ifconfig" path="[eventpoll]" dev=anon_inodefs ino=4021 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file


type=SYSCALL msg=audit(1500921808.611:24022): arch=x86_64 syscall=execve success=yes exit=0 a0=2331290 a1=232aa30 a2=232d340 a3=18 items=2 ppid=5156 pid=5158 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ifconfig exe=/sbin/ifconfig subj=system_u:system_r:ifconfig_t:s0 key=(null)

type=CWD msg=audit(1500921808.611:24022): cwd=/opt/commvault

type=PATH msg=audit(1500921808.611:24022): item=0 name=/sbin/ifconfig inode=130951 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ifconfig_exec_t:s0 nametype=NORMAL

type=PATH msg=audit(1500921808.611:24022): item=1 name=(null) inode=915716 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL

Hash: ifconfig,ifconfig_t,anon_inodefs_t,file,read,write

audit2allow

#============= ifconfig_t ==============
allow ifconfig_t anon_inodefs_t:file { read write };

audit2allow -R

#============= ifconfig_t ==============
allow ifconfig_t anon_inodefs_t:file { read write };

Responses