Bug 1026076

Summary: SELinux prevents arpwatch from creating a netlink_socket
Product: Red Hat Enterprise Linux 6 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.5CC: bperkins, dwalsh, lvrabec, menthos
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-236.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-14 07:57:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Milos Malik 2013-11-03 12:46:26 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
arpwatch-2.1a15-14.el6.x86_64
selinux-policy-3.7.19-231.el6.noarch
selinux-policy-doc-3.7.19-231.el6.noarch
selinux-policy-minimum-3.7.19-231.el6.noarch
selinux-policy-mls-3.7.19-231.el6.noarch
selinux-policy-targeted-3.7.19-231.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-6.5 machine where targeted policy is active
2. service arpwatch start
3. search for AVCs

Actual results (enforcing mode):
----
type=SYSCALL msg=audit(11/03/2013 13:39:32.264:577) : arch=x86_64 syscall=socket success=no exit=-13(Permission denied) a0=10 a1=3 a2=c a3=3f1b38fed0 items=0 ppid=7237 pid=7238 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=9 comm=arpwatch exe=/usr/sbin/arpwatch subj=unconfined_u:system_r:arpwatch_t:s0 key=(null) 
type=AVC msg=audit(11/03/2013 13:39:32.264:577) : avc:  denied  { create } for  pid=7238 comm=arpwatch scontext=unconfined_u:system_r:arpwatch_t:s0 tcontext=unconfined_u:system_r:arpwatch_t:s0 tclass=netlink_socket 
----

Expected results:
 * no AVCs
Comment 1 Milos Malik 2013-11-03 12:48:13 UTC 
Actual results (permissive mode);
----
type=SYSCALL msg=audit(11/03/2013 13:47:03.700:610) : arch=x86_64 syscall=socket success=yes exit=3 a0=10 a1=3 a2=c a3=3f1b38fed0 items=0 ppid=7384 pid=7385 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=9 comm=arpwatch exe=/usr/sbin/arpwatch subj=unconfined_u:system_r:arpwatch_t:s0 key=(null) 
type=AVC msg=audit(11/03/2013 13:47:03.700:610) : avc:  denied  { create } for  pid=7385 comm=arpwatch scontext=unconfined_u:system_r:arpwatch_t:s0 tcontext=unconfined_u:system_r:arpwatch_t:s0 tclass=netlink_socket 
----
Comment 2 Miroslav Grepl 2013-11-05 15:19:04 UTC 
We allow it in Fedora

#============= arpwatch_t ==============

#!!!! This avc is allowed in the current policy
allow arpwatch_t self:netlink_socket create;
Comment 5 errata-xmlrpc 2014-10-14 07:57:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html