Bug 1033059

Summary: SELinux prevents watchdog from pinging computers
Product: Red Hat Enterprise Linux 7 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0CC: aledvink, mgrepl, rjones
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.12.1-106.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 11:28:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Milos Malik 2013-11-21 13:50:13 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
iputils-20121221-4.el7.x86_64
iputils-ninfod-20121221-4.el7.x86_64
selinux-policy-3.12.1-103.el7.noarch
selinux-policy-devel-3.12.1-103.el7.noarch
selinux-policy-doc-3.12.1-103.el7.noarch
selinux-policy-minimum-3.12.1-103.el7.noarch
selinux-policy-mls-3.12.1-103.el7.noarch
selinux-policy-targeted-3.12.1-103.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-7.0 machine with targeted policy
2. add following line to the default /etc/watchdog.conf file
ping                    = 127.0.0.1
3. restart watchdog service
4. search for AVCs

Actual results (enforcing mode):
----
time->Thu Nov 21 14:44:44 2013
type=SYSCALL msg=audit(1385041484.560:777): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=1 a3=7fff5daff830 items=0 ppid=1 pid=29083 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="watchdog" exe="/usr/sbin/watchdog" subj=system_u:system_r:watchdog_t:s0 key=(null)
type=AVC msg=audit(1385041484.560:777): avc:  denied  { create } for  pid=29083 comm="watchdog" scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:system_r:watchdog_t:s0 tclass=rawip_socket
----

Expected results:
 * watchdog is able to ping other machines
 * no AVCs
Comment 1 Miroslav Grepl 2013-11-21 13:57:29 UTC 
Milos,
is there a helper script for this?
Comment 2 Richard W.M. Jones 2013-11-21 13:59:14 UTC 
Maintainer for watchdog in RHEL 7 is now Ales Ledvinka (aledvink).
Comment 3 Richard W.M. Jones 2013-11-21 14:00:58 UTC 
... but it's my understanding from a brief look at the source
that the daemon itself is opening the raw socket.
Comment 4 Milos Malik 2013-11-21 14:04:01 UTC 
Actual results (permissive mode):
----
time->Thu Nov 21 15:02:45 2013
type=SYSCALL msg=audit(1385042565.347:882): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=3 a2=1 a3=7fff34c38ab0 items=0 ppid=1 pid=3133 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="watchdog" exe="/usr/sbin/watchdog" subj=system_u:system_r:watchdog_t:s0 key=(null)
type=AVC msg=audit(1385042565.347:882): avc:  denied  { net_raw } for  pid=3133 comm="watchdog" capability=13  scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:system_r:watchdog_t:s0 tclass=capability
type=AVC msg=audit(1385042565.347:882): avc:  denied  { create } for  pid=3133 comm="watchdog" scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:system_r:watchdog_t:s0 tclass=rawip_socket
----
time->Thu Nov 21 15:02:45 2013
type=SYSCALL msg=audit(1385042565.354:883): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=1 a2=6 a3=7fff34c38e58 items=0 ppid=1 pid=3133 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="watchdog" exe="/usr/sbin/watchdog" subj=system_u:system_r:watchdog_t:s0 key=(null)
type=AVC msg=audit(1385042565.354:883): avc:  denied  { setopt } for  pid=3133 comm="watchdog" lport=1 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:system_r:watchdog_t:s0 tclass=rawip_socket
----
time->Thu Nov 21 15:02:54 2013
type=SYSCALL msg=audit(1385042574.413:886): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=3 a2=1 a3=7fff4f8c1f00 items=0 ppid=1 pid=3665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="watchdog" exe="/usr/sbin/watchdog" subj=system_u:system_r:watchdog_t:s0 key=(null)
type=AVC msg=audit(1385042574.413:886): avc:  denied  { create } for  pid=3665 comm="watchdog" scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:system_r:watchdog_t:s0 tclass=rawip_socket
----
Comment 5 Miroslav Grepl 2013-11-25 13:09:52 UTC 
(In reply to Richard W.M. Jones from comment #3)
> ... but it's my understanding from a brief look at the source
> that the daemon itself is opening the raw socket.

Yes, you are right. I also see it. Thank you.

commit 2c818a4154c7f89c230b5dfcf354213fbeea92c7
Author: Miroslav Grepl <mgrepl>
Date:   Mon Nov 25 14:09:03 2013 +0100

    Watchdog opens the raw socket
Comment 7 Ludek Smid 2014-06-13 11:28:38 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.