Bug 1033076

Summary: SELinux prevents watchdog from reading /proc/net/dev file
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Target Milestone: rc
Reporter: Milos Malik <mmalik>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Milos Malik <mmalik>
Fixed In Version: selinux-policy-3.12.1-106.el7
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-06-13 10:12:10 UTC

Description Milos Malik 2013-11-21 14:10:47 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-103.el7.noarch
selinux-policy-devel-3.12.1-103.el7.noarch
selinux-policy-doc-3.12.1-103.el7.noarch
selinux-policy-minimum-3.12.1-103.el7.noarch
selinux-policy-mls-3.12.1-103.el7.noarch
selinux-policy-targeted-3.12.1-103.el7.noarch
watchdog-5.13-9.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-7.0 machine with targeted policy
2. add the following line to /etc/watchdog.conf
interface		= eth0
3. restart watchdog service
4. search for AVCs

Actual results (enforcing mode):
----
time->Thu Nov 21 15:05:04 2013
type=PATH msg=audit(1385042704.934:915): item=0 name="/proc/net/dev" inode=4026531975 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t:s0 objtype=NORMAL
type=CWD msg=audit(1385042704.934:915):  cwd="/"
type=SYSCALL msg=audit(1385042704.934:915): arch=c000003e syscall=2 success=no exit=-13 a0=40ed87 a1=0 a2=1b6 a3=1 items=1 ppid=1 pid=8520 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="watchdog" exe="/usr/sbin/watchdog" subj=system_u:system_r:watchdog_t:s0 key=(null)
type=AVC msg=audit(1385042704.934:915): avc:  denied  { read } for  pid=8520 comm="watchdog" name="dev" dev="proc" ino=4026531975 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----

Expected results:
 * no AVCs

Comment 1 Milos Malik 2013-11-21 14:14:35 UTC
Actual results (permissive mode):
----
type=PATH msg=audit(11/21/2013 15:13:04.217:965) : item=0 name=/proc/net/dev inode=4026531975 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_net_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/21/2013 15:13:04.217:965) :  cwd=/ 
type=SYSCALL msg=audit(11/21/2013 15:13:04.217:965) : arch=x86_64 syscall=open success=yes exit=1 a0=0x40ed87 a1=O_RDONLY a2=0x1b6 a3=0x1 items=1 ppid=1 pid=13933 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=watchdog exe=/usr/sbin/watchdog subj=system_u:system_r:watchdog_t:s0 key=(null) 
type=AVC msg=audit(11/21/2013 15:13:04.217:965) : avc:  denied  { open } for  pid=13933 comm=watchdog path=/proc/13933/net/dev dev="proc" ino=4026531975 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file 
type=AVC msg=audit(11/21/2013 15:13:04.217:965) : avc:  denied  { read } for  pid=13933 comm=watchdog name=dev dev="proc" ino=4026531975 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file 
----
type=SYSCALL msg=audit(11/21/2013 15:13:04.217:966) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x1 a1=0x7fffdf060a30 a2=0x7fffdf060a30 a3=0x0 items=0 ppid=1 pid=13933 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=watchdog exe=/usr/sbin/watchdog subj=system_u:system_r:watchdog_t:s0 key=(null) 
type=AVC msg=audit(11/21/2013 15:13:04.217:966) : avc:  denied  { getattr } for  pid=13933 comm=watchdog path=/proc/13933/net/dev dev="proc" ino=4026531975 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file 
----
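
The two runs above differ in a way that matters when turning denials into policy: in enforcing mode the open() of /proc/net/dev fails with EACCES (success=no exit=-13), so watchdog never reaches fstat() and only { read } is logged; in permissive mode the open succeeds and the audit trail shows the full set the daemon actually needs, { read open getattr }. The script below is an added example, not part of the bug report or of selinux-policy, that reduces the AVC lines quoted above to the type-enforcement rule they imply, the way audit2allow does. The function names are mine and the sample input is constructed by copying the page's own AVC records into a here-document so it runs offline.

```shell
#!/bin/sh
# Added example (not part of the bug report): reduce the AVC records from
# this bug to the type-enforcement rule they imply, the way audit2allow does.

# Constructed sample: the AVC lines quoted in the description (enforcing,
# event 915) and in comment 1 (permissive, events 965 and 966), embedded so
# the script runs offline. On a live system you would instead pipe in
#   ausearch -m AVC -c watchdog -ts recent
sample_avcs() {
cat <<'EOF'
type=AVC msg=audit(1385042704.934:915): avc:  denied  { read } for  pid=8520 comm="watchdog" name="dev" dev="proc" ino=4026531975 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(11/21/2013 15:13:04.217:965) : avc:  denied  { open } for  pid=13933 comm=watchdog path=/proc/13933/net/dev dev="proc" ino=4026531975 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(11/21/2013 15:13:04.217:965) : avc:  denied  { read } for  pid=13933 comm=watchdog name=dev dev="proc" ino=4026531975 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(11/21/2013 15:13:04.217:966) : avc:  denied  { getattr } for  pid=13933 comm=watchdog path=/proc/13933/net/dev dev="proc" ino=4026531975 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
EOF
}

# avc_to_te: read AVC records on stdin and print one
#   allow <source type> <target type>:<class> { perms };
# line per (source, target, class) triple, merging every denied permission.
# Only the type component of each security context is used, as in a TE rule.
avc_to_te() {
  awk '/avc: *denied/ {
         s = index($0, "{"); e = index($0, "}")
         n = split(substr($0, s + 1, e - s - 1), perm, " ")
         st = tt = cls = ""
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
           if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
           if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
         }
         for (j = 1; j <= n; j++) print st, tt, cls, perm[j]
       }' |
  sort -u |
  awk '{ key = $1 " " $2 ":" $3
         if (key != prev) {
           if (prev != "") printf "allow %s {%s };\n", prev, acc
           prev = key; acc = ""
         }
         acc = acc " " $4 }
       END { if (prev != "") printf "allow %s {%s };\n", prev, acc }'
}

# Enforcing mode denied open() outright, so the daemon never reached fstat():
# the single enforcing-mode record yields only { read }.
enforcing_only_rule() {
  sample_avcs | grep -F 'audit(1385042704.934:915)' | avc_to_te
}

# The permissive run lets every access through and logs each denial, so the
# full set of permissions the daemon needs is visible: { getattr open read }.
full_rule() {
  sample_avcs | avc_to_te
}

full_rule
```

For triage, the rule printed by full_rule is what you would wrap in a local module (audit2allow -M local_watchdog followed by semodule -i local_watchdog.pp) until the fixed selinux-policy-3.12.1-106.el7 build is installed; the rule from enforcing_only_rule alone would just move the denial to the next syscall. Always collect denials in permissive mode (or with the domain made permissive via semanage permissive -a watchdog_t) before writing policy, and prefer the distribution's fix to a permanent local allow rule.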

Comment 2 Miroslav Grepl 2013-11-25 13:07:39 UTC
commit 8b83b5aa94d03ef346371396d4112d0f43bc7a90
Author: Miroslav Grepl <mgrepl>
Date:   Mon Nov 25 14:07:20 2013 +0100

    Allow watchdog to read network state info

Comment 4 Ludek Smid 2014-06-13 10:12:10 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.