Bug 1054828
| Summary: | SELinux is preventing /usr/bin/systemd-tty-ask-password-agent from using the 'net_admin' capabilities. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Fidel Leon <fidelleon> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 20 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl, vpavlin |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | i686 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:173bb38dbec6ef27d1eb4f3785581bbc56aebbe3f7bd79725312c34237dea02a | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-01-21 15:30:53 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
CAP_NET_ADMIN
Perform various network-related operations:
* interface configuration;
* administration of IP firewall, masquerading, and accounting;
* modify routing tables;
* bind to any address for transparent proxying;
* set type-of-service (TOS)
* clear driver statistics;
* set promiscuous mode;
* enabling multicasting;
* use setsockopt(2) to set the following socket options: SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.
I think this is a kernel issue.

or a glibc issue, I think we are checking net_admin where we do not need to.

*** This bug has been marked as a duplicate of bug 1054337 ***

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
Description of problem:
SELinux is preventing /usr/bin/systemd-tty-ask-password-agent from using the 'net_admin' capabilities.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-tty-ask-password-agent should have the net_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

```
# grep systemd-tty-ask /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
```

Additional Information:

```
Source Context                system_u:system_r:systemd_passwd_agent_t:s0
Target Context                system_u:system_r:systemd_passwd_agent_t:s0
Target Objects                 [ capability ]
Source                        systemd-tty-ask
Source Path                   /usr/bin/systemd-tty-ask-password-agent
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-208-11.fc20.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-117.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.12.7-300.fc20.i686+PAE #1 SMP Fri Jan 10 16:10:11 UTC 2014 i686 i686
Alert Count                   1
First Seen                    2014-01-17 15:30:57 CET
Last Seen                     2014-01-17 15:30:57 CET
Local ID                      c2485e83-b638-4c0f-988b-3dba6bad63b5

Raw Audit Messages
type=AVC msg=audit(1389969057.537:25): avc: denied { net_admin } for pid=836 comm="systemd-tty-ask" capability=12 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:systemd_passwd_agent_t:s0 tclass=capability

type=SYSCALL msg=audit(1389969057.537:25): arch=i386 syscall=socketcall success=no exit=EPERM a0=e a1=bfaaf530 a2=b77cae18 a3=3 items=0 ppid=1 pid=836 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-tty-ask exe=/usr/bin/systemd-tty-ask-password-agent subj=system_u:system_r:systemd_passwd_agent_t:s0 key=(null)

Hash: systemd-tty-ask,systemd_passwd_agent_t,systemd_passwd_agent_t,capability,net_admin
```

Additional info:

```
reporter:       libreport-2.1.11
hashmarkername: setroubleshoot
kernel:         3.12.7-300.fc20.i686+PAE
type:           libreport
```
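As an added triage helper (not part of this bug report or of selinux-policy), the Python below parses the two raw audit records from the report, pairs them by event serial, and maps capability=12 to its name from <linux/capability.h>, so the domain, permission, capability name and triggering syscall can be read off together; the records are copied into constructed strings so it runs offline.

```python
import re
# Raw audit records from this bug's "Raw Audit Messages" section, stored as two
# constructed strings so the example runs offline.
AVC_LINE = (
    'type=AVC msg=audit(1389969057.537:25): avc: denied { net_admin } for pid=836 '
    'comm="systemd-tty-ask" capability=12 '
    'scontext=system_u:system_r:systemd_passwd_agent_t:s0 '
    'tcontext=system_u:system_r:systemd_passwd_agent_t:s0 tclass=capability'
)
SYSCALL_LINE = (
    'type=SYSCALL msg=audit(1389969057.537:25): arch=i386 syscall=socketcall '
    'success=no exit=EPERM a0=e a1=bfaaf530 a2=b77cae18 a3=3 items=0 ppid=1 '
    'pid=836 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 ses=4294967295 tty=(none) comm=systemd-tty-ask '
    'exe=/usr/bin/systemd-tty-ask-password-agent '
    'subj=system_u:system_r:systemd_passwd_agent_t:s0 key=(null)'
)
CAP_NAMES = {1: "CAP_DAC_OVERRIDE", 7: "CAP_SETUID", 10: "CAP_NET_BIND_SERVICE",
             12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 21: "CAP_SYS_ADMIN"}  # <linux/capability.h> subset
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def parse_audit_record(line):
    """Key=value fields of one audit record; AVC records also get decision and permissions."""
    rec = {key: val.strip('"') for key, val in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        rec["serial"] = int(m.group(1))  # event id shared by the AVC and SYSCALL records
    m = AVC_RE.search(line)
    if m:
        rec["decision"], rec["permissions"] = m.group(1), m.group(2).split()
    return rec

def triage_capability_denial(avc_line, syscall_line=None):
    """Summarise a capability-class AVC denial, paired with the SYSCALL record of the same event."""
    avc = parse_audit_record(avc_line)
    if avc.get("tclass") != "capability":
        return None
    out = {"domain": avc["scontext"].split(":")[2], "permissions": avc["permissions"],
           "denied": avc["decision"] == "denied",
           "cap_name": CAP_NAMES.get(int(avc["capability"]), "unknown"),
           # a capability check is made against the process's own context
           "self_target": avc["scontext"] == avc["tcontext"], "syscall": None}
    if syscall_line:
        sc = parse_audit_record(syscall_line)
        if sc.get("serial") == avc.get("serial"):
            out["syscall"] = sc.get("syscall")
    return out
```

When the process is only probing a capability it does not actually need, as the comments above suggest for net_admin here, a dontaudit rule that silences the message is the alternative to the allow rule that audit2allow would generate from this denial.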