Bug 1438937

Summary: SELinux prevents iptables_t from reading files in /etc/modprobe.d directory
Product: Red Hat Enterprise Linux 7
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 7.4
CC: baumanmo, herrold, kvolny, lhh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, todoleza
Target Milestone: rc
Keywords: Reopened
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-174.el7
Doc Type: If docs needed, set a value
Last Closed: 2018-04-10 12:29:42 UTC
Type: Bug
Bug Blocks: 1470965, 1472751, 1477413, 1481207, 1486871, 1491963, 1494907, 1504647, 1544922, 1544923

Description Milos Malik 2017-04-04 19:41:07 UTC
Description of problem:
SELinux denials appear when at least 1 file is present in /etc/modprobe.d directory, for example:
# rpm -qf /etc/modprobe.d/*
i2c-tools-3.1.0-10.el7.x86_64
nfs-utils-1.3.0-0.33.el7_3.x86_64
rdma-core-13-1.el7.x86_64
rdma-core-13-1.el7.x86_64
tuned-2.7.1-5.20170314git92d558b8.el7.noarch
#

Version-Release number of selected component (if applicable):
iptables-1.4.21-17.el7.x86_64
iptables-services-1.4.21-17.el7.x86_64
selinux-policy-3.13.1-136.el7.noarch
selinux-policy-targeted-3.13.1-136.el7.noarch

How reproducible:
* always

Steps to Reproduce:
1. get a RHEL-7.4 machine (targeted policy is active)
2. run the following automated TC:
 * /CoreOS/selinux-policy/bugzillas/245599
3. search for SELinux denials

Actual results:
----
type=SYSCALL msg=audit(04/04/2017 15:31:57.623:381) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7ffc0f906ef3 a2=O_RDONLY a3=0x0 items=0 ppid=17459 pid=17467 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=grep exe=/usr/bin/grep subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(04/04/2017 15:31:57.623:381) : avc:  denied  { read } for  pid=17467 comm=grep name=i2c-dev.conf dev="dm-1" ino=4820 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/04/2017 15:31:57.623:382) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7ffc0f906f10 a2=O_RDONLY a3=0x0 items=0 ppid=17459 pid=17467 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=grep exe=/usr/bin/grep subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(04/04/2017 15:31:57.623:382) : avc:  denied  { read } for  pid=17467 comm=grep name=lockd.conf dev="dm-1" ino=20099 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/04/2017 15:31:57.624:383) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7ffc0f906f2b a2=O_RDONLY a3=0x0 items=0 ppid=17459 pid=17467 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=grep exe=/usr/bin/grep subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(04/04/2017 15:31:57.624:383) : avc:  denied  { read } for  pid=17467 comm=grep name=mlx4.conf dev="dm-1" ino=4835 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/04/2017 15:31:57.624:384) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7ffc0f906f45 a2=O_RDONLY a3=0x0 items=0 ppid=17459 pid=17467 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=grep exe=/usr/bin/grep subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(04/04/2017 15:31:57.624:384) : avc:  denied  { read } for  pid=17467 comm=grep name=truescale.conf dev="dm-1" ino=4836 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/04/2017 15:31:57.624:385) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7ffc0f906f64 a2=O_RDONLY a3=0x0 items=0 ppid=17459 pid=17467 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=grep exe=/usr/bin/grep subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(04/04/2017 15:31:57.624:385) : avc:  denied  { read } for  pid=17467 comm=grep name=tuned.conf dev="dm-1" ino=27039 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file 
----

Expected results:
* no SELinux denials

Comment 1 Milos Malik 2017-04-04 19:44:49 UTC
Actual results (permissive mode):
----
type=SYSCALL msg=audit(04/04/2017 15:43:06.245:500) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffffffffffff9c a1=0x7ffc35dc1ef3 a2=O_RDONLY a3=0x0 items=0 ppid=24126 pid=24134 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=grep exe=/usr/bin/grep subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(04/04/2017 15:43:06.245:500) : avc:  denied  { open } for  pid=24134 comm=grep path=/etc/modprobe.d/i2c-dev.conf dev="dm-1" ino=4820 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file 
type=AVC msg=audit(04/04/2017 15:43:06.245:500) : avc:  denied  { read } for  pid=24134 comm=grep name=i2c-dev.conf dev="dm-1" ino=4820 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/04/2017 15:43:06.245:501) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x3 a1=0x7ffc35dc0110 a2=0x7ffc35dc0110 a3=0x0 items=0 ppid=24126 pid=24134 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=grep exe=/usr/bin/grep subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(04/04/2017 15:43:06.245:501) : avc:  denied  { getattr } for  pid=24134 comm=grep path=/etc/modprobe.d/i2c-dev.conf dev="dm-1" ino=4820 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/04/2017 15:43:06.245:502) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x3 a1=TCGETS a2=0x7ffc35dc0050 a3=0x0 items=0 ppid=24126 pid=24134 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=grep exe=/usr/bin/grep subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(04/04/2017 15:43:06.245:502) : avc:  denied  { ioctl } for  pid=24134 comm=grep path=/etc/modprobe.d/i2c-dev.conf dev="dm-1" ino=4820 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file 
----

Comment 3 Lukas Vrabec 2017-04-11 07:35:31 UTC

*** This bug has been marked as a duplicate of bug 1436689 ***

Comment 4 Phil Sutter 2017-09-07 16:33:41 UTC
*** Bug 1465031 has been marked as a duplicate of this bug. ***

Comment 5 Phil Sutter 2017-09-07 16:35:23 UTC
A comment in Bug 1465031 (which is a duplicate to this one) mentioned the required policy change:

> I am also seeing this - on each reboot I get 6 selinux denials logged in my
> audit.log - one for each file in /etc/modprobe.d/*.conf. The code in
> question comes from line 212 in /usr/libexec/iptables/iptables.init where it
> is trying to determine if ipv6 has been disabled.
> 
> Files in /etc/modprobe.d/*.conf look correctly labeled to me and restorecon
> -RvF /etc/modprobe.d returns no output showing that it made no changes -
> thus answering the question about trying the relabel.
> 
> type=AVC msg=audit(1504094765.370:28): avc:  denied  { read } for  pid=661
> comm="grep" name="blacklist-iscsi.conf" dev="dm-0" ino=782889
> scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
> 
> Problem only happens when iptables.service is started by systemd as part of
> the boot. If you run systemctl restart iptables then nothing is logged.
> Running the AVCs through audit2allow generates:
> 
> require {
>         type iptables_t;
>         type modules_conf_t;
>         class file read;
> }
> 
> #============= iptables_t ==============
> allow iptables_t modules_conf_t:file read;

Comment 6 Lukas Vrabec 2017-09-29 07:45:28 UTC
*** Bug 1496453 has been marked as a duplicate of this bug. ***

Comment 7 Lon Hohberger 2017-09-29 15:42:14 UTC
Note that the effect here is opposite what one might think: the ip6tables rules are applied correctly, even if you trynot started - it is simply that you cannot disable them by aliasing something in /etc/modprobe.d.

Thus, it's an annoyance, but, it ultimately doesn't cause functional issues in the case where a user is utilizing ip6tables to start the firewall - only the negative case: disabling ipv6 in /etc/modprobe.d/* will fail since grep cannot read the files.

Comment 8 Lon Hohberger 2017-09-29 15:43:15 UTC
Whoa, typo:

Note that the effect here is opposite what one might think: the ip6tables rules are applied correctly - it is simply that you cannot disable them by aliasing something in /etc/modprobe.d.
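
To make the effect Lon describes concrete: the init script's check is a grep over /etc/modprobe.d, and grep exits 1 for "no line matched" but 2 for "could not read a file". A script that treats any nonzero status as "IPv6 is not disabled" cannot tell a denied read from an absent setting, which is exactly why the SELinux denial turns into "rules applied anyway" instead of an error. The block below is a constructed illustration added by the editor, not the code of /usr/libexec/iptables/iptables.init (whose line 212 this page does not reproduce): the regular expression for "IPv6 disabled via modprobe.d", the sample directories and a nonexistent path standing in for an unreadable one are all assumptions.

```shell
#!/bin/sh
# Constructed illustration (editor's code, not the iptables.init script) of the
# failure mode in comment 8: a grep over /etc/modprobe.d decides whether IPv6
# was disabled there, and a denied read is indistinguishable from "no".

# Assumed pattern for "IPv6 disabled via modprobe.d"; the expression that
# iptables.init really uses is not reproduced on this page.
IPV6_OFF_RE='^[[:space:]]*(alias[[:space:]]+ipv6[[:space:]]+off|install[[:space:]]+ipv6[[:space:]]|options[[:space:]]+ipv6[[:space:]]+disable=1)'

# Naive check: yes/no. grep exits 1 for "no match" and 2 for "could not read"
# (EACCES from an SELinux denial, for instance); both end up as "no".
ipv6_disabled_naive() {   # $1 = modprobe.d directory
    if grep -qsE "$IPV6_OFF_RE" "$1"/*.conf; then echo yes; else echo no; fi
}

# Checked variant: yes/no/unknown, and a message on stderr when it could not
# decide, so a denial shows up in the service log instead of posing as an answer.
ipv6_disabled_checked() {   # $1 = modprobe.d directory
    rc=0
    grep -qsE "$IPV6_OFF_RE" "$1"/*.conf || rc=$?
    case $rc in
        0) echo yes ;;
        1) echo no ;;
        *) echo "cannot read $1/*.conf (grep status $rc); if SELinux is enforcing, check: ausearch -m AVC -c grep" >&2
           echo unknown ;;
    esac
}

# Constructed sample directories under mktemp; $1 = yes|no selects whether an
# "alias ipv6 off" line is present. Prints the directory path.
make_modprobe_d() {
    d=$(mktemp -d)
    printf 'blacklist iscsi\n' > "$d/blacklist-iscsi.conf"
    if [ "$1" = yes ]; then printf 'alias ipv6 off\n' > "$d/disable-ipv6.conf"; fi
    echo "$d"
}

# Stand-alone demo. A nonexistent directory stands in for an unreadable one
# (root cannot simulate EACCES with chmod); grep exits 2 for both.
demo() {
    on=$(make_modprobe_d yes); off=$(make_modprobe_d no)
    echo "disabled,     naive:   $(ipv6_disabled_naive "$on")"
    echo "not disabled, naive:   $(ipv6_disabled_naive "$off")"
    echo "unreadable,   naive:   $(ipv6_disabled_naive "$off/missing")"
    echo "unreadable,   checked: $(ipv6_disabled_checked "$off/missing" 2>/dev/null)"
    rm -rf "$on" "$off"
}
demo
```

The naive form reports "no" for the unreadable case, which is the silent outcome this bug produced at boot: ip6tables rules loaded even though the administrator had disabled IPv6 in modprobe.d. The checked form does not change the firewall decision by itself; its value is that the denial is reported where the service's log is read, rather than only as an AVC in audit.log.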

Comment 11 Lukas Vrabec 2017-11-27 08:48:32 UTC
*** Bug 1516052 has been marked as a duplicate of this bug. ***

Comment 12 Lukas Vrabec 2018-02-14 12:40:55 UTC
*** Bug 1544921 has been marked as a duplicate of this bug. ***

Comment 13 Jaroslav Škarvada 2018-02-19 00:04:39 UTC
*** Bug 1544923 has been marked as a duplicate of this bug. ***

Comment 14 Lukas Vrabec 2018-02-19 09:36:32 UTC
*** Bug 1544922 has been marked as a duplicate of this bug. ***

Comment 16 Tomas Dolezal 2018-03-05 17:05:19 UTC
*** Bug 1532656 has been marked as a duplicate of this bug. ***

Comment 18 errata-xmlrpc 2018-04-10 12:29:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763