Bug 1574383

Summary: map AVCs for dhclient after selinux-policy update
Product: Red Hat Enterprise Linux 7
Reporter: Tomas Pelka <tpelka>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Docs Contact:
Priority: high
Version: 7.6
CC: jstodola, lvrabec, mgrepl, mmalik, plautrba, ssekidde, tizhao
Target Milestone: pre-dev-freeze
Keywords: TestBlocker
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-197.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1574389 1574392 1574394
Environment:
Last Closed: 2018-10-30 10:03:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1568427, 1574389, 1574392, 1574394

Attachments:
  map AVCs
  selinux output of dhclient (includes all the steps)

Description Tomas Pelka 2018-05-03 07:42:42 UTC
Description of problem:
Seems that the new map permissions added in -193 deny dhclient and eventually end up with a system without an IPv4 address.

Version-Release number of selected component (if applicable):
kernel-3.10.0-878.el7
selinux-policy-targeted-3.13.1-193.el7
selinux-policy-3.13.1-193.el7

How reproducible:
100%

Steps to Reproduce:
1. 
2.
3.

Actual results:
May 03 08:12:25 placka kernel: type=1400 audit(1525327945.065:628): avc:  denied  { map } for  pid=6163 comm="dhclient" path="/usr/sbin/dhclient" dev="dm-4" ino=109060780 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_exec_t:s0 tclass=file permissive=0

May 03 08:14:25 placka kernel: type=1400 audit(1525328065.811:651): avc:  denied  { map } for  pid=6676 comm="dhclient" path="/usr/sbin/dhclient" dev="dm-4" ino=109060780 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_exec_t:s0 tclass=file permissive=0


Expected results:


Additional info:
Workaround:
either setenforce 0
or downgrade to selinux-policy-targeted-3.13.1-192.el7_5.3.noarch selinux-policy-3.13.1-192.el7_5.3

Comment 1 Tomas Pelka 2018-05-03 07:53:28 UTC
Created attachment 1430552 [details]
map AVCs

Seems this is not happening only for dhclient; here is the full list of map-related AVCs.

Comment 4 Tianhao 2018-07-03 07:46:40 UTC
It seems that it still does not work. I tried with selinux-policy 204.el7, and it did not configure the interface with an IPv4 address.
Seems the problem is related to
"
/usr/sbin/dhclient-script: line 734: 11610 Killed                  ip link set dev ${interface} up
/usr/sbin/dhclient-script: line 734: 11630 Killed                  arping -D -q -c2 -I ${interface} ${new_ip_address}
/usr/sbin/dhclient-script: line 335: 11642 Killed                  ip link set dev ${interface} up
/usr/sbin/dhclient-script: line 335: 11643 Killed                  ip -4 addr replace ${new_ip_address}/${new_prefix} broadcast ${new_broadcast_address} dev ${interface} valid_lft ${new_dhcp_lease_time} preferred_lft ${new_dhcp_lease_time} > /dev/null 2>&1
"

[root@hp-dl385g7-02 ~]# uname -r
3.10.0-915.el7.x86_64
[root@hp-dl385g7-02 ~]# rpm -qi selinux-policy
Name        : selinux-policy
Version     : 3.13.1
Release     : 204.el7
Architecture: noarch
Install Date: Tue 03 Jul 2018 03:12:25 AM EDT
Group       : System Environment/Base
Size        : 6478
License     : GPLv2+
Signature   : RSA/SHA256, Thu 14 Jun 2018 02:58:39 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : selinux-policy-3.13.1-204.el7.src.rpm
Build Date  : Thu 14 Jun 2018 12:52:43 PM EDT
Build Host  : arm64-011.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117
[root@hp-dl385g7-02 ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp4s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:b3:cc:e1:ba:ba brd ff:ff:ff:ff:ff:ff
    inet 10.73.130.61/23 brd 10.73.131.255 scope global noprefixroute dynamic enp4s0f0
       valid_lft 42606sec preferred_lft 42606sec
    inet6 2620:52:0:4982:a2b3:ccff:fee1:baba/64 scope global noprefixroute dynamic 
       valid_lft 2591999sec preferred_lft 604799sec
    inet6 fe80::a2b3:ccff:fee1:baba/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: enp4s0f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether a0:b3:cc:e1:ba:bc brd ff:ff:ff:ff:ff:ff
4: enp5s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:b3:cc:e1:ba:be brd ff:ff:ff:ff:ff:ff
5: enp5s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:b3:cc:e1:ba:c0 brd ff:ff:ff:ff:ff:ff
6: ens1f0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 00:10:18:ab:b3:90 brd ff:ff:ff:ff:ff:ff
7: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:15:17:19:62:a5 brd ff:ff:ff:ff:ff:ff
8: ens1f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 00:10:18:ab:b3:91 brd ff:ff:ff:ff:ff:ff
9: ens1f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:10:18:ab:b3:92 brd ff:ff:ff:ff:ff:ff
10: ens1f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:10:18:ab:b3:93 brd ff:ff:ff:ff:ff:ff
[root@hp-dl385g7-02 ~]# ethtool -i ens1f2
driver: tg3
version: 3.137
firmware-version: 5719-v1.20
expansion-rom-version: 
bus-info: 0000:06:00.2
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no
[root@hp-dl385g7-02 ~]# dhclient -v ens1f2
Internet Systems Consortium DHCP Client 4.2.5
Copyright 2004-2013 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

/usr/sbin/dhclient-script: line 734: 11610 Killed                  ip link set dev ${interface} up
Listening on LPF/ens1f2/00:10:18:ab:b3:92
Sending on   LPF/ens1f2/00:10:18:ab:b3:92
Sending on   Socket/fallback
DHCPDISCOVER on ens1f2 to 255.255.255.255 port 67 interval 4 (xid=0x51a03a41)
DHCPREQUEST on ens1f2 to 255.255.255.255 port 67 (xid=0x51a03a41)
DHCPOFFER from 192.168.1.253
DHCPACK from 192.168.1.253 (xid=0x51a03a41)
/usr/sbin/dhclient-script: line 734: 11630 Killed                  arping -D -q -c2 -I ${interface} ${new_ip_address}
/usr/sbin/dhclient-script: line 335: 11642 Killed                  ip link set dev ${interface} up
/usr/sbin/dhclient-script: line 335: 11643 Killed                  ip -4 addr replace ${new_ip_address}/${new_prefix} broadcast ${new_broadcast_address} dev ${interface} valid_lft ${new_dhcp_lease_time} preferred_lft ${new_dhcp_lease_time} > /dev/null 2>&1
bound to 192.168.1.150 -- renewal in 33403 seconds.
[root@hp-dl385g7-02 ~]# ip addr show ens1f2
9: ens1f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:10:18:ab:b3:92 brd ff:ff:ff:ff:ff:ff
[root@hp-dl385g7-02 ~]# getenforce 
Enforcing
[root@hp-dl385g7-02 ~]# setenforce 0
[root@hp-dl385g7-02 ~]# pkill dhclient 
[root@hp-dl385g7-02 ~]# dhclient -v ens1f2
Internet Systems Consortium DHCP Client 4.2.5
Copyright 2004-2013 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/ens1f2/00:10:18:ab:b3:92
Sending on   LPF/ens1f2/00:10:18:ab:b3:92
Sending on   Socket/fallback
DHCPREQUEST on ens1f2 to 255.255.255.255 port 67 (xid=0x56fbf202)
DHCPACK from 192.168.1.253 (xid=0x56fbf202)
bound to 192.168.1.150 -- renewal in 42810 seconds.
[root@hp-dl385g7-02 ~]# ip addr show ens1f2
9: ens1f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:10:18:ab:b3:92 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.150/24 brd 192.168.1.255 scope global dynamic ens1f2
       valid_lft 86394sec preferred_lft 86394sec
[root@hp-dl385g7-02 ~]# ping 192.168.1.254
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
64 bytes from 192.168.1.254: icmp_seq=2 ttl=255 time=4.75 ms
64 bytes from 192.168.1.254: icmp_seq=3 ttl=255 time=0.685 ms
64 bytes from 192.168.1.254: icmp_seq=4 ttl=255 time=0.967 ms
64 bytes from 192.168.1.254: icmp_seq=5 ttl=255 time=0.829 ms
--- 192.168.1.254 ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4003ms
rtt min/avg/max/mdev = 0.685/1.808/4.751/1.702 ms

reference job link:
https://beaker.engineering.redhat.com/jobs/2588236

Comment 5 Milos Malik 2018-07-09 10:19:57 UTC
Please collect SELinux denials on your machine and attach them here:

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Comment 6 Tianhao 2018-07-10 01:35:14 UTC
Created attachment 1457626 [details]
selinux output of dhclient (includes all the steps)

Comment 7 Milos Malik 2018-07-10 06:53:05 UTC
Thank you, Tianhao.

The following policy rules are needed:

allow dhcpc_t hostname_exec_t:file map;
allow dhcpc_t ifconfig_exec_t:file map;
allow dhcpc_t netutils_exec_t:file map;

Switching to ASSIGNED because the bug fix is not complete.
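
The "Killed" messages in comment 4 and the rules in comment 7 are two views of the same thing: execve of ip, arping and hostname from dhcpc_t reached the ELF loader, the map check on the helper's executable failed, and the kernel killed the half-exec'd process; each kill left an AVC naming the helper's exec type. Added example, not code from the bug report or from the selinux-policy project: a script that reads raw AVC records (the ausearch output requested in comment 5, or the kernel-log lines in the description), derives the allow rules they imply, and wraps them in a local policy module as a stopgap until the errata build is installed. The sample records are constructed from the description's two lines plus three lines of the same shape for the helpers named in comment 7 (their pids, inodes and paths are illustrative); the module name dhclient_map_fix is an assumption; checkmodule, semodule_package, semodule and ausearch are the stock RHEL 7 commands.

```shell
#!/bin/bash
# Added example (not from the bug report): AVC denial records -> allow rules
# -> local policy module. This is the transformation audit2allow performs,
# written out so the (source type, target type, class, permission) mapping
# is visible and reviewable before anything is loaded.
set -u
export LC_ALL=C   # deterministic sort order regardless of host locale

# Constructed sample input: the two kernel-log records from the description,
# plus three records of the same shape for the dhclient-script helpers named
# in comment 7 (pids, inodes and paths on those three are illustrative).
SAMPLE_AVCS='type=1400 audit(1525327945.065:628): avc:  denied  { map } for  pid=6163 comm="dhclient" path="/usr/sbin/dhclient" dev="dm-4" ino=109060780 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_exec_t:s0 tclass=file permissive=0
type=1400 audit(1525328065.811:651): avc:  denied  { map } for  pid=6676 comm="dhclient" path="/usr/sbin/dhclient" dev="dm-4" ino=109060780 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_exec_t:s0 tclass=file permissive=0
type=1400 audit(1530603145.100:700): avc:  denied  { map } for  pid=11610 comm="ip" path="/usr/sbin/ip" dev="dm-4" ino=1 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
type=1400 audit(1530603145.200:701): avc:  denied  { map } for  pid=11630 comm="arping" path="/usr/sbin/arping" dev="dm-4" ino=2 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=0
type=1400 audit(1530603145.300:702): avc:  denied  { map } for  pid=11650 comm="hostname" path="/usr/bin/hostname" dev="dm-4" ino=3 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0'

# avc_to_rules: raw AVC records on stdin -> one "allow S T:C P;" line per
# distinct (source type, target type, class, permission) tuple, sorted.
# Only "denied" records are used; the type is the third field of a context.
avc_to_rules() {
  awk '
    /avc: +denied/ {
      perm = $0
      sub(/.*denied +[{] */, "", perm); sub(/ *[}].*/, "", perm)
      n = split(perm, perms, " ")
      match($0, /scontext=[^ ]+/); s = substr($0, RSTART + 9, RLENGTH - 9)
      match($0, /tcontext=[^ ]+/); t = substr($0, RSTART + 9, RLENGTH - 9)
      match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
      split(s, sa, ":"); split(t, ta, ":")
      for (i = 1; i <= n; i++)
        print "allow " sa[3] " " ta[3] ":" c " " perms[i] ";"
    }' | sort -u
}

# make_te NAME: rules on stdin -> a complete .te module on stdout, with a
# require block declaring every type and class/permission the rules use.
make_te() {
  local name="$1" rules
  rules=$(cat)
  printf 'module %s 1.0;\n\nrequire {\n' "$name"
  printf '%s\n' "$rules" | awk '{ t = $3; sub(/:.*/, "", t)
                                  print "\ttype " $2 ";"; print "\ttype " t ";" }' | sort -u
  printf '%s\n' "$rules" | awk '{ c = $3; sub(/.*:/, "", c); p = $4; sub(/;$/, "", p)
                                  if (!seen[c, p]++) cls[c] = cls[c] " " p }
                             END { for (c in cls) print "\tclass " c " {" cls[c] " };" }' | sort
  printf '}\n\n%s\n' "$rules"
}

# install_module NAME: .te on stdin -> compiled, packaged and loaded.
# Needs root and the policy toolchain; returns 2 (without loading) otherwise.
install_module() {
  local name="$1" dir
  if ! command -v checkmodule >/dev/null 2>&1 || ! command -v semodule >/dev/null 2>&1; then
    echo "checkmodule/semodule not installed; module not loaded" >&2
    return 2
  fi
  dir=$(mktemp -d)
  cat > "$dir/$name.te"
  checkmodule -M -m -o "$dir/$name.mod" "$dir/$name.te" &&
    semodule_package -o "$dir/$name.pp" -m "$dir/$name.mod" &&
    semodule -i "$dir/$name.pp"
}

# Show the module the sample denials produce (nothing is loaded here).
printf '%s\n' "$SAMPLE_AVCS" | avc_to_rules | make_te dhclient_map_fix

# Real use, as root, after reproducing the failure in enforcing mode
# (raw ausearch output, not -i, so the contexts stay machine-parsable):
#   ausearch -m avc -ts today | avc_to_rules | make_te dhclient_map_fix \
#     | install_module dhclient_map_fix
```

Read the generated rules before loading them: a local module built from denials grants exactly what was denied, which is only safe when, as here, each tuple is one that the maintainer has already identified as missing. Once the fixed selinux-policy is installed, confirm the rules with the sesearch queries in comment 8 and remove the stopgap with `semodule -r dhclient_map_fix`, so a local module does not silently mask future policy regressions.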

Comment 8 Lukas Vrabec 2018-07-17 15:51:49 UTC
# sesearch -A -s dhcpc_t -t hostname_exec_t -c file -p map
Found 1 semantic av rules:
   allow dhcpc_t hostname_exec_t : file { read getattr map execute open } ; 

# sesearch -A -s dhcpc_t -t ifconfig_exec_t -c file -p map
Found 1 semantic av rules:
   allow dhcpc_t ifconfig_exec_t : file { read getattr map execute open } ; 

# sesearch -A -s dhcpc_t -t netutils_exec_t -c file -p map
Found 1 semantic av rules:
   allow dhcpc_t netutils_exec_t : file { read getattr map execute open } ; 

# rpm -q selinux-policy
selinux-policy-3.13.1-207.el7.noarch


Looks fixed on my system.

Comment 11 errata-xmlrpc 2018-10-30 10:03:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111