Bug 1574383

| Field | Value |
|---|---|
| Summary | map AVCs for dhclient after selinux-policy update |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Tomas Pelka <tpelka> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | 7.6 |
| CC | jstodola, lvrabec, mgrepl, mmalik, plautrba, ssekidde, tizhao |
| Target Milestone | pre-dev-freeze |
| Keywords | TestBlocker |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | selinux-policy-3.13.1-197.el7 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 1574389 1574392 1574394 |
| Environment | |
| Last Closed | 2018-10-30 10:03:50 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1568427, 1574389, 1574392, 1574394 |
| Attachments | |

Description
Tomas Pelka
2018-05-03 07:42:42 UTC
Created attachment 1430552 [details]
map AVCs
Seems this is not happening only for dhclient, here is the full list of map related AVCs.

It seems that it still does not work. I tried with selinux-policy 204.el7, and it did not configure the interface with an ipv4 address. Seems the problem is related to:

```
/usr/sbin/dhclient-script: line 734: 11610 Killed                  ip link set dev ${interface} up
/usr/sbin/dhclient-script: line 734: 11630 Killed                  arping -D -q -c2 -I ${interface} ${new_ip_address}
/usr/sbin/dhclient-script: line 335: 11642 Killed                  ip link set dev ${interface} up
/usr/sbin/dhclient-script: line 335: 11643 Killed                  ip -4 addr replace ${new_ip_address}/${new_prefix} broadcast ${new_broadcast_address} dev ${interface} valid_lft ${new_dhcp_lease_time} preferred_lft ${new_dhcp_lease_time} > /dev/null 2>&1
```

```
[root@hp-dl385g7-02 ~]# uname -r
3.10.0-915.el7.x86_64
[root@hp-dl385g7-02 ~]# rpm -qi selinux-policy
Name        : selinux-policy
Version     : 3.13.1
Release     : 204.el7
Architecture: noarch
Install Date: Tue 03 Jul 2018 03:12:25 AM EDT
Group       : System Environment/Base
Size        : 6478
License     : GPLv2+
Signature   : RSA/SHA256, Thu 14 Jun 2018 02:58:39 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : selinux-policy-3.13.1-204.el7.src.rpm
Build Date  : Thu 14 Jun 2018 12:52:43 PM EDT
Build Host  : arm64-011.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
[root@hp-dl385g7-02 ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp4s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:b3:cc:e1:ba:ba brd ff:ff:ff:ff:ff:ff
    inet 10.73.130.61/23 brd 10.73.131.255 scope global noprefixroute dynamic enp4s0f0
       valid_lft 42606sec preferred_lft 42606sec
    inet6 2620:52:0:4982:a2b3:ccff:fee1:baba/64 scope global noprefixroute dynamic
       valid_lft 2591999sec preferred_lft 604799sec
    inet6 fe80::a2b3:ccff:fee1:baba/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: enp4s0f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether a0:b3:cc:e1:ba:bc brd ff:ff:ff:ff:ff:ff
4: enp5s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:b3:cc:e1:ba:be brd ff:ff:ff:ff:ff:ff
5: enp5s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:b3:cc:e1:ba:c0 brd ff:ff:ff:ff:ff:ff
6: ens1f0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 00:10:18:ab:b3:90 brd ff:ff:ff:ff:ff:ff
7: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:15:17:19:62:a5 brd ff:ff:ff:ff:ff:ff
8: ens1f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 00:10:18:ab:b3:91 brd ff:ff:ff:ff:ff:ff
9: ens1f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:10:18:ab:b3:92 brd ff:ff:ff:ff:ff:ff
10: ens1f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:10:18:ab:b3:93 brd ff:ff:ff:ff:ff:ff
[root@hp-dl385g7-02 ~]# ethtool -i ens1f2
driver: tg3
version: 3.137
firmware-version: 5719-v1.20
expansion-rom-version:
bus-info: 0000:06:00.2
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no
[root@hp-dl385g7-02 ~]# dhclient -v ens1f2
Internet Systems Consortium DHCP Client 4.2.5
Copyright 2004-2013 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

/usr/sbin/dhclient-script: line 734: 11610 Killed                  ip link set dev ${interface} up
Listening on LPF/ens1f2/00:10:18:ab:b3:92
Sending on   LPF/ens1f2/00:10:18:ab:b3:92
Sending on   Socket/fallback
DHCPDISCOVER on ens1f2 to 255.255.255.255 port 67 interval 4 (xid=0x51a03a41)
DHCPREQUEST on ens1f2 to 255.255.255.255 port 67 (xid=0x51a03a41)
DHCPOFFER from 192.168.1.253
DHCPACK from 192.168.1.253 (xid=0x51a03a41)
/usr/sbin/dhclient-script: line 734: 11630 Killed                  arping -D -q -c2 -I ${interface} ${new_ip_address}
/usr/sbin/dhclient-script: line 335: 11642 Killed                  ip link set dev ${interface} up
/usr/sbin/dhclient-script: line 335: 11643 Killed                  ip -4 addr replace ${new_ip_address}/${new_prefix} broadcast ${new_broadcast_address} dev ${interface} valid_lft ${new_dhcp_lease_time} preferred_lft ${new_dhcp_lease_time} > /dev/null 2>&1
bound to 192.168.1.150 -- renewal in 33403 seconds.
[root@hp-dl385g7-02 ~]# ip addr show ens1f2
9: ens1f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:10:18:ab:b3:92 brd ff:ff:ff:ff:ff:ff
[root@hp-dl385g7-02 ~]# getenforce
Enforcing
[root@hp-dl385g7-02 ~]# setenforce 0
[root@hp-dl385g7-02 ~]# pkill dhclient
[root@hp-dl385g7-02 ~]# dhclient -v ens1f2
Internet Systems Consortium DHCP Client 4.2.5
Copyright 2004-2013 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/ens1f2/00:10:18:ab:b3:92
Sending on   LPF/ens1f2/00:10:18:ab:b3:92
Sending on   Socket/fallback
DHCPREQUEST on ens1f2 to 255.255.255.255 port 67 (xid=0x56fbf202)
DHCPACK from 192.168.1.253 (xid=0x56fbf202)
bound to 192.168.1.150 -- renewal in 42810 seconds.
[root@hp-dl385g7-02 ~]# ip addr show ens1f2
9: ens1f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:10:18:ab:b3:92 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.150/24 brd 192.168.1.255 scope global dynamic ens1f2
       valid_lft 86394sec preferred_lft 86394sec
[root@hp-dl385g7-02 ~]# ping 192.168.1.254
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
64 bytes from 192.168.1.254: icmp_seq=2 ttl=255 time=4.75 ms
64 bytes from 192.168.1.254: icmp_seq=3 ttl=255 time=0.685 ms
64 bytes from 192.168.1.254: icmp_seq=4 ttl=255 time=0.967 ms
64 bytes from 192.168.1.254: icmp_seq=5 ttl=255 time=0.829 ms

--- 192.168.1.254 ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4003ms
rtt min/avg/max/mdev = 0.685/1.808/4.751/1.702 ms
```

reference job link: https://beaker.engineering.redhat.com/jobs/2588236

Please collect SELinux denials on your machine and attach them here:

```
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
```

Created attachment 1457626 [details]
selinux output of dhclient (includes all the steps)

Thank you, Tianhao. The following policy rules are needed:

```
allow dhcpc_t hostname_exec_t:file map;
allow dhcpc_t ifconfig_exec_t:file map;
allow dhcpc_t netutils_exec_t:file map;
```

Switching to ASSIGNED because the bug fix is not complete.

```
# sesearch -A -s dhcpc_t -t hostname_exec_t -c file -p map
Found 1 semantic av rules:
   allow dhcpc_t hostname_exec_t : file { read getattr map execute open } ;

# sesearch -A -s dhcpc_t -t ifconfig_exec_t -c file -p map
Found 1 semantic av rules:
   allow dhcpc_t ifconfig_exec_t : file { read getattr map execute open } ;

# sesearch -A -s dhcpc_t -t netutils_exec_t -c file -p map
Found 1 semantic av rules:
   allow dhcpc_t netutils_exec_t : file { read getattr map execute open } ;

# rpm -q selinux-policy
selinux-policy-3.13.1-207.el7.noarch
```

Looks fixed on my system.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111
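The workflow in this bug (collect the `map` AVCs with `ausearch`, derive the missing `allow` rules, then confirm with `sesearch` that the new policy carries them) can be scripted. The block below is an added example written for this page; it is not code from the bug report, from audit2allow, or from the selinux-policy package. It parses `ausearch -i` style AVC records into (source type, target type, class, permissions) tuples, aggregates them into the rules they imply, and diffs them against parsed `sesearch` output to report what a policy still lacks. The AVC records and both `sesearch` listings are constructed for the example and only modelled on the types named in the bug; the "before" listing is an assumed policy without the `map` permission, not a transcript of 204.el7.

```python
"""Derive SELinux allow rules from AVC denials and check a policy for them.

Added example; not from the bug report or from selinux-policy.  Does, in a
simplified way, what audit2allow does.  All AVC records and sesearch output
below are constructed and only modelled on the types the bug names.
"""
import re

# Constructed ausearch -i style records: three map denials (one duplicated),
# one unrelated denial on a different class, and a SYSCALL record to skip.
SAMPLE_AVCS = """\
type=AVC msg=audit(05/03/2018 09:30:12.123:456) : avc:  denied  { map } for  pid=11610 comm=ip path=/usr/sbin/ip dev="dm-0" ino=1234 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(05/03/2018 09:30:12.456:457) : avc:  denied  { map } for  pid=11630 comm=arping path=/usr/sbin/arping dev="dm-0" ino=1235 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(05/03/2018 09:30:13.001:458) : avc:  denied  { map } for  pid=11650 comm=hostname path=/usr/bin/hostname dev="dm-0" ino=1236 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(05/03/2018 09:30:13.500:459) : avc:  denied  { map } for  pid=11651 comm=hostname path=/usr/bin/hostname dev="dm-0" ino=1236 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(05/03/2018 09:30:14.000:460) : avc:  denied  { name_bind } for  pid=11600 comm=dhclient src=68 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket permissive=0
type=SYSCALL msg=audit(05/03/2018 09:30:13.500:459) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied)
"""

# Constructed sesearch -A output: an assumed policy without map, and one with it.
SESEARCH_WITHOUT_MAP = """\
Found 3 semantic av rules:
   allow dhcpc_t hostname_exec_t : file { read getattr execute open } ;
   allow dhcpc_t ifconfig_exec_t : file { read getattr execute open } ;
   allow dhcpc_t netutils_exec_t : file { read getattr execute open } ;
"""
SESEARCH_WITH_MAP = SESEARCH_WITHOUT_MAP.replace("getattr execute", "getattr map execute")

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)"   # user:role:TYPE[:range]
    r".*?tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)"
    r".*?tclass=(?P<tclass>\S+)"
    r"(?:.*?permissive=(?P<permissive>[01]))?"
)
# sesearch prints "allow S T : C { p1 p2 } ;"; also accept a bare single permission.
SESEARCH_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*(?:\{\s*([^}]*?)\s*\}|(\w+))"
)


def parse_avc(line):
    """Return (stype, ttype, tclass, perms, permissive) for one AVC record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = frozenset(m.group("perms").split())
    return m.group("stype"), m.group("ttype"), m.group("tclass"), perms, m.group("permissive") == "1"


def required_rules(avc_text, only_perm=None):
    """Aggregate denials per (stype, ttype, tclass) -> set of permissions.

    Denials logged in permissive mode count too: they show what enforcing
    mode would block.  only_perm restricts the result to one permission
    (here: "map"), so unrelated denials do not get folded into the fix."""
    needed = {}
    for line in avc_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms, _permissive = parsed
        if only_perm is not None:
            perms = {p for p in perms if p == only_perm}
            if not perms:
                continue
        needed.setdefault((stype, ttype, tclass), set()).update(perms)
    return needed


def format_rule(stype, ttype, tclass, perms):
    """Render one rule in the policy-language form used in the bug's comment."""
    perm_str = " ".join(sorted(perms))
    if len(perms) > 1:
        perm_str = "{ %s }" % perm_str
    return "allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str)


def parse_sesearch(text):
    """Parse sesearch -A output into (stype, ttype, tclass) -> set of granted permissions."""
    granted = {}
    for m in SESEARCH_RE.finditer(text):
        stype, ttype, tclass, braced, single = m.groups()
        perms = set(braced.split()) if braced is not None else {single}
        granted.setdefault((stype, ttype, tclass), set()).update(perms)
    return granted


def missing_rules(needed, granted):
    """Rules the policy must still gain so that every recorded denial would be allowed."""
    out = []
    for key in sorted(needed):
        lacking = needed[key] - granted.get(key, set())
        if lacking:
            out.append(format_rule(*key, lacking))
    return out


if __name__ == "__main__":
    needed = required_rules(SAMPLE_AVCS, only_perm="map")
    print("policy without map still needs:")
    for rule in missing_rules(needed, parse_sesearch(SESEARCH_WITHOUT_MAP)):
        print("   ", rule)
    print("policy with map still needs:", missing_rules(needed, parse_sesearch(SESEARCH_WITH_MAP)) or "nothing")
```

On a real system the inputs come from `ausearch -m avc -i -ts today` and from `sesearch -A -s dhcpc_t -c file -p map`, and rules derived this way belong in a local policy module that is reviewed before it is loaded; the point of the diff step is to verify, as the last comments in the bug do, that an updated selinux-policy build already carries the rules rather than adding them twice.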