Bug 1575369
| Field | Value |
|---|---|
| Summary | Conntrackd does not start up due to selinux policy |
| Product | Fedora |
| Component | selinux-policy |
| Version | 28 |
| Status | CLOSED ERRATA |
| Fixed In Version | selinux-policy-3.14.1-36.fc28 |
| Reporter | Florian Bezdeka <florian> |
| Assignee | Lukas Vrabec <lvrabec> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | bperkins, dwalsh, i, lvrabec, mgrepl, orion, plautrba, pmoore, pwouters, twoerner |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Doc Type | If docs needed, set a value |
| Last Closed | 2018-07-29 03:23:26 UTC |
Created attachment 1432373
Conntrackd configuration

Description of problem:

I updated one of my systems from Fedora 27 to 28. Conntrackd refuses to start afterwards. The following was taken from the conntrackd log:

```
[Sat May 5 11:36:24 2018] (pid=2859) [ERROR] can't open channel socket
[Sat May 5 11:36:24 2018] (pid=2859) [ERROR] initialization failed
[Sun May 6 12:31:19 2018] (pid=6528) [ERROR] can't open channel socket
[Sun May 6 12:31:19 2018] (pid=6528) [ERROR] initialization failed
[Sun May 6 12:38:54 2018] (pid=6826) [ERROR] can't open channel socket
[Sun May 6 12:38:54 2018] (pid=6826) [ERROR] initialization failed
[Sun May 6 12:44:27 2018] (pid=6972) [ERROR] can't open channel socket
[Sun May 6 12:44:27 2018] (pid=6972) [ERROR] initialization failed
[Sun May 6 12:49:59 2018] (pid=7158) [ERROR] can't get kernel conntrack table
```

After some debugging I found out that this problem is related to SELinux. After disabling SELinux ("setenforce 0") conntrackd was able to start. The SELinux (or audit) log did not report any error (due to "dontaudit" rules). After disabling dontaudit rules /var/log/audit/audit.log contained some errors. (See attachment)

Version-Release number of selected component (if applicable):

Connection tracking userspace daemon v1.4.4. Licensed under GPLv2. (C) 2006-2009 Pablo Neira Ayuso <pablo>

How reproducible:

I attached the used configuration (and removed some IP addresses, see <removed> tags). I think conntrackd will start up even if the complete environment including a second machine is not present.

Steps to Reproduce:
1. Copy conntrackd configuration to /etc/conntrackd/conntrackd.conf
2. Try starting up conntrackd using "sudo service conntrackd start"

Actual results:
The start of conntrackd fails.

Expected results:
conntrackd starts up.

Additional info:
The following type enforcement fixes this issue. But I'm not sure if the permissions granted are too permissive.

```
module f28_conntrackdfix 1.0;

require {
	type init_t;
	type unconfined_service_t;
	type kernel_t;
	type conntrackd_t;
	class process { noatsecure siginh };
	class capability net_admin;
	class system module_request;
}

#============= conntrackd_t ==============
#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow conntrackd_t kernel_t:system module_request;

#!!!! This avc has a dontaudit rule in the current policy
allow conntrackd_t self:capability net_admin;

#============= init_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow init_t conntrackd_t:process noatsecure;

#!!!! This avc has a dontaudit rule in the current policy
allow init_t unconfined_service_t:process siginh;
```

---

Created attachment 1432374
SELinux log with disabled dontaudit rules

There was another issue when trying to start conntrackd using a cluster manager like Pacemaker. conntrackd was not allowed to connect to a unix socket. I have to update the currently used SELinux type enforcement:

```
module f28_conntrackdfix 1.0;

require {
	type kernel_t;
	type unconfined_service_t;
	type conntrackd_t;
	type init_t;
	class process { noatsecure siginh };
	class capability net_admin;
	class unix_stream_socket connectto;
	class system module_request;
}

#============= conntrackd_t ==============
#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow conntrackd_t kernel_t:system module_request;

#!!!! This avc has a dontaudit rule in the current policy
allow conntrackd_t self:capability net_admin;

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow conntrackd_t self:unix_stream_socket connectto;

#============= init_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow init_t conntrackd_t:process noatsecure;

#!!!! This avc has a dontaudit rule in the current policy
allow init_t unconfined_service_t:process siginh;
```

Is conntrack-tools the right component for this bug report? Should I change it to selinux-policy?

---

Hi,

Could you reproduce it and attach raw AVC msgs?

Thanks,
Lukas.

---

Hi,

what is the exact difference between the provided attachment and raw AVC messages? As mentioned above, I had to disable "dontaudit rules" to receive any SELinux messages in the audit log.

Regards,
Florian

---

I saw the same thing. The workaround above worked for me as well.

---

selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

---

selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

---

selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
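As an added example (not from this bug report or from the selinux-policy project): a minimal audit2allow-style pass over AVC denials of the kind the reporter only saw after disabling dontaudit rules. It collapses the denials into the allow rules of the f28_conntrackdfix module above and flags the two that the comments say an existing policy boolean already covers, so a defender can prefer `setsebool` over loading a custom module. The sample audit lines and the boolean hint table are constructed for this example, not taken from the attachment or the loaded policy.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not the bug's attachment); they mirror the rules in
# the reporter's module. Real lines appear in audit.log once `semodule -DB` disables dontaudit.
SAMPLE_AVCS = """\
type=AVC msg=audit(1525599384.101:201): avc:  denied  { module_request } for  pid=2859 comm="conntrackd" kmod="nfnetlink" scontext=system_u:system_r:conntrackd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=AVC msg=audit(1525599384.102:202): avc:  denied  { net_admin } for  pid=2859 comm="conntrackd" capability=12 scontext=system_u:system_r:conntrackd_t:s0 tcontext=system_u:system_r:conntrackd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1525599384.103:203): avc:  denied  { connectto } for  pid=2859 comm="conntrackd" path="/var/run/conntrackd.ctl" scontext=system_u:system_r:conntrackd_t:s0 tcontext=system_u:system_r:conntrackd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1525599384.100:200): avc:  denied  { noatsecure } for  pid=2859 comm="(ntrackd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:conntrackd_t:s0 tclass=process permissive=0
"""

# Pull the permission set, the type field of both contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)\S*\s+tclass=(?P<tclass>\w+)"
)

# Boolean hints as stated in the comments on this bug (assumed table, not read from the
# loaded policy): these rules are better enabled with `setsebool -P` than a custom module.
BOOLEAN_HINTS = {
    ("conntrackd_t", "kernel_t", "system", "module_request"): "domain_kernel_load_modules",
    ("conntrackd_t", "conntrackd_t", "unix_stream_socket", "connectto"): "daemons_enable_cluster_mode",
}

def parse_avcs(log_text):
    """Collapse AVC denials into {(source type, target type, class): {perms}}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)

def to_te(rules, name="f28_conntrackdfix"):
    """Render TE module source in the layout the reporter's module uses."""
    types = sorted({t for s, tt, _ in rules for t in (s, tt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        for p in sorted(perms):
            if hint := BOOLEAN_HINTS.get((s, t, cls, p)):
                out.append(f"#!!!! This avc can be allowed using the boolean '{hint}'")
        perm_str = " ".join(perms) if len(perms) == 1 else f"{{ {' '.join(sorted(perms))} }}"
        out.append(f"allow {s} {'self' if s == t else t}:{cls} {perm_str};")
    return "\n".join(out)
```

Run `print(to_te(parse_avcs(SAMPLE_AVCS)))` to see the generated module; a denied perm with a hint should be resolved by the boolean first, leaving only the remaining rules for a module.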