Bug 1759214
Summary: | ptp4l not allowed to use L2 transport | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Miroslav Lichvar <mlichvar> | |
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
Severity: | medium | Docs Contact: | ||
Priority: | medium | |||
Version: | 8.0 | CC: | fedora, ffotorel, hakhande, haliu, jpichon, kfida, lvrabec, mlichvar, mmalik, mthacker, pcahyna, plautrba, ssekidde, zpytela | |
Target Milestone: | rc | Keywords: | Triaged, ZStream | |
Target Release: | 8.3 | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | No Doc Update | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | 1759212 | |||
: | 1884267 (view as bug list) | Environment: | ||
Last Closed: | 2020-11-04 01:55:53 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1884267 |
Description
Miroslav Lichvar
2019-10-07 15:48:21 UTC
Caught in enforcing mode: ---- type=PROCTITLE msg=audit(10/08/2019 05:16:48.121:304) : proctitle=/usr/sbin/ptp4l -f /etc/ptp4l.conf -i eth0 --network_transport L2 -S type=SYSCALL msg=audit(10/08/2019 05:16:48.121:304) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=packet a1=SOCK_RAW a2=unknown-proto(300) a3=0xc items=0 ppid=1 pid=31324 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ptp4l exe=/usr/sbin/ptp4l subj=system_u:system_r:ptp4l_t:s0 key=(null) type=AVC msg=audit(10/08/2019 05:16:48.121:304) : avc: denied { create } for pid=31324 comm=ptp4l scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=0 ---- Caught in permissive mode: ---- type=PROCTITLE msg=audit(10/08/2019 05:21:36.009:331) : proctitle=/usr/sbin/ptp4l -f /etc/ptp4l.conf -i eth0 --network_transport L2 -S type=SYSCALL msg=audit(10/08/2019 05:21:36.009:331) : arch=x86_64 syscall=socket success=yes exit=12 a0=packet a1=SOCK_RAW a2=unknown-proto(300) a3=0xc items=0 ppid=1 pid=3772 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ptp4l exe=/usr/sbin/ptp4l subj=system_u:system_r:ptp4l_t:s0 key=(null) type=AVC msg=audit(10/08/2019 05:21:36.009:331) : avc: denied { create } for pid=3772 comm=ptp4l scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1 ---- type=PROCTITLE msg=audit(10/08/2019 05:21:36.009:332) : proctitle=/usr/sbin/ptp4l -f /etc/ptp4l.conf -i eth0 --network_transport L2 -S type=SYSCALL msg=audit(10/08/2019 05:21:36.009:332) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0xc a1=SIOCGIFINDEX a2=0x7ffec8cbba70 a3=0xc items=0 ppid=1 pid=3772 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ptp4l exe=/usr/sbin/ptp4l subj=system_u:system_r:ptp4l_t:s0 key=(null) type=AVC msg=audit(10/08/2019 05:21:36.009:332) : avc: denied { ioctl } for pid=3772 comm=ptp4l path=socket:[57448] dev="sockfs" ino=57448 ioctlcmd=SIOCGIFINDEX scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1 ---- type=PROCTITLE msg=audit(10/08/2019 05:21:36.009:333) : proctitle=/usr/sbin/ptp4l -f /etc/ptp4l.conf -i eth0 --network_transport L2 -S type=SOCKADDR msg=audit(10/08/2019 05:21:36.009:333) : saddr={ saddr_fam=packet (unsupported) } type=SYSCALL msg=audit(10/08/2019 05:21:36.009:333) : arch=x86_64 syscall=bind success=yes exit=0 a0=0xc a1=0x7ffec8cbbad0 a2=0x14 a3=0xc items=0 ppid=1 pid=3772 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ptp4l exe=/usr/sbin/ptp4l subj=system_u:system_r:ptp4l_t:s0 key=(null) type=AVC msg=audit(10/08/2019 05:21:36.009:333) : avc: denied { bind } for pid=3772 comm=ptp4l scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1 ---- type=PROCTITLE msg=audit(10/08/2019 05:21:36.009:334) : proctitle=/usr/sbin/ptp4l -f /etc/ptp4l.conf -i eth0 --network_transport L2 -S type=SYSCALL msg=audit(10/08/2019 05:21:36.009:334) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0xc a1=SOL_SOCKET a2=SO_BINDTODEVICE a3=0x55e5a3d6dbb5 items=0 ppid=1 pid=3772 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ptp4l exe=/usr/sbin/ptp4l subj=system_u:system_r:ptp4l_t:s0 key=(null) type=AVC msg=audit(10/08/2019 05:21:36.009:334) : avc: denied { setopt } for pid=3772 comm=ptp4l scontext=system_u:system_r:ptp4l_t:s0 tcontext=system_u:system_r:ptp4l_t:s0 tclass=packet_socket permissive=1 ---- I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy-contrib/pull/200 I've submitted a Fedora PR to allow the sys_admin capability: https://github.com/fedora-selinux/selinux-policy-contrib/pull/254 commit 15b3cef9562733612187b871a1e9bb4dc515dabd (HEAD -> rawhide, origin/rawhide, origin/HEAD) Author: Zdenek Pytela <zpytela> Date: Mon Jun 1 13:47:25 2020 +0200 Allow ptp4l_t sys_admin capability to run bpf programs In ptp4l, setsockopt() with SO_ATTACH_FILTER raises sk_attach_filter() running a bpf program, for which the SYS_ADMIN capability is required. I would like to request that this bug be released via 8.2.0.4 because it is required for PTP feature to be delivered by NFV team in RHOSP 16.1.3, due for release in December. RHOSP 16.1.x uses RHEL 8.2. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4528 |