Bug 1834325

Summary: the ladvd service triggers SELinux denials
Product: Fedora
Reporter: Milos Malik <mmalik>
Component: ladvd
Assignee: Tomasz Torcz <tomek>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 32
CC: andreas, tomek
Hardware: x86_64
OS: Linux
Fixed In Version: ladvd-1.1.2-7.fc32
Last Closed: 2020-06-26 00:45:16 UTC
Type: Bug

Description Milos Malik 2020-05-11 14:08:41 UTC
The following rules are missing in the ladvd policy module:

allow init_t ladvd_t:process2 nnp_transition;
allow init_t self:packet_socket map;

Version-Release number of selected component (if applicable):
ladvd-1.1.2-6.fc32.x86_64
ladvd-selinux-1.1.2-6.fc32.x86_64
selinux-policy-3.14.5-38.fc32.noarch
selinux-policy-devel-3.14.5-38.fc32.noarch
selinux-policy-doc-3.14.5-38.fc32.noarch
selinux-policy-targeted-3.14.5-38.fc32.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 31 or 32 machine (targeted policy is active)
2. start the ladvd service
3. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(05/11/2020 15:54:36.394:1870) : proctitle=/usr/sbin/ladvd -f -t -a -z 
type=PATH msg=audit(05/11/2020 15:54:36.394:1870) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=8389818 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/11/2020 15:54:36.394:1870) : item=0 name=/usr/sbin/ladvd inode=8487505 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ladvd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/11/2020 15:54:36.394:1870) : cwd=/ 
type=EXECVE msg=audit(05/11/2020 15:54:36.394:1870) : argc=5 a0=/usr/sbin/ladvd a1=-f a2=-t a3=-a a4=-z 
type=SYSCALL msg=audit(05/11/2020 15:54:36.394:1870) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x564369296c60 a1=0x564369548ba0 a2=0x564369314250 a3=0x56436963a920 items=2 ppid=1 pid=41362 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ladvd exe=/usr/sbin/ladvd subj=system_u:system_r:init_t:s0 key=(null) 
type=SELINUX_ERR msg=audit(05/11/2020 15:54:36.394:1870) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:ladvd_t:s0 
type=AVC msg=audit(05/11/2020 15:54:36.394:1870) : avc:  denied  { nnp_transition } for  pid=41362 comm=(ladvd) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=process2 permissive=0 
----
type=PROCTITLE msg=audit(05/11/2020 15:54:36.450:1871) : proctitle=/usr/sbin/ladvd -f -t -a -z 
type=MMAP msg=audit(05/11/2020 15:54:36.450:1871) : fd=11 flags=MAP_SHARED 
type=SYSCALL msg=audit(05/11/2020 15:54:36.450:1871) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x28f000 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED items=0 ppid=1 pid=41362 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ladvd exe=/usr/sbin/ladvd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/11/2020 15:54:36.450:1871) : avc:  denied  { map } for  pid=41362 comm=ladvd path=socket:[637766] dev="sockfs" ino=637766 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=packet_socket permissive=0 
----

Expected results:
 * the ladvd service does not trigger any SELinux denials when started in the default configuration

Additional information from the journal:
ladvd[41362]: opening raw socket failed
ladvd[41362]: pcap_activate for ens3 failed
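The two AVC records quoted in the report are exactly the input from which rules such as the ones above are derived (audit2allow does the same job). The following script is an added example, not part of the bug report or of the ladvd or selinux-policy packages: it parses AVC records into `(source type, target type, class, permissions)` tuples, merges them into allow rules in the same form the reporter lists, and separately flags the `SELINUX_ERR op=security_bounded_transition` record, which is what the kernel logs when a domain transition is attempted under NoNewPrivileges and neither `nnp_transition` nor a bounded-type relationship permits it. The sample lines are the report's own records; the function and regex names are the example's.

```python
"""Derive candidate SELinux allow rules from audit AVC records.

Added example (not part of the bug report, ladvd, or selinux-policy): a
small audit2allow-style parser for the records quoted in the report.
"""
import re

# Quoted from the bug report: one SELINUX_ERR record and two AVC records.
SAMPLE_AUDIT_LINES = [
    "type=SELINUX_ERR msg=audit(05/11/2020 15:54:36.394:1870) : "
    "op=security_bounded_transition seresult=denied "
    "oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:ladvd_t:s0",
    "type=AVC msg=audit(05/11/2020 15:54:36.394:1870) : avc:  denied  { nnp_transition } "
    "for  pid=41362 comm=(ladvd) scontext=system_u:system_r:init_t:s0 "
    "tcontext=system_u:system_r:ladvd_t:s0 tclass=process2 permissive=0",
    "type=AVC msg=audit(05/11/2020 15:54:36.450:1871) : avc:  denied  { map } for  "
    "pid=41362 comm=ladvd path=socket:[637766] dev=\"sockfs\" ino=637766 "
    "scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 "
    "tclass=packet_socket permissive=0",
]

# Permissions inside { }, then the source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# A denied bounded transition (logged under NoNewPrivileges / nosuid execs).
BOUNDED_RE = re.compile(
    r"op=security_bounded_transition\s+seresult=denied\s+"
    r"oldcontext=(?P<old>\S+)\s+newcontext=(?P<new>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial; return None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def derive_allow_rules(lines):
    """Merge AVC denials per (source, target, class) into allow rules.

    Like audit2allow, a target equal to the source is written as 'self'
    and a single permission is written without braces.
    """
    merged = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        merged.setdefault(key, set()).update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if stype == ttype else ttype
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


def bounded_transition_failures(lines):
    """Return (old_type, new_type) for every denied bounded transition."""
    found = []
    for line in lines:
        m = BOUNDED_RE.search(line)
        if m:
            found.append((type_of(m.group("old")), type_of(m.group("new"))))
    return found


if __name__ == "__main__":
    for rule in derive_allow_rules(SAMPLE_AUDIT_LINES):
        print(rule)
    for old, new in bounded_transition_failures(SAMPLE_AUDIT_LINES):
        print(f"# transition {old} -> {new} denied under NoNewPrivileges; "
              f"requires nnp_transition on class process2")
```

Run as-is it prints the two rules from the description. One caveat the records themselves show: the `execve` succeeded (`success=yes`) while the transition to `ladvd_t` was denied, so the later `mmap` ran with `subj=...:init_t` and its denial is logged against `init_t`. A rule derived mechanically from that second record therefore names the wrong source domain; once the `nnp_transition` rule is in place the daemon actually runs as `ladvd_t`, and any remaining denials must be collected and re-derived from that state rather than from the first run.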

Comment 1 Milos Malik 2020-05-11 14:57:51 UTC
I performed basic testing (start, restart, stop) of the ladvd service, and the 2 rules mentioned in comment#0 do not fix the issue. But the following 3 rules do:

allow init_t ladvd_t:process2 nnp_transition;
allow ladvd_t ladvd_t:packet_socket map;
allow ladvd_t ladvd_t:capability kill;

If the above-mentioned rules are present, the ladvd service runs successfully in enforcing mode:

# service ladvd status
Redirecting to /bin/systemctl status ladvd.service
● ladvd.service - LLDP/CDP sender
     Loaded: loaded (/usr/lib/systemd/system/ladvd.service; disabled; vendor pr>
     Active: active (running) since Mon 2020-05-11 16:51:28 CEST; 3s ago
       Docs: man:ladvd(8)
             man:ladvdc(8)
   Main PID: 45077 (ladvd)
      Tasks: 2 (limit: 2330)
     Memory: 1.9M
        CPU: 37ms
     CGroup: /system.slice/ladvd.service
             ├─45077 ladvd: parent [priv]
             └─45088 ladvd: child

May 11 16:51:28 localhost.localdomain systemd[1]: Started LLDP/CDP sender.
May 11 16:51:28 localhost.localdomain ladvd[45088]: ladvd 1.1.2 running
# ps -efZ | grep ladvd
system_u:system_r:ladvd_t:s0    root       45077       1  0 16:51 ?        00:00:00 ladvd: parent [priv]
system_u:system_r:ladvd_t:s0    ladvd      45088   45077  0 16:51 ?        00:00:00 ladvd: child
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 45119 2018  0 16:51 pts/0 00:00:00 grep --color=auto ladvd
#

Comment 2 Tomasz Torcz 2020-05-11 16:30:34 UTC
Thanks for the bug report! I will add these to the policy after some investigation of what exactly they mean.

Comment 3 Fedora Update System 2020-06-16 12:29:13 UTC
FEDORA-2020-6010469bfb has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-6010469bfb

Comment 4 Fedora Update System 2020-06-18 14:13:13 UTC
FEDORA-2020-6010469bfb has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-6010469bfb`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-6010469bfb

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2020-06-26 00:45:16 UTC
FEDORA-2020-6010469bfb has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.