Bug 189749

| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | no access to /proc/sys/net/ipv4/route/flush from openswan | | |
| Product: | [Fedora] Fedora | Reporter: | Artur Lipowski <alipowski> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 5 | CC: | dwalsh |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | i686 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | Current | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2007-03-28 20:02:39 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description

Artur Lipowski
2006-04-24 11:37:45 UTC

fixed in selinux-policy-2.2.38-1.FC5

Still no luck:

```
type=AVC msg=audit(1147344521.251:767): avc: denied { read } for pid=2757 comm="ip" name="urandom" dev=tmpfs ino=1996 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1147344521.251:767): avc: denied { read write } for pid=2757 comm="ip" name="[4421]" dev=sockfs ino=4421 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1147344521.251:767): arch=40000003 syscall=11 success=yes exit=0 a0=9f6b550 a1=9f6b7e0 a2=9f76d18 a3=9f6b490 items=2 pid=2757 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip"
type=AVC_PATH msg=audit(1147344521.251:767): path="socket:[4421]"
type=AVC_PATH msg=audit(1147344521.251:767): path="/dev/urandom"
type=CWD msg=audit(1147344521.251:767): cwd="/"
type=PATH msg=audit(1147344521.251:767): item=0 name="/sbin/ip" flags=101 inode=2107169 dev=08:13 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1147344521.251:767): item=1 flags=101 inode=875465 dev=08:13 mode=0100755 ouid=0 ogid=0 rdev=00:00
```

Could you setenforce 0. Run through a full connection. Grab all the AVC messages and submit them. Thanks.

Dan

Also do you know which daemon is running in the initrc_t context that ip is trying to talk to with unix_stream_socket?

Dan

In enforcing mode:

```
103. 05/17/2006 02:51:19 PM /sbin/ip 11 yes /sbin/ip -1 4605
104. 05/17/2006 02:51:20 PM /sbin/ip 11 yes /sbin/ip -1 4606
105. 05/17/2006 02:51:20 PM /proc/sys/net/ipv4/route/flush 5 no /sbin/ip -1 4607
106. 05/17/2006 02:55:22 PM /sbin/ip 11 yes /sbin/ip -1 161
107. 05/17/2006 02:55:22 PM /sbin/ip 11 yes /sbin/ip -1 162
108. 05/17/2006 02:55:22 PM /sbin/ip 11 yes /sbin/ip -1 163
109. 05/17/2006 02:55:22 PM /proc/sys/net/ipv4/route/flush 5 no /sbin/ip -1 164

752. 05/17/2006 02:51:19 PM ip system_u:system_r:ifconfig_t:s0 11 unix_stream_socket read system_u:object_r:urandom_device_t:s0 denied 4605
753. 05/17/2006 02:51:20 PM ip system_u:system_r:ifconfig_t:s0 11 unix_stream_socket read system_u:object_r:urandom_device_t:s0 denied 4606
754. 05/17/2006 02:51:20 PM ip system_u:system_r:ifconfig_t:s0 5 file write system_u:object_r:sysctl_net_t:s0 denied 4607
755. 05/17/2006 02:51:21 PM ip system_u:system_r:ifconfig_t:s0 102 netlink_xfrm_socket create system_u:system_r:ifconfig_t:s0 denied 4608
```

In permissive mode:

```
137. 05/17/2006 03:31:24 PM /sbin/ip 11 yes /sbin/ip -1 361
138. 05/17/2006 03:31:24 PM /proc/sys/net/ipv4/route/flush 5 yes /sbin/ip -1 362
139. 05/17/2006 03:31:28 PM /sbin/ip 11 yes /sbin/ip 0 373
140. 05/17/2006 03:31:28 PM /proc/sys/net/ipv4/route/flush 5 yes /sbin/ip 0 374

928. 05/17/2006 03:31:24 PM ip system_u:system_r:ifconfig_t:s0 11 unix_stream_socket read system_u:object_r:urandom_device_t:s0 denied 361
929. 05/17/2006 03:31:24 PM ip system_u:system_r:ifconfig_t:s0 5 file write system_u:object_r:sysctl_net_t:s0 denied 362
930. 05/17/2006 03:31:25 PM ip root:system_r:ifconfig_t:s0 102 netlink_xfrm_socket create root:system_r:ifconfig_t:s0 denied 363
931. 05/17/2006 03:31:25 PM ip root:system_r:ifconfig_t:s0 102 netlink_xfrm_socket setopt root:system_r:ifconfig_t:s0 denied 364
932. 05/17/2006 03:31:25 PM ip root:system_r:ifconfig_t:s0 102 netlink_xfrm_socket bind root:system_r:ifconfig_t:s0 denied 365
933. 05/17/2006 03:31:25 PM ip root:system_r:ifconfig_t:s0 102 netlink_xfrm_socket getattr root:system_r:ifconfig_t:s0 denied 366
934. 05/17/2006 03:31:25 PM ip root:system_r:ifconfig_t:s0 102 netlink_xfrm_socket write root:system_r:ifconfig_t:s0 denied 367
935. 05/17/2006 03:31:25 PM ip root:system_r:ifconfig_t:s0 102 netlink_xfrm_socket read root:system_r:ifconfig_t:s0 denied 368
936. 05/17/2006 03:31:28 PM ip root:system_r:ifconfig_t:s0 11 unix_stream_socket read system_u:object_r:urandom_device_t:s0 denied 373
937. 05/17/2006 03:31:28 PM ip root:system_r:ifconfig_t:s0 5 file write system_u:object_r:sysctl_net_t:s0 denied 374
```

Apropos "talking" to unix_stream_socket. Here is a full list of "normal" processes on this server.

```
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:01 init [3]
    2 ?        S      0:00 [migration/0]
    3 ?        SN     0:00 [ksoftirqd/0]
    4 ?        S      0:00 [watchdog/0]
    5 ?        S      0:00 [migration/1]
    6 ?        SN     0:00 [ksoftirqd/1]
    7 ?        S      0:00 [watchdog/1]
    8 ?        S<     0:00 [events/0]
    9 ?        S<     0:00 [events/1]
   10 ?        S<     0:00 [khelper]
   11 ?        S<     0:00 [kthread]
   14 ?        S<     0:00 [kblockd/0]
   15 ?        S<     0:00 [kblockd/1]
   16 ?        S<     0:00 [kacpid]
  143 ?        S      0:00 [pdflush]
  144 ?        S      0:02 [pdflush]
  145 ?        S      0:00 [kswapd0]
  146 ?        S<     0:00 [aio/0]
  147 ?        S<     0:00 [aio/1]
  225 ?        S<     0:00 [kseriod]
  264 ?        S<     0:00 [ata/0]
  265 ?        S<     0:00 [ata/1]
  267 ?        S<     0:00 [scsi_eh_0]
  268 ?        S<     0:00 [scsi_eh_1]
  282 ?        S      0:00 [kirqd]
  288 ?        S      0:00 [kjournald]
  354 ?        S<s    0:00 /sbin/udevd -d
  512 ?        S<     0:00 [kpsmoused]
  864 ?        S      0:00 [kjournald]
  866 ?        S      0:18 [kjournald]
  946 ?        Ss     0:00 cpuspeed -d -n
  947 ?        S      0:00 cpuspeed -d -n
 1315 ?        S<sl   0:03 auditd
 1317 ?        S<     0:00 [kauditd]
 1328 ?        Ss     0:09 syslogd -m 0
 1331 ?        Ss     0:00 klogd -x
 1340 ?        Ss     0:03 irqbalance
 1347 ?        Ssl    0:00 dbus-daemon --system
 1356 ?        Ss     0:00 /usr/sbin/acpid
 1585 ?        Ss     0:02 /usr/sbin/sshd
 1640 ?        Ss     0:00 /usr/sbin/apcupsd -f /etc/apcupsd/apcupsd.conf
 1648 ?        Ss     0:00 crond
 1710 ?        Ss     0:00 /usr/sbin/atd
 1718 ?        Ss     0:02 hald
 1719 ?        S      0:00 hald-runner
 1725 ?        S      0:00 /usr/libexec/hald-addon-acpi
 1729 ?        S      0:00 /usr/libexec/hald-addon-keyboard
 1738 ?        S      0:08 /usr/libexec/hald-addon-storage
 1745 tty2     Ss+    0:00 /sbin/mingetty tty2
 1746 tty3     Ss+    0:00 /sbin/mingetty tty3
 1747 tty4     Ss+    0:00 /sbin/mingetty tty4
 1748 tty5     Ss+    0:00 /sbin/mingetty tty5
 1749 tty6     Ss+    0:00 /sbin/mingetty tty6
 1838 tty1     Ss+    0:00 /sbin/mingetty tty1
 2132 ?        Ss     0:00 squid -D
 2134 ?        S      0:58 (squid) -D
 2136 ?        Ss     0:01 (unlinkd)
 2278 ?        S      0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes
 2279 ?        S      0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes
 2280 ?        S      0:00 logger -s -p daemon.error -t ipsec__plutorun
 2281 ?        S      0:00 /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqu
 2282 ?        S      0:00 /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
 2286 ?        SN     0:00 pluto helper # 0
 2316 ?        S      0:00 _pluto_adns
 9149 ?        Ss     0:02 sshd: root@pts/0
 9153 pts/0    Ss     0:00 -bash
 9538 pts/0    R+     0:00 ps ax
```

Can you do the ps list with a -Z? I want to see which processes are running as initrc_t. Also, can you attach the AVC messages from /var/log/messages.

Closing bugs
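The denials in this thread, worked through as an added example (this is not code from the bug or from the Fedora policy): a small Python parser that reduces raw AVC records to the allow rules audit2allow would propose, and shows why the permissive-mode run was requested, since in enforcing mode the first denial aborts ip and hides the later netlink_xfrm_socket ones. The log text is constructed from the records quoted above (the sysctl and netlink denials are rewritten in raw AVC form, with made-up audit IDs and inode numbers).

```python
import re
from collections import defaultdict

# Constructed sample AVC records modelled on this bug's denials: ifconfig_t
# is the domain of /sbin/ip; contexts are as reported in the thread.
ENFORCING_LOG = """\
type=AVC msg=audit(1147344521.251:767): avc: denied { read } for pid=2757 comm="ip" name="urandom" dev=tmpfs ino=1996 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1147344521.251:767): avc: denied { read write } for pid=2757 comm="ip" name="[4421]" dev=sockfs ino=4421 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1147344522.010:768): avc: denied { write } for pid=2757 comm="ip" name="flush" dev=proc ino=4607 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
"""
# In permissive mode the write to route/flush no longer aborts ip, so the
# netlink_xfrm_socket operations that follow it are logged as well.
PERMISSIVE_LOG = ENFORCING_LOG + """\
type=AVC msg=audit(1147347085.100:900): avc: denied { create } for pid=2801 comm="ip" scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:ifconfig_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1147347085.100:900): avc: denied { setopt bind getattr write read } for pid=2801 comm="ip" scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:ifconfig_t:s0 tclass=netlink_xfrm_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def domain_type(context):
    """user:role:type:level -> type, the component allow rules are written on."""
    return context.split(":")[2]

def parse_denials(log):
    """Return {(source_type, target_type, tclass): set(perms)} for every AVC denial."""
    rules = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (domain_type(m["scontext"]), domain_type(m["tcontext"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return rules

def allow_rules(rules):
    """Render the summary as policy allow statements, one per (source, target, class)."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in rules.items())

def only_in_permissive(enforcing_log, permissive_log):
    """Permissions that surface only once earlier denials stop aborting the command."""
    enf, perm = parse_denials(enforcing_log), parse_denials(permissive_log)
    extra = {k: p - enf.get(k, set()) for k, p in perm.items()}
    return {k: p for k, p in extra.items() if p}

if __name__ == "__main__":
    print("\n".join(allow_rules(parse_denials(PERMISSIVE_LOG))))
    print("hidden in enforcing mode:", only_in_permissive(ENFORCING_LOG, PERMISSIVE_LOG))
```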