Bug 2028379
| Summary: | lldpd with option to use tcp is not allowed to create a tcp socket | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Welterlen Benoit <bwelterl> | |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 8.4 | CC: | lvrabec, mmalik, ssekidde | |
| Target Milestone: | rc | Keywords: | AutoVerified, Triaged | |
| Target Release: | 8.6 | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.14.3-85.el8 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2028561 (view as bug list) | Environment: | ||
| Last Closed: | 2022-05-10 15:15:45 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/960 submitted this module to the customer:
---
policy_module(local_lldpad_tcp, 1.0)
gen_require(`
type lldpad_t;
')
allow lldpad_t self:tcp_socket { create_socket_perms accept listen };
---
Note access to agentx_port_t will be required to add, too. It's mentioned in the daemon man page. # rpm -qa selinux\* lldpd\* | sort
lldpd-1.0.1-2.el8.x86_64
selinux-policy-3.14.3-83.el8.noarch
selinux-policy-targeted-3.14.3-83.el8.noarch
#
Following SELinux denial appears in enforcing mode:
----
type=PROCTITLE msg=audit(12/02/2021 08:23:32.888:328) : proctitle=/usr/sbin/lldpd -i -k -X tcp:127.0.0.1:705
type=SYSCALL msg=audit(12/02/2021 08:23:32.888:328) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=inet a1=SOCK_STREAM a2=ip a3=0x0 items=0 ppid=5499 pid=5501 auid=unset uid=lldpd gid=lldpd euid=lldpd suid=lldpd fsuid=lldpd egid=lldpd sgid=lldpd fsgid=lldpd tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null)
type=AVC msg=audit(12/02/2021 08:23:32.888:328) : avc: denied { create } for pid=5501 comm=lldpd scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:lldpad_t:s0 tclass=tcp_socket permissive=0
----
Following SELinux denials appear in permissive mode:
----
type=PROCTITLE msg=audit(12/02/2021 08:24:45.363:336) : proctitle=/usr/sbin/lldpd -i -k -X tcp:127.0.0.1:705
type=SYSCALL msg=audit(12/02/2021 08:24:45.363:336) : arch=x86_64 syscall=socket success=yes exit=16 a0=inet a1=SOCK_STREAM a2=ip a3=0x0 items=0 ppid=5543 pid=5545 auid=unset uid=lldpd gid=lldpd euid=lldpd suid=lldpd fsuid=lldpd egid=lldpd sgid=lldpd fsgid=lldpd tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null)
type=AVC msg=audit(12/02/2021 08:24:45.363:336) : avc: denied { create } for pid=5545 comm=lldpd scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:lldpad_t:s0 tclass=tcp_socket permissive=1
----
type=PROCTITLE msg=audit(12/02/2021 08:24:45.363:337) : proctitle=/usr/sbin/lldpd -i -k -X tcp:127.0.0.1:705
type=SOCKADDR msg=audit(12/02/2021 08:24:45.363:337) : saddr={ saddr_fam=inet laddr=127.0.0.1 lport=705 }
type=SYSCALL msg=audit(12/02/2021 08:24:45.363:337) : arch=x86_64 syscall=connect success=no exit=ECONNREFUSED(Connection refused) a0=0x10 a1=0x7fff4b141570 a2=0x10 a3=0x0 items=0 ppid=5543 pid=5545 auid=unset uid=lldpd gid=lldpd euid=lldpd suid=lldpd fsuid=lldpd egid=lldpd sgid=lldpd fsgid=lldpd tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null)
type=AVC msg=audit(12/02/2021 08:24:45.363:337) : avc: denied { name_connect } for pid=5545 comm=lldpd dest=705 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:agentx_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(12/02/2021 08:24:45.363:337) : avc: denied { connect } for pid=5545 comm=lldpd scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:lldpad_t:s0 tclass=tcp_socket permissive=1
----
If the snmpd service is running and is configured in the following way:
# tail -n 3 /etc/snmp/snmpd.conf
master agentx
agentXSocket tcp:localhost:705
#
then the restart of lldpd service triggers an additional SELinux denial:
----
type=PROCTITLE msg=audit(12/02/2021 10:12:04.979:464) : proctitle=/usr/sbin/lldpd -i -k -X tcp:127.0.0.1:705
type=SYSCALL msg=audit(12/02/2021 10:12:04.979:464) : arch=x86_64 syscall=getsockopt success=yes exit=0 a0=0x10 a1=SOL_SOCKET a2=SO_SNDBUF a3=0x7ffd61d3d590 items=0 ppid=7386 pid=7388 auid=unset uid=lldpd gid=lldpd euid=lldpd suid=lldpd fsuid=lldpd egid=lldpd sgid=lldpd fsgid=lldpd tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null)
type=AVC msg=audit(12/02/2021 10:12:04.979:464) : avc: denied { getopt } for pid=7388 comm=lldpd laddr=127.0.0.1 lport=58606 faddr=127.0.0.1 fport=705 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:lldpad_t:s0 tclass=tcp_socket permissive=1
----
(In reply to Zdenek Pytela from comment #3) > It's mentioned in the daemon man page. I should have been more clear here. lldpd(8) explicitly mentions tcp socket usage on port 705: -X socket Enable SNMP subagent using the specified socket. lldpd will enable an SNMP sub- agent using AgentX protocol for the given socket. This option implies the previous one. The default socket is usually /var/agentx/master. You can specify a socket like tcp:127.0.0.1:705 for example. Since the process that will open this socket is enclosed in a chroot, you need to specify an IP address (not a hostname) when using a TCP or UDP socket. so it makes sense allow both permission groups. All the AVC denials found should be addressed by the existing commit. To backport:
commit c0b38cf988df48613209e48007eefd748480d52f (HEAD -> rawhide, upstream/rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date: Thu Dec 2 10:55:46 2021 +0100
Allow lldpd use an snmp subagent over a tcp socket
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:1995 |
Description of problem: When using these options in /etc/sysconfig/lldpd, lldpd tries to create a tcp socket instead of udp: --- LLDPD_OPTIONS="-i -k -X tcp:127.0.0.1:705" --- - The AVC is: --- type=1400 msg=audit(1636718760.332:12259730): pid=2754 comm=lldpd scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:lldpad_t:s0 tclass=tcp_socket permissive=0 --- - lldpd is allowed for udp socket: --- sesearch -A -s lldpad_t -t lldpad_t | grep sock allow daemon daemon:unix_stream_socket connectto; [ daemons_enable_cluster_mode ]:True allow lldpad_t lldpad_t:netlink_route_socket { append bind connect create getattr getopt ioctl lock nlmsg_read nlmsg_write read setattr setopt shutdown write }; allow lldpad_t lldpad_t:packet_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write }; allow lldpad_t lldpad_t:udp_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write }; allow lldpad_t lldpad_t:unix_dgram_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write }; allow lldpad_t lldpad_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock read setattr setopt shutdown write }; --- Version-Release number of selected component (if applicable): RHEL 8.4 How reproducible: always Steps to Reproduce: 1. configure lldpd with LLDPD_OPTIONS="-i -k -X tcp:127.0.0.1:705" 2. 3. Actual results: AVC and lldpd not allowed to create tcp socket Expected results: No AVC and lldpd allowed to run Additional info: