Bug 214921

Summary: Activating network card via Network Configuration triggers SELinux denial.
Product: [Fedora] Fedora
Reporter: Casper Gasper <casper.gasper>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 6
CC: rvokal
Hardware: i386   
OS: Linux   
Fixed In Version: 1.33.2-2.fc6.
Doc Type: Bug Fix
Last Closed: 2006-11-27 18:43:14 UTC

Description Casper Gasper 2006-11-09 23:17:48 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8.0.8) Gecko/20061107 Fedora/1.5.0.8-1.fc6 Firefox/1.5.0.8

Description of problem:
Activating a de-activated network device by clicking on "Activate" in the system-config-network tool triggers an SELinux denial.

From Setroubleshoot:
Summary: 
SELinux is preventing /sbin/ifconfig (ifconfig_t) "write" to pipe:[14416](unconfined_t).

Additional Information:
Source Context system_u:system_r:ifconfig_t
Target Context system_u:system:r:unconfined_t
Target Objects pipe:[14416][fifo_file]
Affected RPM Packages net-tools-1.60-73 [application]
Policy RPM selinux-policy-2.4.3-2.fc6
Selinux Enabled True
Policy type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall
Host Name pinky.caspergasper.com
Platform Linux pinky.caspergasper.com 2.6.18-1.2835.fc6 #1 SMP Thu Nov 2 01:41:42 EST 2006 i686 i686

Here are the messages from audit.log:

type=AVC msg=audit(1163111169.659:41): avc:  denied  { read } for  pid=3403 comm="ifconfig" name="[12837]" dev=pipefs ino=12837 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_file
type=AVC msg=audit(1163111169.659:41): avc:  denied  { write } for  pid=3403 comm="ifconfig" name="[12837]" dev=pipefs ino=12837 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_file



Version-Release number of selected component (if applicable):
net-tools-1.60-73

How reproducible:
Always


Steps to Reproduce:
1. Set SELinux in enforcing mode.
2. Open network configuration tool.
3. De-activate and then re-activate network interface.

Actual Results:
SELinux denied a read and a write to a fifo pipe. 

Expected Results:
No denial.

Additional info:

Comment 1 Radek Vokál 2006-11-10 07:54:43 UTC
Reassigning to selinux guys. Also reproducible on RHEL5

Comment 2 Daniel Walsh 2006-11-10 13:14:29 UTC
What program did you use to login?  Could you check the context of the program, ie
ps -eZ | grep gdm  (Or whatever the login app was?)

Comment 3 Casper Gasper 2006-11-10 22:21:22 UTC
(In reply to comment #2)
> What program did you use to login?  Could you check the context of the program, ie
> ps -eZ | grep gdm  (Or whatever the login app was?)

system_u:system_r:xdm_t:SystemLow-SystemHigh 2385 ? 00:00:00 gdm-binary
system_u:system_r:xdm_t:SystemLow-SystemHigh 2453 ? 00:00:00 gdm-binary
system_u:system_r:xdm_t:SystemLow-SystemHigh 2457 ? 00:00:00 gdm-binary

I get this same error with both my laptop and desktop machines.  




Comment 4 Casper Gasper 2006-11-25 00:24:45 UTC
Appears to be fixed now with policycoreutils.i386 1.33.2-2.fc6.
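
For triage of denials like the two in the description, the following added example (not part of the original report, and not code from setroubleshoot or the policy project) parses AVC records and groups the denied permissions by command, source type, target type and object class. The sample input is the two AVC records from the description, embedded hard-wrapped at 80 columns mid-token, a common state for pasted audit.log excerpts; the function names and the rule that every record starts with "type=" are assumptions of this example.

```python
import re
from collections import defaultdict

# The two AVC records from the report, still hard-wrapped at 80 columns.
RAW_LOG = '''\
type=AVC msg=audit(1163111169.659:41): avc:  denied  { read } for  pid=3403 comm
="ifconfig" name="[12837]" dev=pipefs ino=12837 scontext=system_u:system_r:ifcon
fig_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_file
type=AVC msg=audit(1163111169.659:41): avc:  denied  { write } for  pid=3403 com
m="ifconfig" name="[12837]" dev=pipefs ino=12837 scontext=system_u:system_r:ifco
nfig_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_file
'''
AVC_RE = re.compile(r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Rejoin wrapped records; assumes every record starts with 'type='."""
    records = []
    for line in text.splitlines():
        if line.startswith('type=') or not records:
            records.append(line)
        else:
            records[-1] += line  # the wrap split mid-token, so add no space
    return records

def parse_avc(record):
    """Return the fields of one AVC denial, or None for other record types."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m['fields'])}
    fields['perms'] = m['perms'].split()
    fields['event'] = (m['ts'], m['serial'])
    return fields

def summarize(text):
    """Group denied permissions by (comm, source type, target type, class)."""
    groups = defaultdict(set)
    for avc in filter(None, map(parse_avc, unwrap(text))):
        # An SELinux context is user:role:type[:level]; the type is field 3.
        src, tgt = (avc[k].split(':')[2] for k in ('scontext', 'tcontext'))
        groups[(avc['comm'], src, tgt, avc['tclass'])].update(avc['perms'])
    return {key: sorted(perms) for key, perms in groups.items()}

if __name__ == '__main__':
    for (comm, src, tgt, cls), perms in summarize(RAW_LOG).items():
        print(f'{comm}: {src} -> {tgt}:{cls} {{ {" ".join(perms)} }}')
```

Both records share event serial 41, so they collapse into one group: ifconfig running as ifconfig_t was denied read and write on a fifo_file owned by unconfined_t.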