Bug 219739
| Summary: | SELinux is preventing /usr/sbin/irqbalance (irqbalance_t) access to net (proc_net_t) | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Gerry Reno <greno> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6 | CC: | djuran, dwalsh, luke, nmiell, piergiorgio.sartor |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | Current | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2007-08-22 14:12:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Gerry Reno
2006-12-15 02:43:07 UTC
I can confirm this one; it happens to me as well, since the last selinux update. This is an extract from /var/log/message, with grep irqbalance and audit. Please note the embedded comments below.

Start of the PC after upgrading the selinux stuff:

Dec 15 09:29:33 rain2 kernel: audit(1166171360.001:4): avc: denied { search } for pid=2003 comm="irqbalance" name="net" dev=proc ino=-268435432 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
Dec 15 09:29:34 rain2 kernel: audit(1166171369.555:5): avc: denied { search } for pid=2003 comm="irqbalance" name="net" dev=proc ino=-268435432 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
Dec 15 09:29:39 rain2 kernel: audit(1166171379.001:6): avc: denied { search } for pid=2003 comm="irqbalance" name="net" dev=proc ino=-268435432 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir

... and so on. I have more, but I think this is enough.

Tried to set the /usr/sbin/irqbalance context to unconfined_t, as a result of some research. Stopped irqbalance and then chcon -t ...

Dec 15 09:43:21 rain2 kernel: audit(1166172201.454:19): avc: denied { relabelto } for pid=3128 comm="chcon" name="irqbalance" dev=dm-0 ino=3746247 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unconfined_t:s0 tclass=file
Dec 15 09:43:37 rain2 kernel: audit(1166172217.876:20): avc: denied { relabelto } for pid=3130 comm="chcon" name="irqbalance" dev=dm-0 ino=3746247 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unconfined_t:s0 tclass=file

Reboot, just to be sure...

Dec 15 09:53:06 rain2 kernel: audit(1166172775.532:3): avc: denied { search } for pid=2001 comm="irqbalance" name="net" dev=proc ino=-268435432 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
Dec 15 09:53:07 rain2 kernel: audit(1166172775.532:4): avc: denied { read } for pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:07 rain2 kernel: audit(1166172775.532:5): avc: denied { getattr } for pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:07 rain2 kernel: audit(1166172775.533:6): avc: denied { create } for pid=2001 comm="irqbalance" scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 09:53:07 rain2 kernel: audit(1166172775.533:7): avc: denied { ioctl } for pid=2001 comm="irqbalance" name="[8830]" dev=sockfs ino=8830 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 09:53:07 rain2 kernel: audit(1166172775.533:8): avc: denied { net_admin } for pid=2001 comm="irqbalance" capability=12 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=capability
Dec 15 09:53:07 rain2 kernel: audit(1166172785.001:9): avc: denied { search } for pid=2001 comm="irqbalance" name="net" dev=proc ino=-268435432 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
Dec 15 09:53:07 rain2 kernel: audit(1166172785.001:10): avc: denied { read } for pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:07 rain2 kernel: audit(1166172785.001:11): avc: denied { getattr } for pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:35 rain2 kernel: audit(1166172815.001:12): avc: denied { read } for pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:35 rain2 kernel: audit(1166172815.002:13): avc: denied { getattr } for pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

Set SELinux to permissive mode and rebooted.

Dec 15 09:58:15 rain2 kernel: audit(1166173095.001:14): avc: denied { create } for pid=2001 comm="irqbalance" scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 09:58:15 rain2 kernel: audit(1166173095.001:15): avc: denied { ioctl } for pid=2001 comm="irqbalance" name="[12025]" dev=sockfs ino=12025 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 09:58:15 rain2 kernel: audit(1166173095.001:16): avc: denied { net_admin } for pid=2001 comm="irqbalance" capability=12 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=capability
Dec 15 10:03:35 rain2 kernel: audit(1166173415.001:17): avc: denied { create } for pid=2001 comm="irqbalance" scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 10:03:35 rain2 kernel: audit(1166173415.001:18): avc: denied { ioctl } for pid=2001 comm="irqbalance" name="[12460]" dev=sockfs ino=12460 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket

As you can see, after trying the chcon the denial is no longer only { search }; there is something more as well.

So, apart from the original denial problem, do the denials after chcon (which seems to have failed) show that something is broken? Thanks.

Fixed in selinux-policy-2.4.6-13

Fixed in current release
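The AVC records quoted in this report can be summarised mechanically, in the way audit2allow does, to see what the policy is actually refusing before deciding whether a policy fix is warranted. The following is an added example, not code from the bug report or from the selinux-policy package. The sample log lines are constructed from the records above; the regular expressions, the function names and the rule output format are this example's own assumptions. Two points the summary makes visible: in enforcing mode irqbalance stops at the first refused access (the proc_net_t search), so later denials only appear once that one is allowed or the system is permissive, which is why the permissive-mode log shows more classes; and the relabelto denial comes from labelling a file with unconfined_t, a process domain rather than a file type, so that record should be dropped rather than turned into a rule.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the records quoted in the bug report.
# The last line is deliberately not an AVC record, to show it is skipped.
SAMPLE_LOG = """\
Dec 15 09:53:06 rain2 kernel: audit(1166172775.532:3): avc: denied { search } for pid=2001 comm="irqbalance" name="net" dev=proc ino=-268435432 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
Dec 15 09:53:07 rain2 kernel: audit(1166172775.532:4): avc: denied { read } for pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:07 rain2 kernel: audit(1166172775.532:5): avc: denied { getattr } for pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:07 rain2 kernel: audit(1166172775.533:6): avc: denied { create } for pid=2001 comm="irqbalance" scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 09:53:07 rain2 kernel: audit(1166172775.533:8): avc: denied { net_admin } for pid=2001 comm="irqbalance" capability=12 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=capability
Dec 15 09:43:21 rain2 kernel: audit(1166172201.454:19): avc: denied { relabelto } for pid=3128 comm="chcon" name="irqbalance" dev=dm-0 ino=3746247 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unconfined_t:s0 tclass=file
Dec 15 09:53:07 rain2 kernel: some unrelated kernel message
"""

# Matches the "avc: denied { perms } for key=value ..." part of a record.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'pid': fields.get('pid'),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
    }


def context_type(context):
    """user:role:type[:range] -> type (the third colon-separated field)."""
    return context.split(':')[2]


def summarize(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        summary[key].update(rec['perms'])
    return dict(summary)


def to_allow_rules(summary):
    """Render candidate policy rules in audit2allow style; 'self' when source == target."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        target = 'self' if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == '__main__':
    for rule in to_allow_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

The generated rules are candidates, not a fix: each one should be read against what the daemon legitimately needs. Here the proc_net_t and capability lines describe irqbalance reading /proc/net/dev and tuning IRQ affinity, which is the behaviour the maintainer's policy update covers, while the unconfined_t relabelto line records a failed relabel attempt and has no place in a policy module.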