Bug 219739

Summary: SELinux is preventing /usr/sbin/irqbalance (irqbalance_t) access to net (proc_net_t)
Product: Fedora
Reporter: Gerry Reno <greno>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 6
CC: djuran, dwalsh, luke, nmiell, piergiorgio.sartor
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: Current
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2007-08-22 14:12:09 UTC
Type: ---

Description Gerry Reno 2006-12-15 02:43:07 UTC
Description of problem:
setroubleshoot alerts:
SELinux is preventing /usr/sbin/irqbalance (irqbalance_t) access to net (proc_net_t)

This just started happening.  I have no clue what caused it to start.  The only
thing I did today was install about 24 packages that it was requesting me to
install.


Version-Release number of selected component (if applicable):
I'm not even sure what component is the problem, selinux or irqbalance:
selinux-policy-2.4.6-7.fc6
irqbalance-0.55-2.fc6

How reproducible:
every login every user


Steps to Reproduce:
1. login
Actual results:


Expected results:
no avc violation

Additional info:

Comment 1 Piergiorgio Sartor 2006-12-15 19:23:34 UTC
I can confirm this one; it happens to me as well, since the last selinux update.
This is an extract from /var/log/message, with grep irqbalance and audit.
Please note the embedded comments below.

Start of the PC after upgrading selinux stuff:

Dec 15 09:29:33 rain2 kernel: audit(1166171360.001:4): avc:  denied  { search }
for  pid=2003 comm="irqbalance" name="net" dev=proc ino=-268435432
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
Dec 15 09:29:34 rain2 kernel: audit(1166171369.555:5): avc:  denied  { search }
for  pid=2003 comm="irqbalance" name="net" dev=proc ino=-268435432
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
Dec 15 09:29:39 rain2 kernel: audit(1166171379.001:6): avc:  denied  { search }
for  pid=2003 comm="irqbalance" name="net" dev=proc ino=-268435432
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
...

and so on, I have more, but I think this is enough.

I tried to set the /usr/sbin/irqbalance context to unconfined_t, as a result of some research.
Stopped irqbalance and then chcon -t ...

Dec 15 09:43:21 rain2 kernel: audit(1166172201.454:19): avc:  denied  {
relabelto } for  pid=3128 comm="chcon" name="irqbalance" dev=dm-0 ino=3746247
scontext=root:system_r:unconfined_t:s0-s0:c0.c1023
tcontext=system_u:object_r:unconfined_t:s0 tclass=file
Dec 15 09:43:37 rain2 kernel: audit(1166172217.876:20): avc:  denied  {
relabelto } for  pid=3130 comm="chcon" name="irqbalance" dev=dm-0 ino=3746247
scontext=root:system_r:unconfined_t:s0-s0:c0.c1023
tcontext=system_u:object_r:unconfined_t:s0 tclass=file

Reboot, just to be sure...

Dec 15 09:53:06 rain2 kernel: audit(1166172775.532:3): avc:  denied  { search }
for  pid=2001 comm="irqbalance" name="net" dev=proc ino=-268435432
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
Dec 15 09:53:07 rain2 kernel: audit(1166172775.532:4): avc:  denied  { read }
for  pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:07 rain2 kernel: audit(1166172775.532:5): avc:  denied  { getattr }
for  pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:07 rain2 kernel: audit(1166172775.533:6): avc:  denied  { create }
for  pid=2001 comm="irqbalance" scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 09:53:07 rain2 kernel: audit(1166172775.533:7): avc:  denied  { ioctl }
for  pid=2001 comm="irqbalance" name="[8830]" dev=sockfs ino=8830
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 09:53:07 rain2 kernel: audit(1166172775.533:8): avc:  denied  { net_admin
} for  pid=2001 comm="irqbalance" capability=12
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:system_r:irqbalance_t:s0 tclass=capability
Dec 15 09:53:07 rain2 kernel: audit(1166172785.001:9): avc:  denied  { search }
for  pid=2001 comm="irqbalance" name="net" dev=proc ino=-268435432
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
Dec 15 09:53:07 rain2 kernel: audit(1166172785.001:10): avc:  denied  { read }
for  pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:07 rain2 kernel: audit(1166172785.001:11): avc:  denied  { getattr
} for  pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:35 rain2 kernel: audit(1166172815.001:12): avc:  denied  { read }
for  pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:35 rain2 kernel: audit(1166172815.002:13): avc:  denied  { getattr
} for  pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file

Setting selinux to permissive mode and reboot.

Dec 15 09:58:15 rain2 kernel: audit(1166173095.001:14): avc:  denied  { create }
for  pid=2001 comm="irqbalance" scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 09:58:15 rain2 kernel: audit(1166173095.001:15): avc:  denied  { ioctl }
for  pid=2001 comm="irqbalance" name="[12025]" dev=sockfs ino=12025
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 09:58:15 rain2 kernel: audit(1166173095.001:16): avc:  denied  {
net_admin } for  pid=2001 comm="irqbalance" capability=12
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:system_r:irqbalance_t:s0 tclass=capability
Dec 15 10:03:35 rain2 kernel: audit(1166173415.001:17): avc:  denied  { create }
for  pid=2001 comm="irqbalance" scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 10:03:35 rain2 kernel: audit(1166173415.001:18): avc:  denied  { ioctl }
for  pid=2001 comm="irqbalance" name="[12460]" dev=sockfs ino=12460
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket

As you can see, after trying the chcon the denial is no longer only { search }
but includes more.
So, apart from the original denial problem, do the denials after chcon (which
seems to have failed) show that something is broken?

Thanks.
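
A small parser for the AVC records quoted in the comment above, added here as an example (not code from the report or from the selinux-policy package). It aggregates denials per source type, target type and object class the way audit2allow does before emitting allow rules, and lets the caller restrict the output to one domain so the unrelated relabelto denial from the failed chcon (unconfined_t) is not turned into policy. The sample log is constructed from the lines in this comment, re-joined onto single lines.

```python
import re
from collections import defaultdict
# Added example (not from the bug report or selinux-policy): parse AVC denial
# records and aggregate them the way audit2allow does before emitting rules.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Constructed sample: denials quoted in Comment 1, re-joined onto single lines
# (syslog wrapped them in the report); not a capture from a live system.
SAMPLE_LOG = """\
Dec 15 09:53:06 rain2 kernel: audit(1166172775.532:3): avc:  denied  { search } for  pid=2001 comm="irqbalance" name="net" dev=proc ino=-268435432 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
Dec 15 09:53:07 rain2 kernel: audit(1166172775.532:4): avc:  denied  { read } for  pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:07 rain2 kernel: audit(1166172775.532:5): avc:  denied  { getattr } for  pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:07 rain2 kernel: audit(1166172775.533:6): avc:  denied  { create } for  pid=2001 comm="irqbalance" scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 09:53:07 rain2 kernel: audit(1166172775.533:8): avc:  denied  { net_admin } for  pid=2001 comm="irqbalance" capability=12 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=capability
Dec 15 09:43:21 rain2 kernel: audit(1166172201.454:19): avc:  denied  { relabelto } for  pid=3128 comm="chcon" name="irqbalance" dev=dm-0 ino=3746247 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unconfined_t:s0 tclass=file
"""

def type_of(context):
    """Type field of a context: system_u:system_r:irqbalance_t:s0 -> irqbalance_t."""
    return context.split(":")[2]

def parse_avc(line):
    """Return a dict of the AVC fields, or None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())  # "{ read getattr }" -> {"read", "getattr"}
    return rec

def summarise(log):
    """Map (source type, target type, class) -> union of the denied permissions."""
    rules = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            rules[key] |= rec["perms"]
    return dict(rules)

def allow_rules(log, source=None):
    """Candidate allow rules, sorted; 'source' restricts output to one domain so
    unrelated denials (here the failed chcon from unconfined_t) are left out."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summarise(log).items())
            if source is None or s == source]
```

Review each candidate rule rather than loading the whole set as a local module; the capability net_admin entry in particular grants far more than the proc_net_t search the daemon was denied.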

Comment 2 Daniel Walsh 2006-12-18 21:07:58 UTC
Fixed in selinux-policy-2.4.6-13

Comment 3 Daniel Walsh 2007-08-22 14:12:09 UTC
Fixed in current release