Bug 355521
| Field | Value |
|---|---|
| Summary | ping6 policy does not allow creating netlink socket |
| Product | [Fedora] Fedora |
| Component | selinux-policy |
| Version | rawhide |
| Hardware | All |
| OS | Linux |
| Status | CLOSED CURRENTRELEASE |
| Severity | low |
| Priority | low |
| Reporter | Ulrich Drepper <drepper> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | pekkas |
| Fixed In Version | Current |
| Doc Type | Bug Fix |
| Last Closed | 2008-01-30 19:18:29 UTC |

Description
Ulrich Drepper
2007-10-27 23:04:15 UTC
Created attachment 240761
AVC as reported in setroubleshoot browser

Fixed in selinux-policy-3.0.8-40.fc8

This fix doesn't appear to be complete or doesn't work, because with -44.fc8 I get the following (this is about "create" but I also get alerts for "bind", "write" and "read"):

Summary
SELinux is preventing /bin/ping6 (ping_t) "create" to <Unknown> (ping_t).

Detailed Description
SELinux denied access requested by /bin/ping6. It is not expected that this access is required by /bin/ping6 and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context         system_u:system_r:ping_t
Target Context         system_u:system_r:ping_t
Target Objects         None [ netlink_route_socket ]
Affected RPM Packages  iputils-20070202-5.fc8 [application]
Policy RPM             selinux-policy-3.0.8-44.fc8
Selinux Enabled        True
Policy Type            targeted
MLS Enabled            True
Enforcing Mode         Permissive
Plugin Name            plugins.catchall
Host Name              home
Platform               Linux home 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686 i686
Alert Count            1
First Seen             Sun 11 Nov 2007 05:28:42 PM EET
Last Seen              Sun 11 Nov 2007 05:28:42 PM EET
Local ID               b05e7345-144f-4a5c-b260-cb6883b57e5c
Line Numbers

Raw Audit Messages
avc: denied { create } for comm=ping6 egid=500 euid=500 exe=/bin/ping6 exit=4 fsgid=500 fsuid=500 gid=500 items=0 pid=23618 scontext=system_u:system_r:ping_t:s0 sgid=500 subj=system_u:system_r:ping_t:s0 suid=500 tclass=netlink_route_socket tcontext=system_u:system_r:ping_t:s0 tty=pts2 uid=500

Could you try selinux-policy-3.0.8-47.fc8 or later.

Bulk closing all bugs in Fedora updates in the modified state.
If your bug is not fixed, please reopen.
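
How the raw audit message quoted in this report maps to a candidate type-enforcement rule for review, as an added example (not code from the bug report or from selinux-policy, and not the fix that shipped). The function names are hypothetical, the `self` target form follows what audit2allow prints when source and target types match, and the bind/write/read records are constructed because the page gives only the "create" line.

```python
import re
from collections import defaultdict

# Raw audit message copied from the report above.
AVC_FROM_REPORT = (
    "avc: denied { create } for comm=ping6 egid=500 euid=500 exe=/bin/ping6 "
    "exit=4 fsgid=500 fsuid=500 gid=500 items=0 pid=23618 "
    "scontext=system_u:system_r:ping_t:s0 sgid=500 "
    "subj=system_u:system_r:ping_t:s0 suid=500 tclass=netlink_route_socket "
    "tcontext=system_u:system_r:ping_t:s0 tty=pts2 uid=500"
)
# Constructed records for the other denials the comment mentions (bind, write,
# read); their raw audit lines are not on the page.
CONSTRUCTED = [AVC_FROM_REPORT.replace("{ create }", "{ %s }" % p)
               for p in ("bind", "write", "read")]

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")


def context_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one AVC denial into (source type, target type, class, perms)."""
    match = AVC_RE.search(line)
    if not match:
        return None
    perms = match.group(1).split()
    fields = dict(kv.split("=", 1) for kv in match.group(2).split() if "=" in kv)
    source = context_type(fields.get("scontext", ""))
    target = context_type(fields.get("tcontext", ""))
    tclass = fields.get("tclass")
    if not (source and target and tclass and perms):
        return None  # incomplete record: do not guess a rule from it
    return source, target, tclass, perms


def te_rules(lines):
    """Merge denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for source, target, tclass, perms in filter(None, map(parse_avc, lines)):
        merged[(source, target, tclass)].update(perms)
    rules = []
    for (source, target, tclass), perms in sorted(merged.items()):
        target = "self" if target == source else target
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ %s }" % " ".join(names)
        rules.append("allow %s %s:%s %s;" % (source, target, tclass, perm_text))
    return rules
```

Because the system was in permissive mode, each denied permission was logged in turn; merging the records shows the full permission set the domain would need on its own netlink_route_socket before anyone decides whether to grant it.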