Bug 355521

Summary: ping6 policy does not allow creating netlink socket
Product: [Fedora] Fedora Reporter: Ulrich Drepper <drepper>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhideCC: pekkas
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Current Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-30 19:18:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
AVC as reported in setroubleshhot browser none

Description Ulrich Drepper 2007-10-27 23:04:15 UTC 
Description of problem:
The ping6 binary is not allowed to create a netlink socket for routing.  See the
attached report.

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-33.fc8

How reproducible:
always

Steps to Reproduce:
1.use ping6 with hostname which has an IPv6 address
2.
3.
  
Actual results:
Attached AVC

Expected results:
No AVC.

Additional info:
Comment 1 Ulrich Drepper 2007-10-27 23:04:15 UTC 
Created attachment 240761 [details]
AVC as reported in setroubleshhot browser
Comment 2 Daniel Walsh 2007-10-30 02:40:10 UTC 
Fixed in selinux-policy-3.0.8-40.fc8
Comment 3 Pekka Savola 2007-11-15 07:45:54 UTC 
This fix doesn't appear to be complete or doesn't work, because with -44.fc8 I
get the following (this is about "create" but I also get alerts for "bind",
"write" and "read"):

Summary
    SELinux is preventing /bin/ping6 (ping_t) "create" to <Unknown> (ping_t).

Detailed Description
    SELinux denied access requested by /bin/ping6. It is not expected that this
    access is required by /bin/ping6 and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information

Source Context                system_u:system_r:ping_t
Target Context                system_u:system_r:ping_t
Target Objects                None [ netlink_route_socket ]
Affected RPM Packages         iputils-20070202-5.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall
Host Name                     home
Platform                      Linux home 2.6.23.1-42.fc8 #1 SMP Tue Oct 30
                              13:55:12 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Sun 11 Nov 2007 05:28:42 PM EET
Last Seen                     Sun 11 Nov 2007 05:28:42 PM EET
Local ID                      b05e7345-144f-4a5c-b260-cb6883b57e5c
Line Numbers

Raw Audit Messages

avc: denied { create } for comm=ping6 egid=500 euid=500 exe=/bin/ping6 exit=4
fsgid=500 fsuid=500 gid=500 items=0 pid=23618
scontext=system_u:system_r:ping_t:s0 sgid=500 subj=system_u:system_r:ping_t:s0
suid=500 tclass=netlink_route_socket tcontext=system_u:system_r:ping_t:s0
tty=pts2 uid=500
Comment 4 Daniel Walsh 2007-11-15 15:18:17 UTC 
Could you try selinux-policy-3.0.8-47.fc8 or later.
Comment 5 Daniel Walsh 2008-01-30 19:18:29 UTC 
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.