Bug 440326

Summary: SELinux is preventing /usr/bin/nmap (traceroute_t)
Product: Fedora
Component: selinux-policy
Version: 8
Hardware: x86_64
OS: Linux
Status: CLOSED WONTFIX
Severity: medium
Priority: low
Reporter: Suman Chakrabarty <chakrabarty.suman>
Assignee: Josef Kubin <jkubin>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: tsmetana
Doc Type: Bug Fix
Last Closed: 2008-04-11 12:30:22 UTC

Description Suman Chakrabarty 2008-04-02 20:09:15 UTC

Description of problem:
When I try to nmap any host, I am getting the following error:

==============================================================================
Starting Nmap 4.20 ( http://insecure.org ) at 2008-04-03 01:36 IST
Socket creation in sendconnecttcpquery
QUITTING!
==============================================================================

The SELinux error pops up with the following alert:

Summary
    SELinux is preventing /usr/bin/nmap (traceroute_t) "create" to <Unknown>
    (traceroute_t).

Detailed Description
    SELinux denied access requested by /usr/bin/nmap. It is not expected that
    this access is required by /usr/bin/nmap and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information

Source Context                unconfined_u:system_r:traceroute_t:s0
Target Context                unconfined_u:system_r:traceroute_t:s0
Target Objects                None [ tcp_socket ]
Affected RPM Packages         nmap-4.20-6.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     matrix.cluster.in
Platform                      Linux matrix.cluster.in 2.6.23.1-42.fc8 #1 SMP Tue
                              Oct 30 13:18:33 EDT 2007 x86_64 x86_64
Alert Count                   4
First Seen                    Thu 03 Apr 2008 12:58:00 AM IST
Last Seen                     Thu 03 Apr 2008 01:36:23 AM IST
Local ID                      69f0e091-2b4d-499d-b1a9-e30233201178
Line Numbers

Raw Audit Messages

avc: denied { create } for comm=nmap egid=500 euid=500 exe=/usr/bin/nmap
exit=-13 fsgid=500 fsuid=500 gid=500 items=0 pid=20433
scontext=unconfined_u:system_r:traceroute_t:s0 sgid=500
subj=unconfined_u:system_r:traceroute_t:s0 suid=500 tclass=tcp_socket
tcontext=unconfined_u:system_r:traceroute_t:s0 tty=pts6 uid=500

Version-Release number of selected component (if applicable):
nmap-4.20-6.fc8

How reproducible:
Always


Steps to Reproduce:
1. nmap <IP> or <HOSTNAME>

Actual Results:
Starting Nmap 4.20 ( http://insecure.org ) at 2008-04-03 01:36 IST
Socket creation in sendconnecttcpquery
QUITTING!

Expected Results:


Additional info:

Comment 1 Tomas Smetana 2008-04-04 10:48:22 UTC
I'm getting different AVC messages:

avc: denied { search } for comm=nmap dev=sda2 egid=0 euid=0 exe=/usr/bin/nmap
exit=-2 fsgid=0 fsuid=0 gid=0 items=0 name=root pid=13741
scontext=unconfined_u:system_r:traceroute_t:s0 sgid=0
subj=unconfined_u:system_r:traceroute_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:user_home_dir_t:s0 tty=pts1 uid=0

avc: denied { search } for comm=nmap dev=sda2 egid=0 euid=0 exe=/usr/bin/nmap
exit=-2 fsgid=0 fsuid=0 gid=0 items=0 name=selinux pid=13839
scontext=unconfined_u:system_r:traceroute_t:s0 sgid=0
subj=unconfined_u:system_r:traceroute_t:s0 suid=0 tclass=dir
tcontext=unconfined_u:object_r:user_home_t:s0 tty=pts1 uid=0

avc: denied { search } for comm=nmap dev=sda2 name=libexec pid=13839
scontext=unconfined_u:system_r:traceroute_t:s0 tclass=dir
tcontext=system_u:object_r:bin_t:s0

I've prepared a selinux module and will check it with our selinux gurus for
approval...  However, I could not reproduce your exact AVC on my system (with
the same selinux-policy version).
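The AVC records in the description and in comment 1 are what a policy maintainer reads to decide which rules a fix needs. The helper below is an added example (not part of this bug, of selinux-policy, or of the audit2allow tool) that re-joins the line-wrapped records as Bugzilla displayed them, pulls out the source type, target type, object class and permissions, and reduces them to the TE allow rules they would require, which is the core reduction audit2allow performs; the sample log is copied from this page, with the `self` spelling used when both contexts share a type.

```python
import re

# AVC records copied from this bug report (description and comment 1), wrapped as Bugzilla showed them.
AVC_LOG = """\
avc: denied { create } for comm=nmap egid=500 euid=500 exe=/usr/bin/nmap
exit=-13 fsgid=500 fsuid=500 gid=500 items=0 pid=20433
scontext=unconfined_u:system_r:traceroute_t:s0 sgid=500
subj=unconfined_u:system_r:traceroute_t:s0 suid=500 tclass=tcp_socket
tcontext=unconfined_u:system_r:traceroute_t:s0 tty=pts6 uid=500
avc: denied { search } for comm=nmap dev=sda2 egid=0 euid=0 exe=/usr/bin/nmap
exit=-2 fsgid=0 fsuid=0 gid=0 items=0 name=root pid=13741
scontext=unconfined_u:system_r:traceroute_t:s0 sgid=0
subj=unconfined_u:system_r:traceroute_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:user_home_dir_t:s0 tty=pts1 uid=0
avc: denied { search } for comm=nmap dev=sda2 name=libexec pid=13839
scontext=unconfined_u:system_r:traceroute_t:s0 tclass=dir
tcontext=system_u:object_r:bin_t:s0
"""

def split_records(log):
    """Re-join records wrapped across lines: each record starts with 'avc:'."""
    records = []
    for line in log.splitlines():
        if line.startswith("avc:"):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def parse_avc(record):
    """Return (permissions, key=value fields) for one joined AVC record."""
    m = re.search(r"avc: denied \{ ([^}]+?) \} for (.*)", record)
    if not m:
        raise ValueError(f"not an AVC denial: {record!r}")
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    return m.group(1).split(), fields

def denials_to_rules(log):
    """Reduce denials to TE allow rules, the core step audit2allow performs."""
    rules = {}
    for record in split_records(log):
        perms, f = parse_avc(record)
        # user:role:type:level -> type; the same type on both sides is spelled 'self'
        src, tgt = f["scontext"].split(":")[2], f["tcontext"].split(":")[2]
        if tgt == src:
            tgt = "self"
        rules.setdefault((src, tgt, f["tclass"]), set()).update(perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]
```

The `self:tcp_socket { create }` rule is the one behind the reporter's "Socket creation in sendconnecttcpquery" failure; the `dir { search }` rules are the different denials comment 1 saw.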

Comment 2 Tomas Smetana 2008-04-04 10:51:19 UTC
Please update to the latest selinux policy and try to collect all the AVC
messages in permissive mode (setenforce 0) and attach them here.  Thanks.

Comment 3 Josef Kubin 2008-04-04 12:56:41 UTC
Try to test my latest packages fixing your problem with tcp_socket:

http://people.redhat.com/jkubin/selinux/F8/

Thank you for your feedback!

Comment 4 Suman Chakrabarty 2008-04-04 17:56:28 UTC
(In reply to comment #2)
> Please update to the latest selinux policy and try to collect all the AVC
> messages in permissive mode (setenforce 0) and attach them here.  Thanks.


It seems the problem has been solved in the latest version of selinux policy. I
had a complete update of my system and I do not see this message even with
selinux in enforcing mode (setenforce 1). Thanks for your effort.