Bug 461059

Summary: SELinux is preventing hostname (hostname_t) "read" to /var/lib/dhclient/dhclient-eth0.leases (dhcpc_state_t). and SELinux is preventing ifconfig (ifconfig_t) "read" to /var/lib/dhclient/dhclient-eth0.leases (dhcpc_state_t).
Product: [Fedora] Fedora Reporter: Matěj Cepl <mcepl>
Component: dhcpAssignee: Dave Cantrell <dcantrell>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: dcantrell, dwalsh, mcepl, wwoods, zprikryl
Target Milestone: ---Keywords: Patch, SELinux
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-09-26 02:59:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
/var/log/audit/audit.log
none
dhcp-4.0.0-FD_CLOEXEC.patch none

Description Matěj Cepl 2008-09-03 21:28:58 UTC 
Created attachment 315696 [details]
/var/log/audit/audit.log

I have two SELinux alerts (happened once), I have checked restorecon on the given file, but there was no change.


Souhrn:

SELinux is preventing hostname (hostname_t) "read" to /var/lib/dhclient/dhclient-eth0.leases (dhcpc_state_t).

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena
kvůli uvolněnému režimu.]

SELinux denied access requested by hostname. It is not expected that this access
is required by hostname and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/lib/dhclient/dhclient-eth0.leases,

restorecon -v '/var/lib/dhclient/dhclient-eth0.leases'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                unconfined_u:system_r:hostname_t
Kontext cíle                 system_u:object_r:dhcpc_state_t
Objekty cíle                 /var/lib/dhclient/dhclient-eth0.leases [ file ]
Zdroj                         hostname
Cesta zdroje                  /bin/hostname
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          net-tools-1.60-87.fc9
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-84.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Permissive
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug
                              4 14:08:11 EDT 2008 i686 i686
Počet upozornění           1
Poprvé viděno               St 3. září 2008, 11:17:13 CEST
Naposledy viděno             St 3. září 2008, 11:17:13 CEST
Místní ID                   cacd28f1-978f-410e-b0b6-6d3f816a3260
Čísla řádků              

Původní zprávy auditu      

host=viklef type=AVC msg=audit(1220433433.72:29): avc:  denied  { read } for  pid=3139 comm="hostname" path="/var/lib/dhclient/dhclient-eth0.leases" dev=dm-0 ino=1275568 scontext=unconfined_u:system_r:hostname_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file

host=viklef type=SYSCALL msg=audit(1220433433.72:29): arch=40000003 syscall=11 success=yes exit=0 a0=87a47d0 a1=87a5650 a2=877de28 a3=0 items=0 ppid=3101 pid=3139 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="hostname" exe="/bin/hostname" subj=unconfined_u:system_r:hostname_t:s0 key=(null)
==========================================================================

Souhrn:

SELinux is preventing ifconfig (ifconfig_t) "read" to /var/lib/dhclient/dhclient-eth0.leases (dhcpc_state_t).

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena
kvůli uvolněnému režimu.]

SELinux denied access requested by ifconfig. It is not expected that this access
is required by ifconfig and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/lib/dhclient/dhclient-eth0.leases,

restorecon -v '/var/lib/dhclient/dhclient-eth0.leases'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                unconfined_u:system_r:ifconfig_t
Kontext cíle                 system_u:object_r:dhcpc_state_t
Objekty cíle                 /var/lib/dhclient/dhclient-eth0.leases [ file ]
Zdroj                         ifconfig
Cesta zdroje                  /sbin/ifconfig
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          net-tools-1.60-87.fc9
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-84.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Permissive
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug
                              4 14:08:11 EDT 2008 i686 i686
Počet upozornění           1
Poprvé viděno               St 3. září 2008, 11:17:11 CEST
Naposledy viděno             St 3. září 2008, 11:17:11 CEST
Místní ID                   2aff34fa-3f01-4097-8d1b-2e4437e47bd4
Čísla řádků              

Původní zprávy auditu      

host=viklef type=AVC msg=audit(1220433431.18:28): avc:  denied  { read } for  pid=3100 comm="ifconfig" path="/var/lib/dhclient/dhclient-eth0.leases" dev=dm-0 ino=1275568 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file

host=viklef type=SYSCALL msg=audit(1220433431.18:28): arch=40000003 syscall=11 success=yes exit=0 a0=9147520 a1=91473c0 a2=912d5e8 a3=0 items=0 ppid=3073 pid=3100 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="ifconfig" exe="/sbin/ifconfig" subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
Comment 1 Daniel Walsh 2008-09-03 22:00:34 UTC 
This is a leaked file descriptor to /var/lib/dhclient/dhclient-eth0.leases 

Please close open file descriptors before execing apps.

fcntl(fd, F_SETFD, FD_CLOEXEC)
Comment 2 Zdenek Prikryl 2008-09-09 07:51:25 UTC 
Since /var/lib/dhclient/dhclient-eth0.leases is created by dhclient, it seems that the bug isn't in hostname nor in ifconfig, but it is in dhclient. So, I'm reassigning this to dhcp package.
Comment 3 Dave Cantrell 2008-09-17 00:34:15 UTC 
Created attachment 316916 [details]
dhcp-4.0.0-FD_CLOEXEC.patch
Comment 4 Dave Cantrell 2008-09-17 00:36:16 UTC 
This bug keeps getting filed in rawhide and I don't know what I'm doing wrong in dhclient.  I've set every dhclient-INTERFACE.leases file descriptor to include FD_CLOEXEC, so I don't know what I'm missing.

I do F_GETFD, |= FD_CLOEXEC to it, then F_SETFD.  Is this correct for selinux?
Comment 5 Daniel Walsh 2008-09-18 20:37:45 UTC 
You need to do this before the fork I believe,  Why not do it as soon as the file is opened?
Comment 6 Dave Cantrell 2008-09-18 20:44:56 UTC 
(In reply to comment #5)
> You need to do this before the fork I believe,  Why not do it as soon as the
> file is opened?

That's what I'm doing.  Setting FD_CLOEXEC right when the files are opened.
Comment 7 Daniel Walsh 2008-09-18 20:48:45 UTC 
Then it should work.  You could check by listing ls -l /proc/self/fd in the script to see what is open.
Comment 8 Dave Cantrell 2008-09-26 02:59:08 UTC 
This should be working with the latest dhclient package in rawhide.