Bug 469423
| Summary: | ip addrlabel show doesn't work | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Maciej Żenczykowski <zenczykowski> |
| Component: | kernel | Assignee: | James Morris <jmorris> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 9 | CC: | dwalsh, eparis, kernel-maint, mfabry, mmalik, mmaslano, mschmidt, quintela, rvokal |
| Target Milestone: | --- | Keywords: | SELinux |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-12-03 01:27:10 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Maciej Żenczykowski
2008-10-31 18:56:31 UTC
# ip addrlabel help Usage: ip addrlabel [ list | add | del | flush ] prefix PREFIX [ dev DEV ] [ label LABEL ] addrlabel doesn't use show, but if I try # ip addrlabel list Cannot send dump request: Invalid argument or # ip addrlabel list dev eth0 "ip addrlabel show" does not take any arguments. There will be some bug in parsing commands. I'll check it. It seems to me whole addrlabel doesn't work. This reproducer fails for me in second step with "Cannot talk to rtnetlink: Invalid argument"
Destination: 2001::3
Candidate Source Addresses: 2001::1(deprecated) and 2001::2
1. Setup source address as specified above.
Eg:
#ip -6 addr add 2001::2 dev eth0
#ip -6 addr add 2001::1 dev eth0 valid_lft 50000 preferred_lft 0
2. Add these 3 ip's to the User Configuration Table with different label value.
Eg:
#ip addrlabel add prefix 2001::1 label 3
#ip addrlabel add prefix 2001::2 label 4
#ip addrlabel add prefix 2001::3 label 3
3. Add route to the destination address
#ip -6 route add 2001::3 dev eth0
4. ping6 to the destination will pick up the ip address which is not deprecated. As "avoid deprecated" rule (#rule 3) is satisfied the "label rule"
(#rule 6) is not used.
#ping6 2001::3
Result : Src Address : 2001::2
Ok, the selinux blocks those commands. Everything works as expected ;-) type=SELINUX_ERR msg=audit(1225812551.758:877): SELinux: unrecognized netlink message type=74 for sclass=43 type=SYSCALL msg=audit(1225812551.758:877): arch=c000003e syscall=44 success=yes exit=20 a0=3 a1=7fff98a52010 a2=14 a3=0 items=0 ppid=13000 pid=13980 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="ip" exe="/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) So, how do I use ip addrlabel? What needs to get fixed? The kernel? The policies? The utility? All of them? The problem is only in selinux-policy. Here is attached whole audit log. type=SELINUX_ERR msg=audit(1225698822.073:42): SELinux: unrecognized netlink message type=74 for sclass=43 type=SYSCALL msg=audit(1225698822.073:42): arch=c000003e syscall=44 success=no exit=-22 a0=3 a1=7fff0ddcb380 a2=14 a3=0 items=0 ppid=8622 pid=10954 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ip" exe="/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1225698833.299:43): SELinux: unrecognized netlink message type=74 for sclass=43 type=SYSCALL msg=audit(1225698833.299:43): arch=c000003e syscall=44 success=no exit=-22 a0=3 a1=7fff6615a720 a2=14 a3=0 items=0 ppid=8622 pid=10970 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ip" exe="/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1225698889.556:44): SELinux: unrecognized netlink message type=74 for sclass=43 type=SYSCALL msg=audit(1225698889.556:44): arch=c000003e syscall=44 success=yes exit=0 a0=3 a1=7fff155e3ba0 a2=14 a3=0 items=0 ppid=8622 pid=11504 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ip" exe="/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 k ey=(null) Reproduced on i386 and x86_64 machines (installed by RHTS) with RHEL5.3-Client-20081105.nightly. type=SELINUX_ERR msg=audit(1225879810.745:18): SELinux: unrecognized netlink message type=74 for sclass=43 type=SYSCALL msg=audit(1225879810.745:18): arch=c000003e syscall=44 success=no exit=-22 a0=3 a1=7fff79190750 a2=14 a3=0 items=0 ppid=4084 pid=4112 auid=0 ui d=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/sbin/ip" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null) I think that it's related to selinux-policy or audit package. Looks like kernel issue to me. Specifically security/selinux/nlmsgtab.c:nlmsg_route_perms[] table is missing records for RTM_*ADDRLABEL netlink message types. I posted a kernel patch upstream: http://lkml.org/lkml/2008/11/5/85 *** Bug 470037 has been marked as a duplicate of this bug. *** Applied and compiled kernel with patch from http://lkml.org/lkml/2008/11/5/85 and the problem is resolved. Could we get this into the official fc9 and/or stable 2.6.27 kernels? # uname -a Linux zeus.lan 2.6.27.5-37mz2.fc9.x86_64 #1 SMP Fri Nov 14 15:31:28 PST 2008 x86_64 x86_64 x86_64 GNU/Linux (from koji with above patch) # ip addrlabel show prefix ::1/128 label 0 prefix ::/96 label 3 prefix ::ffff:0.0.0.0/96 label 4 prefix 2001::/32 label 6 prefix 2001:10::/28 label 7 prefix 2002::/16 label 2 prefix fc00::/7 label 5 prefix ::/0 label 1 # ip addrlabel add prefix ::/120 dev eth0 label 9 # ip addrlabel show prefix ::1/128 label 0 prefix ::/120 dev if4 label 9 prefix ::/96 label 3 prefix ::ffff:0.0.0.0/96 label 4 prefix 2001::/32 label 6 prefix 2001:10::/28 label 7 prefix 2002::/16 label 2 prefix fc00::/7 label 5 prefix ::/0 label 1 # ip addrlabel del prefix ::/120 dev eth0 label 9 # ip addrlabel show prefix ::1/128 label 0 prefix ::/96 label 3 prefix ::ffff:0.0.0.0/96 label 4 prefix 2001::/32 label 6 prefix 2001:10::/28 label 7 prefix 2002::/16 label 2 prefix fc00::/7 label 5 prefix ::/0 label 1 Nothing weird in dmesg (and eth0 is indeed interface #4, 1,2,3 being lo,wmaster0,wlan0). Unverified whether the entire source address selection works, but that would be a separate bug anyway... James, is that patch sufficient, or will we need others too? Yes, this should be enough. kernel-2.6.27.7-53.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/kernel-2.6.27.7-53.fc9 kernel-2.6.27.7-53.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. kernel-2.6.27.7-53.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. |