Bug 485854

Summary: SELinux is preventing ifconfig (ifconfig_t) "read write" to socket (initrc_t)
Product: Red Hat Enterprise Linux 5
Reporter: Donald Lambert <donald.lambert>
Component: net-tools
Assignee: Zdenek Prikryl <zprikryl>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: high
Priority: low
Version: 5.3
Target Milestone: rc
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-03-19 09:04:11 UTC

Description Donald Lambert 2009-02-17 02:51:27 UTC
Description of problem:
We are attempting to use snmp to track our mail queues; since the latest update,
SELinux has prevented this, giving the error below.

[root@]# sealert -l 4ffeda18-6826-4644-8a33-d06308dc858d

Summary:

SELinux is preventing ifconfig (ifconfig_t) "read write" to socket (initrc_t).

Detailed Description:

SELinux denied access requested by ifconfig. It is not expected that this access
is required by ifconfig and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:ifconfig_t
Target Context                system_u:system_r:initrc_t
Target Objects                socket [ tcp_socket ]
Source                        ifconfig
Source Path                   /sbin/ifconfig
Port                          <Unknown>
Host                          machine_name
Source RPM Packages           net-tools-1.60-78.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     machine_name
Platform                      Linux machine_name 2.6.18-128.el5PAE #1
                              SMP Wed Dec 17 12:02:33 EST 2008 i686 i686
Alert Count                   2141
First Seen                    Thu Feb 12 05:48:20 2009
Last Seen                     Mon Feb 16 22:24:16 2009
Local ID                      4ffeda18-6826-4644-8a33-d06308dc858d
Line Numbers                  

Raw Audit Messages            

host=kil-sm-1.UCIS.Dal.Ca type=AVC msg=audit(1234837456.319:51665): avc:  denied  { read write } for  pid=12961 comm="ifconfig" path="socket:[14424084]" dev=sockfs ino=14424084 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=tcp_socket

host=kil-sm-1.UCIS.Dal.Ca type=SYSCALL msg=audit(1234837456.319:51665): arch=40000003 syscall=11 success=yes exit=0 a0=807bf90 a1=8147f10 a2=8071b58 a3=805e008 items=0 ppid=12959 pid=12961 auid=4294967295 uid=9242 gid=9242 euid=9242 suid=9242 fsuid=9242 egid=9242 sgid=9242 fsgid=9242 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:ifconfig_t:s0 key=(null)

Comment 1 Donald Lambert 2009-02-17 02:53:39 UTC
The reason for the high severity is that we are having desperate issues with our entire mail system, incoming/outgoing and imap.

These monitoring routines are crucial for the ongoing analysis.

Thanks,

-- Donnie

Comment 2 Zdenek Prikryl 2009-02-17 11:49:18 UTC
It seems that this isn't a bug in net-tools but in the program which executes ifconfig. It looks like the program causes a leaked file descriptor. Can you describe how you use ifconfig? Also look at bug #428553. It is similar to this bug. Anyway, if you can, then try to use iproute instead of net-tools; it's better these days.
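The signature Zdenek points at can be picked out of raw audit records mechanically. The following is an added example, not part of this bug report: it groups AVC and SYSCALL records by audit serial and flags a denial on a socket owned by another domain that is raised during execve (syscall 11 on i386, 59 on x86_64), which is what an inherited descriptor looks like when the kernel revalidates open files at a domain transition. The sample records are constructed after the ones in the report, with the host prefix dropped.

```python
import re
from collections import defaultdict

# Constructed sample modelled on this report's records; not the verbatim text.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1234837456.319:51665): avc:  denied  { read write } for  pid=12961 comm="ifconfig" path="socket:[14424084]" dev=sockfs ino=14424084 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1234837456.319:51665): arch=40000003 syscall=11 success=yes exit=0 pid=12961 comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:ifconfig_t:s0
type=AVC msg=audit(1234837500.100:51700): avc:  denied  { write } for  pid=13000 comm="ifconfig" path="/etc/foo" dev=sda1 ino=5 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1234837500.100:51700): arch=40000003 syscall=4 success=no exit=-13 pid=13000 comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:ifconfig_t:s0
"""

# execve syscall number keyed by the audit "arch" value (i386, x86_64)
EXECVE = {"40000003": "11", "c000003e": "59"}
SOCKET_CLASSES = {"tcp_socket", "udp_socket", "unix_stream_socket",
                  "unix_dgram_socket", "socket"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")


def parse_records(text):
    """Group audit records by serial number, keyed by record type."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        events[m.group(2)][fields["type"]] = fields
    return events


def domain(ctx):
    """user:role:type:level -> type (the SELinux domain)."""
    return ctx.split(":")[2]


def find_leaked_descriptors(text):
    """Serials whose AVC is a cross-domain socket denial raised during execve."""
    hits = []
    for serial, recs in parse_records(text).items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or not sc:
            continue
        is_socket = (avc.get("tclass") in SOCKET_CLASSES
                     or avc.get("path", "").startswith("socket:["))
        cross_domain = domain(avc["scontext"]) != domain(avc["tcontext"])
        at_exec = EXECVE.get(sc.get("arch")) == sc.get("syscall")
        if is_socket and cross_domain and at_exec:
            hits.append((serial, avc["comm"], domain(avc["tcontext"])))
    return hits
```

Note that the paired SYSCALL record shows success=yes: SELinux closes the descriptor the new domain may not use rather than failing the exec, so the calling program keeps working and only the denial is logged. The second sample event is an ordinary file denial and is not flagged.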