Bug 508627

Summary: SELinux is preventing ifconfig (ifconfig_t) "read" security_t
Product: [Fedora] Fedora Reporter: Egon Kastelijn <redhat2>
Component: net-toolsAssignee: Radek Vokál <rvokal>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 11CC: jpopelka, rvokal, zprikryl
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-07-01 12:28:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Egon Kastelijn 2009-06-29 08:11:56 UTC 
Description of problem:

SELinux is preventing ifconfig (ifconfig_t) "read" security_t.

Additional Information:

Source Context                system_u:system_r:ifconfig_t:s0
Target Context                system_u:object_r:security_t:s0
Target Objects                mls [ file ]                   
Source                        ifconfig                       
Source Path                   /sbin/ifconfig                 
Port                          <Unknown>                      
Host                          srv0002                        
Source RPM Packages           net-tools-1.60-92.fc11         
Target RPM Packages                                          
Policy RPM                    selinux-policy-3.6.12-50.fc11  
Selinux Enabled               True                           
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     srv0002
Platform                      Linux srv0002 2.6.29.4-167.fc11.x86_64 #1 SMP Wed
                              May 27 17:27:08 EDT 2009 x86_64 x86_64
Alert Count                   2159
First Seen                    Thu Jun 25 17:19:46 2009
Last Seen                     Mon Jun 29 07:39:10 2009
Local ID                      1204a68b-ac7b-492c-baad-f35454e7f11d
Line Numbers

Raw Audit Messages

node=srv0002 type=AVC msg=audit(1246253950.771:1401): avc:  denied  { read } for  pid=25729 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file

node=srv0002 type=SYSCALL msg=audit(1246253950.771:1401): arch=c000003e syscall=2 success=no exit=558333912 a0=7fffbf59a060 a1=0 a2=7fffbf59a06c a3=fffffff8 items=0 ppid=1690 pid=25729 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:ifconfig_t:s0 key=(null)

Version-Release number of selected component (if applicable):
net-tools-1.60-92.fc11.x86_64
libselinux-2.0.80-1.fc11.x86_64
selinux-policy-3.6.12-50.fc11.noarch

How reproducible:
Multiple of these SE-Linux messages are produced in my /var/log/messages every 30 minutes.

Steps to Reproduce:
1. tail -f /var/log/messages
  
Actual results:
...

Expected results:


Additional info:
There is a Puppet-client running on the specified host.
I think that Puppet is doing something with ifconfig that triggers this problem.
Comment 1 Egon Kastelijn 2009-06-29 08:13:24 UTC 
There are two other open bugs with the same title:
https://bugzilla.redhat.com/show_bug.cgi?id=508121 
https://bugzilla.redhat.com/show_bug.cgi?id=507103

They both talk about 'vpnc'.
On my system vpnc is not installed.
Comment 2 Jiri Popelka 2009-07-01 12:28:12 UTC 
Fixed in selinux-policy-3.6.12-57.fc11

*** This bug has been marked as a duplicate of bug 508099 ***