Bug 509527

Summary: SELinux is preventing ifconfig (ifconfig_t) "read" security_t.
Product: [Fedora] Fedora
Component: selinux-policy
Version: 11
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: low
Hardware: All
OS: Linux
Reporter: Gaetan Cambier <gaetan>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, jkubin, jpopelka, kpiwko, mgrepl, rvokal, zprikryl
Doc Type: Bug Fix
Last Closed: 2009-09-16 08:36:04 UTC

Description Gaetan Cambier 2009-07-03 10:16:35 UTC
Description of problem:
SELinux is preventing ifconfig (ifconfig_t) "read" security_t. 

Version-Release number of selected component (if applicable):
    - net-tools-1.60-92.fc11
    - selinux-policy-3.6.12-53.fc11

How reproducible:
    - Restart network services

  
Additional info:


Summary:

SELinux is preventing ifconfig (ifconfig_t) "read" security_t.

Detailed Description:

[Operation that should have been denied but was allowed by SELinux permissive
mode.]

SELinux denied access requested by ifconfig. It is not expected that this access
is required by ifconfig and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:ifconfig_t:s0
Target Context                system_u:object_r:security_t:s0
Target Objects                mls [ file ]
Source                        ifconfig
Source Path                   /sbin/ifconfig
Port                          <Unknown>
Host                          Gaetan.Cambier-Dereze
Source RPM Packages           net-tools-1.60-92.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-53.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     Gaetan.Cambier-Dereze
Platform                      Linux Gaetan.Cambier-Dereze
                              2.6.29.5-191.fc11.i686.PAE #1 SMP Tue Jun 16
                              23:19:53 EDT 2009 i686 athlon
Alert Count                   5
First Seen                    ven 03 jui 2009 11:05:40 CEST
Last Seen                     ven 03 jui 2009 12:05:04 CEST
Local ID                      cefffe2e-a26a-4716-a98f-c713848903f3
Line Numbers                  

Raw Audit Messages            

node=Gaetan.Cambier-Dereze type=AVC msg=audit(1246615504.724:2081): avc:  denied  { read } for  pid=12860 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file

node=Gaetan.Cambier-Dereze type=AVC msg=audit(1246615504.724:2081): avc:  denied  { open } for  pid=12860 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file

node=Gaetan.Cambier-Dereze type=SYSCALL msg=audit(1246615504.724:2081): arch=40000003 syscall=5 success=yes exit=3 a0=bfc82ce8 a1=8000 a2=0 a3=bfc82ce8 items=0 ppid=12859 pid=12860 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ifconfig" exe="/sbin/ifconfig" subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)

Comment 1 Karel Piwko 2009-07-10 07:24:55 UTC
Experiencing exactly the same behaviour on my installation of Fedora 11 x64.


Summary:

SELinux is preventing ifconfig (ifconfig_t) "read" security_t.

Detailed Description:

SELinux denied access requested by ifconfig. It is not expected that this access
is required by ifconfig and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:ifconfig_t:s0
Target Context                system_u:object_r:security_t:s0
Target Objects                mls [ file ]
Source                        ifconfig
Source Path                   /sbin/ifconfig
Port                          <Unknown>
Host                          kapy
Source RPM Packages           net-tools-1.60-92.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-53.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     kapy
Platform                      Linux kapy 2.6.29.5-191.fc11.x86_64 #1 SMP Tue Jun
                              16 23:23:21 EDT 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Fri 10 Jul 2009 09:07:34 AM CEST
Last Seen                     Fri 10 Jul 2009 09:07:42 AM CEST
Local ID                      05d01cb7-7d3d-458f-aad7-ed74c3e4884d
Line Numbers                  

Raw Audit Messages            

node=kapy type=AVC msg=audit(1247209662.817:36653): avc:  denied  { read } for  pid=11203 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file

node=kapy type=SYSCALL msg=audit(1247209662.817:36653): arch=c000003e syscall=2 success=no exit=1090658264 a0=7fff9117e4b0 a1=0 a2=7fff9117e4bc a3=fffffff8 items=0 ppid=11202 pid=11203 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="ifconfig" exe="/sbin/ifconfig" subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
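
Added example (not part of the bug report or of any commenter's text): a Python triage sketch for the raw audit records quoted above. It joins each AVC denial with the SYSCALL record sharing its audit serial, which separates the first report (logged only, `success=yes` under permissive mode) from the second (blocked, `success=no` under enforcing mode). The function names and the abridged sample input are assumptions of this example.

```python
import re
from collections import defaultdict

# Abridged copies of the audit records quoted in this report (unused fields dropped).
SAMPLE = '''\
node=Gaetan.Cambier-Dereze type=AVC msg=audit(1246615504.724:2081): avc:  denied  { read } for  pid=12860 comm="ifconfig" name="mls" dev=selinuxfs scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
node=Gaetan.Cambier-Dereze type=AVC msg=audit(1246615504.724:2081): avc:  denied  { open } for  pid=12860 comm="ifconfig" name="mls" dev=selinuxfs scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
node=Gaetan.Cambier-Dereze type=SYSCALL msg=audit(1246615504.724:2081): arch=40000003 syscall=5 success=yes exit=3 pid=12860 comm="ifconfig" exe="/sbin/ifconfig"
node=kapy type=AVC msg=audit(1247209662.817:36653): avc:  denied  { read } for  pid=11203 comm="ifconfig" name="mls" dev=selinuxfs scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
node=kapy type=SYSCALL msg=audit(1247209662.817:36653): arch=c000003e syscall=2 success=no exit=1090658264 pid=11203 comm="ifconfig" exe="/sbin/ifconfig"
'''

HEAD = re.compile(r'node=(\S+) type=(\w+) msg=audit\(([\d.]+):(\d+)\):')
AVC = re.compile(r'avc:\s+denied\s+\{ ([^}]*)\}.*scontext=(\S+) tcontext=(\S+) tclass=(\w+)')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def triage(text):
    """Group records by (node, audit serial) and summarise each denied event."""
    events = defaultdict(lambda: {"perms": set(), "blocked": None})
    for line in text.splitlines():
        head = HEAD.match(line)
        if not head:
            continue
        node, rtype, _ts, serial = head.groups()
        ev = events[(node, serial)]
        if rtype == "AVC":
            m = AVC.search(line)
            if m:
                perms, scon, tcon, tclass = m.groups()
                ev["perms"].update(perms.split())
                # The SELinux type is the third field of user:role:type:level.
                ev["source"], ev["target"] = scon.split(":")[2], tcon.split(":")[2]
                ev["tclass"] = tclass
        elif rtype == "SYSCALL":
            fields = dict(KV.findall(line[head.end():]))
            ev["exe"] = fields.get("exe", "").strip('"')
            # success=yes beside a denial means it was logged but not blocked (permissive).
            ev["blocked"] = fields.get("success") == "no"
    return dict(events)

def allow_rule(ev):
    """Render the denial as the type-enforcement rule it corresponds to, for review."""
    return "allow %s %s:%s { %s };" % (ev["source"], ev["target"], ev["tclass"], " ".join(sorted(ev["perms"])))
```
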

Comment 2 Radek Vokál 2009-09-16 08:11:23 UTC
Reassigning to selinux-policy. Can you also specify the exact ifconfig command you have reproduced this avc denial with?

Comment 3 Miroslav Grepl 2009-09-16 08:36:04 UTC
Please update your selinux-policy and selinux-policy-targeted packages.