Bug 555351

Summary: SELinux is preventing ifup-eth (hotplug_t) "getattr" brctl_exec_t
Product: Fedora
Component: selinux-policy
Version: 11
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: low
Priority: low
Keywords: Triaged
Reporter: kc8hfi
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: carlg, dwalsh, mgrepl
Fixed In Version: 3.6.12-94.fc11
Doc Type: Bug Fix
Last Closed: 2010-02-05 01:16:30 UTC

Attachments:
selinux module

Description kc8hfi 2010-01-14 14:42:00 UTC
Created attachment 383682 [details]
selinux module

Description of problem:
Trying to use netplugd with bridged networking causes selinux messages and netplugd doesn't function like it's supposed to.

Version-Release number of selected component (if applicable):
bridge-utils-1.2-7.fc11
selinux-policy-3.6.12-92.fc11

How reproducible:
always

Steps to Reproduce:
1. start the netplugd service: service netplugd start
Actual results:
The netplugd service

Expected results:
the netplugd service starting up with bridged networking and no selinux denial messages

Additional info:
I was told that we need either a brctl_exec and brctl_exec(hotplug_t), or a brctl_domtrans(hotplug_t).

Included here is a module that fixes the problem.


Here are the selinux messages:

type=AVC msg=audit(1263474294.301:38968): avc: denied { getattr } for pid=27804 comm="ifup-eth" path="/usr/sbin/brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1263474294.301:38968): arch=40000003 syscall=195 success=no exit=-13 a0=9ef77c0 a1=bf966cbc a2=b1dff4 a3=9ef77c0 items=0 ppid=26768 pid=27804 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ifup-eth" exe="/bin/bash" subj=unconfined_u:system_r:hotplug_t:s0 key=(null)

Comment 1 kc8hfi 2010-01-14 14:45:54 UTC
More avc denial messages

time->Thu Jan 14 08:31:42 2010
type=SYSCALL msg=audit(1263475902.642:38971): arch=40000003 syscall=33 success=yes exit=0 a0=97907c0 a1=1 a2=b1dff4 a3=97907c0 items=0 ppid=29267 pid=29269 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ifup-eth" exe="/bin/bash" subj=unconfined_u:system_r:hotplug_t:s0 key=(null)
type=AVC msg=audit(1263475902.642:38971): avc: denied { execute } for pid=29269 comm="ifup-eth" name="brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
----
time->Thu Jan 14 08:31:42 2010
type=SYSCALL msg=audit(1263475902.642:38970): arch=40000003 syscall=195 success=yes exit=0 a0=97907c0 a1=bfa0f4cc a2=b1dff4 a3=97907c0 items=0 ppid=29267 pid=29269 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ifup-eth" exe="/bin/bash" subj=unconfined_u:system_r:hotplug_t:s0 key=(null)
type=AVC msg=audit(1263475902.642:38970): avc: denied { getattr } for pid=29269 comm="ifup-eth" path="/usr/sbin/brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
----
time->Thu Jan 14 08:31:42 2010
type=SYSCALL msg=audit(1263475902.653:38972): arch=40000003 syscall=11 success=yes exit=0 a0=97b3ce0 a1=97b42b8 a2=978de88 a3=97b42b8 items=0 ppid=29269 pid=29290 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="brctl" exe="/usr/sbin/brctl" subj=unconfined_u:system_r:hotplug_t:s0 key=(null)
type=AVC msg=audit(1263475902.653:38972): avc: denied { execute_no_trans } for pid=29290 comm="ifup-eth" path="/usr/sbin/brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
type=AVC msg=audit(1263475902.653:38972): avc: denied { read open } for pid=29290 comm="ifup-eth" name="brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
----
time->Thu Jan 14 08:31:42 2010
type=SYSCALL msg=audit(1263475902.653:38973): arch=40000003 syscall=33 success=yes exit=0 a0=bf8e1b97 a1=4 a2=b1dff4 a3=bf8e1f45 items=0 ppid=29269 pid=29290 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="brctl" exe="/usr/sbin/brctl" subj=unconfined_u:system_r:hotplug_t:s0 key=(null)
type=AVC msg=audit(1263475902.653:38973): avc: denied { read } for pid=29290 comm="brctl" name="unix" dev=proc ino=4026531975 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Thu Jan 14 08:34:03 2010
type=SYSCALL msg=audit(1263476043.337:38975): arch=40000003 syscall=195 success=yes exit=0 a0=a0f47c0 a1=bfdaf66c a2=b1dff4 a3=a0f47c0 items=0 ppid=29409 pid=29410 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ifup-eth" exe="/bin/bash" subj=unconfined_u:system_r:hotplug_t:s0 key=(null)
type=AVC msg=audit(1263476043.337:38975): avc: denied { getattr } for pid=29410 comm="ifup-eth" path="/usr/sbin/brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
----
time->Thu Jan 14 08:34:03 2010
type=SYSCALL msg=audit(1263476043.338:38976): arch=40000003 syscall=33 success=yes exit=0 a0=a0f47c0 a1=1 a2=b1dff4 a3=a0f47c0 items=0 ppid=29409 pid=29410 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ifup-eth" exe="/bin/bash" subj=unconfined_u:system_r:hotplug_t:s0 key=(null)
type=AVC msg=audit(1263476043.338:38976): avc: denied { execute } for pid=29410 comm="ifup-eth" name="brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
----
time->Thu Jan 14 08:34:03 2010
type=SYSCALL msg=audit(1263476043.340:38977): arch=40000003 syscall=11 success=yes exit=0 a0=a117ce0 a1=a1182b8 a2=a0f1e88 a3=a1182b8 items=0 ppid=29410 pid=29434 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="brctl" exe="/usr/sbin/brctl" subj=unconfined_u:system_r:hotplug_t:s0 key=(null)
type=AVC msg=audit(1263476043.340:38977): avc: denied { execute_no_trans } for pid=29434 comm="ifup-eth" path="/usr/sbin/brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
type=AVC msg=audit(1263476043.340:38977): avc: denied { read open } for pid=29434 comm="ifup-eth" name="brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
----
time->Thu Jan 14 08:34:03 2010
type=SYSCALL msg=audit(1263476043.340:38978): arch=40000003 syscall=33 success=yes exit=0 a0=bfc0b1e7 a1=4 a2=b1dff4 a3=bfc0bf45 items=0 ppid=29410 pid=29434 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="brctl" exe="/usr/sbin/brctl" subj=unconfined_u:system_r:hotplug_t:s0 key=(null)
type=AVC msg=audit(1263476043.340:38978): avc: denied { read } for pid=29434 comm="brctl" name="unix" dev=proc ino=4026531975 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
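
The denials above read in sequence: ifup-eth, running as hotplug_t under netplugd, stats and executes /usr/sbin/brctl (brctl_exec_t) with no domain transition, so brctl itself keeps running as hotplug_t and then trips over proc_net_t. (The later SYSCALL records show success=yes, so that part of the chain was apparently collected with the denials not enforced, which is why the whole sequence is visible.) Feeding these lines to audit2allow would propose allowing execute_no_trans, i.e. keep brctl inside hotplug_t and grow hotplug_t until brctl works. The narrower fix is the one asked for below, brctl_domtrans(hotplug_t): a type_transition so that brctl runs in brctl_t, which already has its own permissions. The script below is an added example for this page, not the reporter's attached module (which is not reproduced here) and not the change made in the selinux-policy package. The AVC lines embedded in it are copied from the report; the function names, the module name localbrctl, and the use of the selinux-policy-devel Makefile are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the bug report or its attachment): fold the AVC
# denials into audit2allow-style rules, and build the narrow fix instead.

# Copied from the report above (SYSCALL records omitted; only AVC lines matter).
SAMPLE_AVCS=$(cat <<'EOF'
type=AVC msg=audit(1263475902.642:38971): avc: denied { execute } for pid=29269 comm="ifup-eth" name="brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
type=AVC msg=audit(1263475902.642:38970): avc: denied { getattr } for pid=29269 comm="ifup-eth" path="/usr/sbin/brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
type=AVC msg=audit(1263475902.653:38972): avc: denied { execute_no_trans } for pid=29290 comm="ifup-eth" path="/usr/sbin/brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
type=AVC msg=audit(1263475902.653:38972): avc: denied { read open } for pid=29290 comm="ifup-eth" name="brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
type=AVC msg=audit(1263475902.653:38973): avc: denied { read } for pid=29290 comm="brctl" name="unix" dev=proc ino=4026531975 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
EOF
)

# Reads AVC records on stdin, prints one "allow" rule per (source type,
# target type, class), the way audit2allow would.  The presence of
# execute_no_trans in the result is the signal that the right fix is a
# domain transition interface, not these raw rules.
summarize_avcs() {
    # Stage 1: one "source target class perm" tuple per denied permission.
    awk '/avc: +denied/ {
        perms = $0
        sub(/.*denied[ ]*[{][ ]*/, "", perms); sub(/[ ]*[}].*/, "", perms)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
    }' | LC_ALL=C sort -u |
    # Stage 2: fold the sorted tuples into one rule per (source, target:class).
    awk '{
        key = $1 " " $2 ":" $3
        if (key != prev) {
            if (prev != "") print "allow " prev " { " perms " };"
            prev = key; perms = $4
        } else perms = perms " " $4
    } END { if (prev != "") print "allow " prev " { " perms " };" }'
}

# Local module implementing the fix named in this bug: brctl_domtrans(hotplug_t)
# adds the type_transition from hotplug_t, via brctl_exec_t, into brctl_t, so
# brctl runs in its own domain instead of inheriting hotplug_t.  Module name
# "localbrctl" is this example's choice.
local_module_te() {
    cat <<'EOF'
policy_module(localbrctl, 1.0)

require {
    type hotplug_t;
}

# Domain transition hotplug_t -> brctl_t on execution of brctl_exec_t.
brctl_domtrans(hotplug_t)
EOF
}

# Build and load the module.  Needs selinux-policy-devel (for the Makefile
# and the interface definitions) and root.  Once the fixed selinux-policy
# (3.6.12-94.fc11) is installed, remove it again with: semodule -r localbrctl
build_and_install() {
    local_module_te > localbrctl.te
    make -f /usr/share/selinux/devel/Makefile localbrctl.pp
    semodule -i localbrctl.pp
}

# Confirm the transition rule is now in the loaded policy.
verify_transition() {
    sesearch -T -s hotplug_t -t brctl_exec_t -c process
}

# Usage: show what audit2allow would have proposed for the report's denials.
printf '%s\n' "$SAMPLE_AVCS" | summarize_avcs
```

Running the block prints two rules, `allow hotplug_t brctl_exec_t:file { execute execute_no_trans getattr open read };` and `allow hotplug_t proc_net_t:file { read };`. The second rule exists only because the first kept brctl in hotplug_t; with the transition in place neither is needed. Run build_and_install and verify_transition as root on the affected host.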

Comment 2 Daniel Walsh 2010-01-14 14:50:25 UTC
Miroslav, 

Add brctl_domtrans(hotplug_t) to F11 and F12.

Comment 3 Carl G. 2010-01-17 00:49:25 UTC
Did you have any feedback from Miroslav, Daniel?

---

Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 4 Miroslav Grepl 2010-01-18 08:35:32 UTC
Fixed in selinux-policy-3.6.12-94.fc11.noarch and selinux-policy-3.6.32-71.fc12

Comment 5 Fedora Update System 2010-01-19 20:03:52 UTC
selinux-policy-3.6.12-94.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.12-94.fc11

Comment 6 Fedora Update System 2010-01-21 00:11:30 UTC
selinux-policy-3.6.12-94.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-0851

Comment 7 Fedora Update System 2010-02-05 01:16:11 UTC
selinux-policy-3.6.12-94.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.