Bug 604573

Summary: SElinux problem found in netcf (without config files) bridge-nf-call-iptables
Product: Red Hat Enterprise Linux 6
Reporter: Jan Ščotka <jscotka>
Component: netcf
Assignee: Laine Stump <laine>
Status: CLOSED DUPLICATE
QA Contact: qe-baseos-daemons
Severity: medium
Priority: low
Version: 6.0
CC: dwalsh
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-06-16 10:06:47 UTC
Bug Blocks: 584893
Attachments: strace of command (flags: none)

Description Jan Ščotka 2010-06-16 09:25:08 UTC
Description of problem:
When testing the netcf package I found a problem with selinux.
error: can not open /proc/sys/net/bridge/bridge-nf-call-iptables: Permission denied.


Version-Release number of selected component (if applicable):
# rpm -qa netcf
netcf-0.1.6-1.el6.i686


How reproducible:
100%

Steps to Reproduce:
1. # netcf -d

Actual results:
Failed to initialize netcf
error: File operation failed
error: can not open /proc/sys/net/bridge/bridge-nf-call-iptables: Permission denied


Expected results:
no error, or only an error that the config file was not found

Additional info:
message from /var/log/audit/audit.log for this event:

type=AVC msg=audit(1276680230.516:25392): avc:  denied  { search } for  pid=11950 comm="ncftool" scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=SYSCALL msg=audit(1276680230.516:25392): arch=40000003 syscall=5 success=no exit=-13 a0=9ce9820 a1=0 a2=1b6 a3=4698e6 items=0 ppid=11894 pid=11950 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1006 comm="ncftool" exe="/usr/bin/ncftool" subj=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 key=(null)
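
To read denials like the two records above, here is an added Python helper (not part of netcf or of this bug report) that parses AVC lines the way audit2allow summarises them and reports which domain each command was running in; the first two sample lines are the records quoted above, the third AVC line is constructed to show how permissions are merged.

```python
import re
from dataclasses import dataclass

# Constructed sample log: the two audit records quoted in the bug description,
# plus one hypothetical AVC record (read on a sysctl file) to show rule merging.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1276680230.516:25392): avc:  denied  { search } for  pid=11950 comm="ncftool" scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=SYSCALL msg=audit(1276680230.516:25392): arch=40000003 syscall=5 success=no exit=-13 a0=9ce9820 a1=0 a2=1b6 a3=4698e6 items=0 ppid=11894 pid=11950 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1006 comm="ncftool" exe="/usr/bin/ncftool" subj=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1276680230.700:25393): avc:  denied  { read } for  pid=11950 comm="ncftool" scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
"""
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?comm="(?P<comm>[^"]*)"'
    r' .*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

@dataclass(frozen=True)
class Denial:
    comm: str
    source_type: str
    target_type: str
    tclass: str
    perms: frozenset

def selinux_type(context):
    # A context is user:role:type[:mls]; the domain or file type is the third field.
    return context.split(":")[2]

def parse_avc_denials(log_text):
    """Extract AVC denial records; SYSCALL and other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append(Denial(m.group("comm"), selinux_type(m.group("scon")),
                                  selinux_type(m.group("tcon")), m.group("tclass"),
                                  frozenset(m.group("perms").split())))
    return denials

def allow_rules(denials):
    """Merge denials into audit2allow-style rules, one per (source, target, class)."""
    merged = {}
    for d in denials:
        key = (d.source_type, d.target_type, d.tclass)
        merged[key] = merged.get(key, frozenset()) | d.perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

def domains_by_command(denials):
    """Domain each command ran in when denied (ncftool in iptables_t is a policy issue)."""
    return {d.comm: d.source_type for d in denials}
```

The domain report is the useful diagnostic here: a tool started from an unconfined shell but denied while running as iptables_t has been transitioned into a confined domain by the policy, which is why the fix arrived as a selinux-policy build rather than a netcf build.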

Comment 2 Jan Ščotka 2010-06-16 09:37:49 UTC
my network config if it is important (have own bridged net)
# ifconfig 
eth0      Link encap:Ethernet  HWaddr 00:0A:5E:57:A4:C9  
          inet addr:10.16.64.63  Bcast:10.16.71.255  Mask:255.255.248.0
          inet6 addr: fec0:0:a10:4000:20a:5eff:fe57:a4c9/64 Scope:Site
          inet6 addr: fe80::20a:5eff:fe57:a4c9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7206204 errors:0 dropped:0 overruns:1 frame:0
          TX packets:36642 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:570006054 (543.6 MiB)  TX bytes:3402878 (3.2 MiB)
          Interrupt:19 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:14932 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14932 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:6468798 (6.1 MiB)  TX bytes:6468798 (6.1 MiB)

next      Link encap:Ethernet  HWaddr 00:0A:5E:57:A4:C9  
          inet addr:10.16.64.63  Bcast:10.16.71.255  Mask:255.255.248.0
          inet6 addr: fec0:0:a10:4000:20a:5eff:fe57:a4c9/64 Scope:Site
          inet6 addr: fe80::20a:5eff:fe57:a4c9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5893720 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28418 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:373270604 (355.9 MiB)  TX bytes:2597953 (2.4 MiB)

tap0      Link encap:Ethernet  HWaddr BE:E2:A9:9F:E7:B2  
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::bce2:a9ff:fe9f:e7b2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:6023835 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tap1      Link encap:Ethernet  HWaddr C6:07:1C:2F:BC:D5  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::c407:1cff:fe2f:bcd5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:6023834 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tap2      Link encap:Ethernet  HWaddr 1A:B6:AE:11:E9:1E  
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::18b6:aeff:fe11:e91e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:6023833 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tap3      Link encap:Ethernet  HWaddr AA:A2:44:83:E3:73  
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: fe80::a8a2:44ff:fe83:e373/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:6023832 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tap4      Link encap:Ethernet  HWaddr DA:19:BF:F1:AA:FD  
          inet addr:192.168.4.1  Bcast:192.168.4.255  Mask:255.255.255.0
          inet6 addr: fe80::d819:bfff:fef1:aafd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:6023833 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Comment 4 RHEL Program Management 2010-06-16 09:53:13 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 5 Laine Stump 2010-06-16 10:06:47 UTC
This sounds very much like a bug that was already fixed, but I can't find the
exact bug for some reason. At any rate, it's certainly something that would
fall in the realm of Bug 593708, which is already well on its way to
resolution.

*** This bug has been marked as a duplicate of bug 593708 ***

Comment 6 Jan Ščotka 2010-06-16 11:02:55 UTC
Hi,
it is possible, it seems similar.
The problem is that it is not fixed in the version of the rebased netcf from
https://bugzilla.redhat.com/show_bug.cgi?id=584893

Comment 7 Laine Stump 2010-06-16 12:00:48 UTC
Jan - the problem isn't solved by a new netcf package. It's solved by a new selinux-policy package.

Comment 8 Jan Ščotka 2010-06-16 12:35:27 UTC
Created attachment 424430 [details]
strace of command

Yep,
it was a problem of selinux, so mgrepl built a new one for it:
https://brewweb.devel.redhat.com/buildinfo?buildID=135036

then the problem disappears. But a second one appears:

# ncftool
Failed to initialize netcf
error: unspecified error

Is it a big problem, or only a smaller one (some mistake of mine)?
I expected some interactive console of the netcf tool.
strace of the command attached

Comment 9 Daniel Walsh 2010-06-16 13:26:42 UTC
Please update the other bug report with newer avc messages.

Comment 10 Jan Ščotka 2010-06-16 13:35:53 UTC
The problem is that the second problem isn't caused by selinux (no audit.log messages, same problem with setenforce 0);
it seems to be a problem of netcf.
Okay, I'll create new