Bug 619849
Summary: | "Permission denied" if selinux is enforcing when doing "ncftool ifup" for a bridge device | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Laine Stump <laine> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> |
Severity: | medium | Docs Contact: | |
Priority: | low | | |
Version: | 6.0 | CC: | borgan, mgrepl, mmalik, syeghiay |
Target Milestone: | rc | Keywords: | RHELNAK |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | selinux-policy-3.7.19-36.el6 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2010-11-10 21:35:54 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Laine Stump
2010-07-30 17:35:45 UTC
This issue has been proposed when we are only considering blocker issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current release, ask your support representative to file as a blocker on your behalf. Otherwise ask that it be considered for the next Red Hat Enterprise Linux release. **

Please attach the avc's that you are seeing?

Sorry, I couldn't find them before - I was looking in /var/log/audit/audit.log and seeing nothing. Then I realized that auditd was disabled on this machine for some reason, so they're in /var/log/messages.

Here are the avc's when I run "ncftool ifup br0" (just execs /sbin/ifup) with selinux set to permissive:

```
Jul 30 15:06:46 rhel6 kernel: type=1401 audit(1280516806.353:122): security_compute_sid: invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
Jul 30 15:06:46 rhel6 kernel: type=1401 audit(1280516806.412:123): security_compute_sid: invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
Jul 30 15:06:46 rhel6 kernel: type=1401 audit(1280516806.414:124): security_compute_sid: invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
```

And here is what I get when I run ncftool ifdown br0 (just execs /sbin/ifdown):

```
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.504:125): avc: denied { dac_override } for pid=5980 comm="ncftool" capability=1 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tclass=capability
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.694:126): avc: denied { getattr } for pid=5980 comm="ifdown-eth" path="/var/run/dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=file
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.696:127): avc: denied { read } for pid=6018 comm="cat" name="dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=file
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.696:128): avc: denied { open } for pid=6018 comm="cat" name="dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=file
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.696:129): avc: denied { signal } for pid=5980 comm="ifdown-eth" scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=process
Jul 30 15:07:40 rhel6 kernel: type=1400 audit(1280516860.250:130): avc: denied { write } for pid=6041 comm="rm" name="run" dev=dm-0 ino=263681 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
Jul 30 15:07:40 rhel6 kernel: type=1400 audit(1280516860.250:131): avc: denied { remove_name } for pid=6041 comm="rm" name="dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
Jul 30 15:07:41 rhel6 kernel: type=1401 audit(1280516861.019:132): security_compute_sid: invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
Jul 30 15:07:41 rhel6 kernel: br0: port 1(eth0) entering disabled state
Jul 30 15:07:41 rhel6 kernel: type=1401 audit(1280516861.031:133): security_compute_sid: invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
```

Finally, here is what I get when I ifup an ethernet interface (although this seems to be successful even with selinux enforcing):

```
Jul 30 15:08:11 rhel6 kernel: type=1400 audit(1280516891.573:134): avc: denied { dac_override } for pid=6232 comm="ncftool" capability=1 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tclass=capability
```

Dan, I will add

```
#######################################
## <summary>
##	Execute brctl in the brctl domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`brctl_run',`
	gen_require(`
		type brctl_t, brctl_exec_t;
	')

	# domain transition on brctl_exec_t, plus the role authorisation the
	# type=1401 "invalid context" messages above show is missing
	brctl_domtrans($1)
	role $2 types brctl_t;
')
```

to brctl.if

---

```
sysnet_read_dhcpc_pid(ncftool_t)
sysnet_signal_dhcpc(ncftool_t)
```

to ncftool.te

---

and will change ncftool_run to

```
interface(`ncftool_run',`
	gen_require(`
		type ncftool_t;
	')

	ncftool_domtrans($1)
	role $2 types ncftool_t;
	# ncftool execs brctl, so the caller's role also needs brctl_t
	brctl_run(ncftool_t, $2)
')
```

Laine, you can allow it for now using

```
# cat > myncftool.te << _EOF
policy_module(myncftool, 1.0)

require {
	type brctl_t;
	role unconfined_r;
	type ncftool_t;
	type var_run_t;
}

# let the ncftool_t -> brctl_t transition produce a valid context
role unconfined_r types brctl_t;

# "rm" of /var/run/dhclient-br0.pid from ifdown-eth
allow ncftool_t var_run_t:dir { write remove_name };

# reading and signalling dhclient via its pid file
sysnet_read_dhcpc_pid(ncftool_t)
sysnet_signal_dhcpc(ncftool_t)
_EOF
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myncftool.pp
```

Add files_rw_pid_dirs($1) to sysnet_delete_dhcpc_pid

And

```
########################################
## <summary>
##	Add and remove entries from pid directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`files_rw_pid_dirs',`
	gen_require(`
		type var_run_t;
	')

	allow $1 var_run_t:dir rw_dir_perms;
')
```

TO files.if

Thanks, I missed this one.

Can you provide me with a scratch RPM to test this? There aren't many snapshots left, so I'd rather test ahead of time and be sure that what's going in is going to solve all the denials.

Fixed in selinux-policy-3.7.19-36.el6.noarch.

Yes, I've verified that this particular AVC no longer occurs with selinux-policy-3.7.19-36

Red Hat Enterprise Linux 6.0 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.