Bug 619849
| Summary: | "Permission denied" if selinux is enforcing when doing "ncftool ifup" for a bridge device | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Laine Stump <laine> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 6.0 | CC: | borgan, mgrepl, mmalik, syeghiay |
| Target Milestone: | rc | Keywords: | RHELNAK |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-36.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2010-11-10 21:35:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This issue has been proposed when we are only considering blocker issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current release, ask your support representative to file as a blocker on your behalf. Otherwise ask that it be considered for the next Red Hat Enterprise Linux release. **

Please attach the avc's that you are seeing?

Sorry, I couldn't find them before - I was looking in /var/log/audit/audit.log and seeing nothing. Then I realized that auditd was disabled on this machine for some reason, so they're in /var/log/messages.
Here are the avc's when I run "ncftool ifup br0" (just execs /sbin/ifup) with selinux set to permissive:
```
Jul 30 15:06:46 rhel6 kernel: type=1401 audit(1280516806.353:122): security_compute_sid: invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
Jul 30 15:06:46 rhel6 kernel: type=1401 audit(1280516806.412:123): security_compute_sid: invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
Jul 30 15:06:46 rhel6 kernel: type=1401 audit(1280516806.414:124): security_compute_sid: invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
```
And here is what I get when I run ncftool ifdown br0 (just execs /sbin/ifdown):
```
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.504:125): avc: denied { dac_override } for pid=5980 comm="ncftool" capability=1 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tclass=capability
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.694:126): avc: denied { getattr } for pid=5980 comm="ifdown-eth" path="/var/run/dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=file
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.696:127): avc: denied { read } for pid=6018 comm="cat" name="dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=file
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.696:128): avc: denied { open } for pid=6018 comm="cat" name="dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=file
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.696:129): avc: denied { signal } for pid=5980 comm="ifdown-eth" scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=process
Jul 30 15:07:40 rhel6 kernel: type=1400 audit(1280516860.250:130): avc: denied { write } for pid=6041 comm="rm" name="run" dev=dm-0 ino=263681 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
Jul 30 15:07:40 rhel6 kernel: type=1400 audit(1280516860.250:131): avc: denied { remove_name } for pid=6041 comm="rm" name="dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
Jul 30 15:07:41 rhel6 kernel: type=1401 audit(1280516861.019:132): security_compute_sid: invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
Jul 30 15:07:41 rhel6 kernel: br0: port 1(eth0) entering disabled state
Jul 30 15:07:41 rhel6 kernel: type=1401 audit(1280516861.031:133): security_compute_sid: invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
```
Finally, here is what I get when I ifup an ethernet interface (although this seems to be successful even with selinux enforcing):
```
Jul 30 15:08:11 rhel6 kernel: type=1400 audit(1280516891.573:134): avc: denied { dac_override } for pid=6232 comm="ncftool" capability=1 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tclass=capability
```
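As an added example (not from this bug or the selinux-policy package), a small Python parser that groups the type=1400 AVC denials and type=1401 security_compute_sid lines above by source type, target type and class, the way audit2allow does, so the statements a local module would need can be read off and reviewed. It assumes only the line formats shown in this bug; the sample log is constructed from the ifdown output quoted above, and the type=1401 lines are read as the role/type authorization gap that the `role unconfined_r types brctl_t;` workaround below closes.

```python
import re
from collections import defaultdict

# Constructed sample: kernel audit lines copied from the ifdown/ifup output
# quoted in this bug (one type=1401 line plus the type=1400 AVC denials).
SAMPLE_LOG = """\
Jul 30 15:07:41 rhel6 kernel: type=1401 audit(1280516861.019:132): security_compute_sid: invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.504:125): avc: denied { dac_override } for pid=5980 comm="ncftool" capability=1 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tclass=capability
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.694:126): avc: denied { getattr } for pid=5980 comm="ifdown-eth" path="/var/run/dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=file
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.696:127): avc: denied { read } for pid=6018 comm="cat" name="dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=file
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.696:128): avc: denied { open } for pid=6018 comm="cat" name="dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=file
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.696:129): avc: denied { signal } for pid=5980 comm="ifdown-eth" scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=process
Jul 30 15:07:40 rhel6 kernel: type=1400 audit(1280516860.250:130): avc: denied { write } for pid=6041 comm="rm" name="run" dev=dm-0 ino=263681 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
Jul 30 15:07:40 rhel6 kernel: type=1400 audit(1280516860.250:131): avc: denied { remove_name } for pid=6041 comm="rm" name="dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"type=1400 .*?avc: +denied +\{ *(?P<perms>[^}]+)\} .*?"
                    r"scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)")
# type=1401: the kernel computed a new context for the exec but rejected it,
# here because role unconfined_r is not authorized for type brctl_t.
SID_RE = re.compile(r"type=1401 .*?invalid context (?P<ctx>\S+) for scontext=\S+ "
                    r"tcontext=\S+ tclass=process")

def ctx_type(ctx):  # user:role:type[:range] -> type
    return ctx.split(":")[2]

def summarize(log):
    """Group AVC denials by (source type, target type, class) -> permissions
    and collect the (role, type) pairs behind invalid-context transitions."""
    allows, roles = defaultdict(set), set()
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (ctx_type(m["s"]), ctx_type(m["t"]), m["cls"])
            allows[key].update(m["perms"].split())
            continue
        m = SID_RE.search(line)
        if m:
            roles.add((m["ctx"].split(":")[1], ctx_type(m["ctx"])))
    return dict(allows), roles

def to_policy(allows, roles):
    """Render raw statements in the shape of the local myncftool.te module in
    this bug. Capability denials come out as comments to be reviewed: the
    workaround here does not grant dac_override, and usually should not."""
    out = [f"role {r} types {t};" for r, t in sorted(roles)]
    for (s, t, cls), perms in sorted(allows.items()):
        rule = f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};"
        out.append(f"# review: {rule}" if cls == "capability" else rule)
    return out
```

Calling `to_policy(*summarize(SAMPLE_LOG))` yields the role statement and the dir/file/process allow rules that the myncftool.te workaround below expresses through refpolicy interfaces.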
Dan, I will add

```
#######################################
## <summary>
##	Execute brctl in the brctl domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`brctl_run',`
	gen_require(`
		type brctl_t, brctl_exec_t;
	')

	brctl_domtrans($1)
	role $2 types brctl_t;
')
```

to brctl.if

---

```
sysnet_read_dhcpc_pid(ncftool_t)
sysnet_signal_dhcpc(ncftool_t)
```

to ncftool.te

---

and will change ncftool_run to

```
interface(`ncftool_run',`
	gen_require(`
		type ncftool_t;
	')

	ncftool_domtrans($1)
	role $2 types ncftool_t;
	brctl_run(ncftool_t, $2)
')
```
Laine,

you can allow it for now using

```
# cat > myncftool.te << _EOF
policy_module(myncftool, 1.0)

require {
	type brctl_t;
	role unconfined_r;
	type ncftool_t;
	type var_run_t;
}

role unconfined_r types brctl_t;
allow ncftool_t var_run_t:dir { write remove_name };
sysnet_read_dhcpc_pid(ncftool_t)
sysnet_signal_dhcpc(ncftool_t)
_EOF
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myncftool.pp
```
Add files_rw_pid_dirs($1) to sysnet_delete_dhcpc_pid

And

```
########################################
## <summary>
##	Add and remove entries from pid directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`files_rw_pid_dirs',`
	gen_require(`
		type var_run_t;
	')

	allow $1 var_run_t:dir rw_dir_perms;
')
```

TO files.if

Thanks, I missed this one.

Can you provide me with a scratch RPM to test this? There aren't many snapshots left, so I'd rather test ahead of time and be sure that what's going in is going to solve all the denials.

Fixed in selinux-policy-3.7.19-36.el6.noarch.

Yes, I've verified that this particular AVC no longer occurs with selinux-policy-3.7.19-36

Red Hat Enterprise Linux 6.0 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.
With selinux enforcing, if I use ncftool to define a bridge device and ifup it, I get multiple "Permission denied" errors when ifup-eth tries to run /sbin/brctl. If selinux is permissive, there is no error.

How to reproduce:

1) pick an interface that can be trashed on your machine, eg eth1, and save its config (this is just so you can restore it after you're finished with the bug):

```
# ncftool dumpxml eth1 >/tmp/eth1.xml
```

Now define a bridge for it:

```
# cat >/tmp/br1.xml
<interface type='bridge' name='br1'>
  <start mode='none'/>
  <protocol family='ipv4'>
    <dhcp/>
  </protocol>
  <bridge stp='on' delay='0'>
    <interface type='ethernet' name='eth1'>
      <mac address='00:22:15:59:62:97'/>
    </interface>
  </bridge>
</interface>
```

(you should take the mac address and protocol family='ipv4' sections from eth1.xml and plug them into the appropriate places here).

```
# ncftool define /tmp/br1.xml
Defined interface br1
```

Now try to start it up:

```
# ncftool ifup br1
etc/sysconfig/network-scripts/ifup-eth: line 163: /usr/sbin/brctl: Permission denied
/etc/sysconfig/network-scripts/ifup-eth: line 60: /usr/sbin/brctl: Permission denied
Interface br1 bring-up failed!
error: failed to execute external program
error: Running 'ifup br1' failed with exit code 1
```

***********************************

If you then run either "ifup br1" directly, or "virsh iface-start br1" (which makes the same netcf library call as "ncftool ifup br1", but from the libvirtd process instead of ncftool), the bringup is successful. Likewise, if selinux is set to permissive it is successful.