Bug 622796

Summary: SELinux is preventing /usr/sbin/ntpd access to a leaked netlink_route_socket file descriptor.
Product: [Fedora] Fedora Reporter: Rodd Clarkson <rodd>
Component: firstboot    Assignee: Martin Gracik <mgracik>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 14CC: abdrahim_, adam, adron8, ahufiliztas, airholm, akshay.suthar, alex_8_9, anurag, avinash.suratkal, benjaminjrood, bjoernhoppe, bugs0, bugzilla, bugzilla, bugzilla, cfpcompte, chester_net, cheun1, christopher.swift, codyross18, coelho.bessa.felipe, coldreactive, cptdavidcochran, curtis, damien, dangets, danielbduncan, daniel_prieto, davekin50, davematel, DeaGl3V, dilworthscott, dmach, dmchudzinski, donnellydw, doom_ii, dsteves, dstock7337, dtimms, dude8724, dwalsh, engelhart01, eric.rannaud, eternal_demonic_angel, extremoburo, fabrice.perina, fast3furious, fedora, fedoraproject, fkooman, flokip, funkypotatoe, green_hu_man, green, gsandu1, gunnar_thielebein, guntis, gwmorris, halb_b, hicham.haouari, hopparz, huguenv, iblarsen123, inszyby, iscsi.hungry, ivo, jacopo.serafini, jacquesstud04, jaivuk, jambi5ba, jdobbs, jdorff, jedh, jeff.childers, jeff, jfrieben, jk, jlaska, joe.christy, joostvandorp, joshuajrbennett, jreznik, jsmith.fedora, keviand0112, k.goddard, kjiec4, kjscott00, kwesi_arkoh, lan4pal, Lasander, leendert_schouten, lewcat111, linas.r, Link-82, liywenhui, llbrunoll, lmojzis, lucashby, lukaszlucka, madhavvamsi716, mail, marcridilla, masami256, mason, mattia.tristo, mgrepl, michael, michael.faille, MICHAELJONES36, michalek.fabis, mike, morris.levy, mr.matthew.tober, mtbasus, musicalboss, naoki, nccs, necro351, nimilsoman, noesgaard, noizls, olbi3009, olivares14031, oppiet35, orion520a, oxx2k-bugzilla, palango, papajohnb89, paulcscheung, pavel.stehule, pcsnow, philip.chimento, pinode, plr4ever, postawa, rajatjpatel, rcpao1+bugzilla-redhat-com, rebus, reelkaas, rhyphonous, rianby64, riccardo, richardherist, robertfarmer37, Robert-Martin, roberto.antonetti, rob, roccella, roman, ryans, sakji.mohamed.habib, salixman40, sandro, saresoarc, satellitgo, scrillasteve, skutr34, ssabcew, ssanders, stainedshuriken, sugarpotpie, suneetd, tadej.j, talbott.preston, tarik, tcfxfzoi, tdaffan, themiskont, thomasmjaeger, tomas.n.oliveira, tomas.ostlund42, 
tscott, tsozik, twegener, unmesh.ballal, vaden, varunaseneviratna, viabsb, vleolml, v.plessky, vrooli, whitefox6910, wmealing, wolfgang, xaver, xpd259, yvon.endicott, yx-412, zbechir, zhaofei90, z.sekera
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:4fdbb14406875978bcfe53a0dda129963168514b153e4355fd502a698a12c3f2
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2012-05-31 06:55:02 UTC Type: ---
Bug Blocks: 739684    

Description Rodd Clarkson 2010-08-10 12:50:50 UTC
Summary:

SELinux is preventing /usr/sbin/ntpd access to a leaked netlink_route_socket
file descriptor.

Detailed Description:

[ntpd has a permissive type (ntpd_t). This access was not denied.]

SELinux denied access requested by the ntpd command. It looks like this is
either a leaked descriptor or ntpd output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the netlink_route_socket. You should generate a bugzilla on selinux-policy, and
it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:ntpd_t:s0
Target Context                system_u:system_r:firstboot_t:s0
Target Objects                netlink_route_socket [ netlink_route_socket ]
Source                        ntpd
Source Path                   /usr/sbin/ntpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ntp-4.2.6p2-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.8.8-10.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35-3.fc14.x86_64 #1
                              SMP Fri Aug 6 19:41:28 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 10 Aug 2010 10:43:43 PM EST
Last Seen                     Tue 10 Aug 2010 10:43:43 PM EST
Local ID                      fd855fcd-1a25-440e-9184-ad778102f6f3
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1281444223.378:116): avc:  denied  { read write } for  pid=1848 comm="ntpd" path="socket:[16689]" dev=sockfs ino=16689 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:firstboot_t:s0 tclass=netlink_route_socket

node=(removed) type=SYSCALL msg=audit(1281444223.378:116): arch=c000003e syscall=59 success=yes exit=0 a0=1723d20 a1=1723da0 a2=1724680 a3=7fffdbfd0d40 items=0 ppid=1847 pid=1848 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key=(null)



Hash String generated from  leaks,ntpd,ntpd_t,firstboot_t,netlink_route_socket,read,write
audit2allow suggests:

#============= ntpd_t ==============
allow ntpd_t firstboot_t:netlink_route_socket { read write };
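The report above leaves the triage to the reader: the "leaks" plugin fired because the AVC was raised while a successful execve was in progress (the kernel revalidates every inherited descriptor at the domain transition), so the denial names a descriptor ntpd never asked for. The Python below is an added example, not setroubleshoot's code: it groups audit records by event id, looks for a successful execve SYSCALL record next to the AVC, and flags such events as inherited-descriptor leaks rather than genuine denials. The sample log is constructed from the two events pasted into this bug plus one made-up ordinary denial (serial 77, an ntpd write to a file) for contrast; the execve syscall numbers per audit arch code are the ones visible in the records here.

```python
import re
from collections import defaultdict

# Audit "arch" code -> execve syscall number, as seen in the records pasted into this bug
# (c000003e = x86_64, execve is 59; 40000003 = i386, execve is 11).
EXECVE_BY_ARCH = {"c000003e": 59, "40000003": 11}
# Permissions exercised on an already-open descriptor. A denial of only these during execve
# means the descriptor was inherited from the parent, not requested by the new program.
FD_PERMS = {"read", "write", "append"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
PERMS_RE = re.compile(r'\{ ([^}]*) \}')

# Constructed sample: the ntpd and tzdata-update events from this bug (the duplicated tzdata AVC
# line is kept on purpose) and a made-up non-leak denial with serial 77.
SAMPLE_AUDIT_LOG = """
node=(removed) type=AVC msg=audit(1281444223.378:116): avc:  denied  { read write } for  pid=1848 comm="ntpd" path="socket:[16689]" dev=sockfs ino=16689 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:firstboot_t:s0 tclass=netlink_route_socket
node=(removed) type=SYSCALL msg=audit(1281444223.378:116): arch=c000003e syscall=59 success=yes exit=0 a0=1723d20 a1=1723da0 a2=1724680 a3=7fffdbfd0d40 items=0 ppid=1847 pid=1848 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key=(null)
node=mydesktop type=AVC msg=audit(1287723675.87:24955): avc:  denied  { read append } for  pid=13639 comm="tzdata-update" path="/tmp/tmp9wX9eF" dev=dm-0 ino=395514 scontext=system_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
node=mydesktop type=AVC msg=audit(1287723675.87:24955): avc:  denied  { read append } for  pid=13639 comm="tzdata-update" path="/tmp/tmp9wX9eF" dev=dm-0 ino=395514 scontext=system_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
node=mydesktop type=SYSCALL msg=audit(1287723675.87:24955): arch=40000003 syscall=11 success=yes exit=0 a0=a769720 a1=9be5e58 a2=9be5e70 a3=0 items=0 ppid=13473 pid=13639 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tzdata-update" exe="/usr/sbin/tzdata-update" subj=system_u:system_r:tzdata_t:s0-s0:c0.c1023 key=(null)
node=example type=AVC msg=audit(1300000000.000:77): avc:  denied  { write } for  pid=2222 comm="ntpd" name="ntp.drift" dev=dm-0 ino=4242 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=example type=SYSCALL msg=audit(1300000000.000:77): arch=c000003e syscall=2 success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=2222 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key=(null)
"""


def parse_record(line):
    """Split one audit line into its event id, key=value fields and the {...} permission set."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    perms = PERMS_RE.search(line)
    return {"event": (m.group(1), m.group(2)), "fields": fields,
            "perms": set(perms.group(1).split()) if perms else set()}


def domain_type(ctx):
    """The type component of an SELinux context, e.g. ntpd_t from system_u:system_r:ntpd_t:s0."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def is_successful_execve(fields):
    """True when a SYSCALL record describes an execve that succeeded on its architecture."""
    try:
        nr = int(fields.get("syscall", "-1"))
    except ValueError:
        return False
    return fields.get("success") == "yes" and EXECVE_BY_ARCH.get(fields.get("arch", "")) == nr


def classify_events(log_text):
    """Group AVC and SYSCALL records by event id and flag AVCs that are inherited-descriptor leaks."""
    events = defaultdict(lambda: {"avc": [], "syscall": []})
    seen = set()
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line in seen:          # setroubleshoot sometimes prints an AVC twice
            continue
        seen.add(line)
        rec = parse_record(line)
        if rec is None:
            continue
        kind = rec["fields"].get("type")
        if kind in ("AVC", "SYSCALL"):
            events[rec["event"]][kind.lower()].append(rec)

    findings = []
    for (ts, serial), recs in sorted(events.items(), key=lambda kv: float(kv[0][0])):
        at_exec = any(is_successful_execve(s["fields"]) for s in recs["syscall"])
        for avc in recs["avc"]:
            f = avc["fields"]
            tclass = f.get("tclass", "?")
            fd_backed = tclass == "file" or tclass.endswith("socket")
            # Leak signature: denial raised during a successful execve, on a descriptor-backed
            # object, and only for permissions one exercises on an already-open descriptor.
            leaked = at_exec and fd_backed and bool(avc["perms"]) and avc["perms"] <= FD_PERMS
            findings.append({
                "serial": int(serial),
                "comm": f.get("comm", "?"),
                "source_type": domain_type(f.get("scontext", "")),
                "target_type": domain_type(f.get("tcontext", "")),
                "tclass": tclass,
                "object": f.get("path") or f.get("name") or "?",
                "perms": sorted(avc["perms"]),
                "leaked_fd": leaked,
            })
    return findings


if __name__ == "__main__":
    for x in classify_events(SAMPLE_AUDIT_LOG):
        verdict = "inherited descriptor at execve (fix the parent)" if x["leaked_fd"] else "genuine denial"
        print(f"{x['serial']:>6} {x['comm']:<14} {x['source_type']:<10} -> {x['target_type']:<14} "
              f"{x['tclass']:<22} {x['object']:<18} {' '.join(x['perms']):<12} {verdict}")
```

Run against a real `/var/log/audit/audit.log`, the same grouping tells you which AVCs belong in a bug against the parent program (here the firstboot path that exec'd ntpd) and which are real policy gaps worth an `audit2allow` module.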

Comment 1 David Timms 2010-08-15 05:50:22 UTC
This may only occur if during firstboot, the user chooses time setting to be 'get from network'.

Comment 2 Sandro Mathys 2010-10-14 21:51:35 UTC
No update on this bug so far, but I wasn't able to reproduce this while I did several installations of F14 Final TC1.1 today that should trigger this.

Can anyone still reproduce this in TC1.x?

Comment 3 Sandro Mathys 2010-10-21 18:23:43 UTC
Reproduced today with a fresh install from the F14 Final TC6 Gnome LiveCD.

Comment 4 Jaroslav Reznik 2010-10-22 12:11:11 UTC
I can reproduce it in F14 RC1.

NTP server set up in Firstboot, but I think this bug should be reassigned to ntpd, shouldn't it?

Comment 5 Daniel Walsh 2010-10-22 14:31:07 UTC
Well ntpd is not leaking, something that firstboot executes before executing ntpd restart is causing the problem.  system-config-network?

Comment 6 Michael 2010-10-23 07:43:04 UTC
hello all,

I have this error message on every update. (German-language SELinux version below; it is the same as Rodd Clarkson 2010-08-10 08:50:50 EDT)

ahoi
majestyx

--------------------------------------------------


Summary:

SELinux is preventing /usr/sbin/tzdata-update access to a leaked /tmp/tmp9wX9eF
file descriptor.

Detailed Description:

[tzdata-update has a permissive type (tzdata_t). This access was not denied.]

SELinux denied access requested by the tzdata-update command. It looks like this
is either a leaked descriptor or tzdata-update output was redirected to a file
it is not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in /tmp/tmp9wX9eF. You should file a bug report on selinux-policy, and it
will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:tzdata_t:s0-s0:c0.c1023
Target Context                system_u:object_r:initrc_tmp_t:s0
Target Objects                /tmp/tmp9wX9eF [ file ]
Source                        tzdata-update
Source Path                   /usr/sbin/tzdata-update
Port                          <Unknown>
Host                          mydesktop
Source RPM Packages           glibc-common-2.12.1-2
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-65.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     mydesktop
Platform                      Linux desktop.cacn 2.6.34.7-56.fc13.i686.PAE #1
                              SMP Wed Sep 15 03:27:15 UTC 2010 i686 i686
Alert Count                   8
First Seen                    Wed 15 Sep 2010 22:03:49 CEST
Last Seen                     Fri 22 Oct 2010 07:01:15 CEST
Local ID                      5a61c6f3-7b05-42b5-a47b-7010b1758270
Line Numbers                  

Raw Audit Messages            

node=mydesktop type=AVC msg=audit(1287723675.87:24955): avc:  denied  { read append } for  pid=13639 comm="tzdata-update" path="/tmp/tmp9wX9eF" dev=dm-0 ino=395514 scontext=system_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

node=mydesktop type=AVC msg=audit(1287723675.87:24955): avc:  denied  { read append } for  pid=13639 comm="tzdata-update" path="/tmp/tmp9wX9eF" dev=dm-0 ino=395514 scontext=system_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

node=mydesktop type=SYSCALL msg=audit(1287723675.87:24955): arch=40000003 syscall=11 success=yes exit=0 a0=a769720 a1=9be5e58 a2=9be5e70 a3=0 items=0 ppid=13473 pid=13639 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tzdata-update" exe="/usr/sbin/tzdata-update" subj=system_u:system_r:tzdata_t:s0-s0:c0.c1023 key=(null)

Comment 7 Miroslav Grepl 2010-10-25 10:50:13 UTC
Michael,
your issue is different. Please execute

# restorecon -R -v /usr/libexec/packagekitd 

Should fix.

Comment 8 Michael 2010-10-25 14:23:38 UTC
Hello Miroslav,

done, output is:

#restorecon reset /usr/libexec/packagekitd context #system_u:object_r:bin_t:s0->system_u:object_r:rpm_exec_t:s0

thx for Help.

Comment 9 Flóki Pálsson 2010-10-25 18:18:54 UTC
I just installed F14 RC1 live X_86.

Comment 10 Daniel Walsh 2010-10-25 19:32:07 UTC
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.9.7-6.fc14

Comment 11 Michael 2010-10-25 20:23:20 UTC
hello daniel

Thanks, I have done it, and it looks like it works....

Comment 12 Christopher Swift 2010-11-03 20:35:20 UTC
I have just installed the final release of Fedora 14 today from the 64bit Live CD.  I got the same error on my first boot after choosing to synchronise my time using ntp in the firstboot configuration screen.  This bug still exists in the final disc.

Comment 13 James Laska 2010-11-03 20:52:23 UTC
(In reply to comment #12)
> I have just installed the final release of Fedora 14 today from the 64bit Live
> CD.  I got the same error on my first boot after choosing to synchronise my
> time using ntp in the firstboot configuration screen.  This bug still exists in
> the final disc.

Note, this bug is still in MODIFIED which means a fix has been included in the selinux-policy source.  However, an update that includes this fix has not yet been created and provided through bodhi (https://admin.fedoraproject.org/updates/search/selinux-policy).  The current selinux-policy in Fedora 14 is selinux-policy-3.9.7-7.fc14.

Once an update that fixes this issue is available, and this bug is linked in the bodhi update, the bug will move to ON_QA.  At that point a new selinux-policy package will be available for testing.

Comment 14 satellitgo 2010-11-11 20:26:48 UTC
f14-i686-live-desktop  installed to Virtualbox with liveinst
(MacBook Air  Oracle Virtualbox for OSX)
used network server for time setting in firstboot. Same error

Comment 15 halb_b 2010-12-17 07:37:15 UTC
Anyone else have the 32bit version? This, followed by a few other issues. Just started testing Unix/Linux about 4 months ago, so I take notes each time I test a new distro. I did the partitioning, but had to skip the initial network configuration. 1st, I was getting an error about the wlan0 being undetected. I tried again with the wireless on & got the same error message, but it said eth0 instead of wlan0. The third time, I turned them both on, but picked the alternative do it later button. I used the NTP option too. I wasn't sure about the update error, so I killed the GUI process all together. I lost patience, opened the terminal. I assumed it would be similar to the other 4 distributions I've been testing, same shells, w/either GNOME or KDE. Not nearly as easy. On a positive note, it's probably more secure than others.  I ruled out integrity as an issue. I just purchased a six disk 64bit & the same set 32bit, from a vendor. Amen for Linux/Unix massive community forums. I have not cleared my cache or history yet. I still have a lot of learning to do. I wouldn't know what to look for. So, if anyone would like to see them...     

Summary: 
SELinux is preventing /usr/sbin/ntpd access to a leaked netlink_route_socket 
file descriptor. 

Detailed Description: 

[ntpd has a permissive type (ntpd_t). This access was not denied.] 

SELinux denied access requested by the ntpd command. It looks like this is 
either a leaked descriptor or ntpd output was redirected to a file it is not 
allowed to access. Leaks usually can be ignored since SELinux is just closing 
the leak and reporting the error. The application does not use the descriptor, 
so it will run properly. If this is a redirection, you will not get output in 
the netlink_route_socket. You should generate a bugzilla on selinux-policy, and 
it will get routed to the appropriate package. You can safely ignore this avc. 

Allowing Access: 

You can generate a local policy module to allow this access - see FAQ 
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) 

Additional Information: 

Source Context                system_u:system_r:ntpd_t:s0 
Target Context                system_u:system_r:firstboot_t:s0 
Target Objects                netlink_route_socket [ netlink_route_socket ] 
Source                        ntpd 
Source Path                   /usr/sbin/ntpd 
Port                          <Unknown> 
Host                          (removed) 
Source RPM Packages           ntp-4.2.6p2-7.fc14 
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-3.fc14 
Selinux Enabled               True 
Policy Type                   targeted 
Enforcing Mode                Enforcing 
Plugin Name                   leaks 
Host Name                     (removed) 
Platform                      Linux (removed) 2.6.35.6-45.fc14.i686 #1 
                              SMP Mon Oct 18 23:56:17 UTC 2010 i686 i686 
Alert Count                   1 
First Seen                    Thu 16 Dec 2010 06:34:44 PM CST 
Last Seen                     Thu 16 Dec 2010 06:34:44 PM CST 
Local ID                      43c48f70-2eb7-4d0c-90ab-e7a78212a534 
Line Numbers                  

Raw Audit Messages            
 
node=(removed) type=AVC msg=audit(1292546084.890:32392): avc:  denied  { read write } for  pid=1695 comm="ntpd" path="socket:[13991]" dev=sockfs ino=13991 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:firstboot_t:s0 tclass=netlink_route_socket 

node=(removed) type=SYSCALL msg=audit(1292546084.890:32392): arch=40000003 syscall=11 success=yes exit=0 a0=85d7d18 a1=85d7ff8 a2=85d8280 a3=85d7ff8 items=0 ppid=1694 pid=1695 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key=(null)

Comment 16 Daniel Walsh 2010-12-17 14:21:11 UTC
Please update to the latest selinux policy and this avc will be dontaudited.
selinux-policy-3.9.7-17.fc14

Comment 17 Martin Gracik 2010-12-20 11:46:33 UTC
Shouldn't the component be changed to selinux-policy?

Comment 18 Daniel Walsh 2010-12-20 14:07:36 UTC
If an application is leaking a file descriptor, how is this an SELinux problem?  We are just covering it up by dontauditing the bug.
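The point in comment 18 is the application-side one: the parent that ran `ntpd` left an open descriptor without the close-on-exec flag, so execve carried it into the new domain and SELinux had to revalidate it. The Python below is an added example, not firstboot's or system-config-date's code: it opens a socket of the same kind (assumption: it falls back to an AF_UNIX socket where AF_NETLINK is unavailable), spawns a constructed child program the way a `service ntpd restart` would be spawned, and reports whether the descriptor survived the exec under three settings. It shows the two places the leak is closed: `os.set_inheritable(fd, False)` (FD_CLOEXEC on the descriptor itself) or `close_fds=True` at spawn time.

```python
import os
import socket
import subprocess
import sys

# Constructed child program: exit 0 only if the descriptor number it was handed is still an open
# socket with the inode the parent saw, otherwise 3. Comparing the inode guards against the number
# having been recycled for some other file the child opened while starting up.
PROBE = """
import os, stat, sys
fd, ino = int(sys.argv[1]), int(sys.argv[2])
try:
    st = os.fstat(fd)
except OSError:
    sys.exit(3)
sys.exit(0 if stat.S_ISSOCK(st.st_mode) and st.st_ino == ino else 3)
"""


def open_route_socket():
    """Open a netlink route socket like the one ntpd tripped over; assumption: fall back to
    AF_UNIX on systems (or sandboxes) where AF_NETLINK cannot be created."""
    try:
        return socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, 0)   # protocol 0 == NETLINK_ROUTE
    except (AttributeError, OSError):
        return socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)


def descriptor_survives_exec(inheritable, close_fds):
    """Spawn a new program and report whether our socket descriptor is still open inside it."""
    sock = open_route_socket()
    try:
        fd = sock.fileno()
        # The fix lives here: inheritable=False sets FD_CLOEXEC, so the kernel drops the descriptor
        # at execve. Python 3.4+ creates descriptors this way by default; firstboot-era Python 2 did not.
        os.set_inheritable(fd, inheritable)
        ino = os.fstat(fd).st_ino
        # close_fds=True is the other fix: close everything above stdio before exec regardless of flags.
        proc = subprocess.run([sys.executable, "-c", PROBE, str(fd), str(ino)], close_fds=close_fds)
        return proc.returncode == 0
    finally:
        sock.close()


def demonstrate():
    """The three configurations: the leak as in this bug, and the two ways of preventing it."""
    return {
        "inheritable, close_fds=False": descriptor_survives_exec(True, False),   # leaks into the child
        "cloexec, close_fds=False": descriptor_survives_exec(False, False),      # closed by FD_CLOEXEC
        "inheritable, close_fds=True": descriptor_survives_exec(True, True),     # closed at spawn
    }


if __name__ == "__main__":
    for name, survived in demonstrate().items():
        print(f"{name:<30} descriptor {'LEAKED into' if survived else 'closed before'} the new program")
```

Only the first configuration reproduces what the AVC in this bug recorded; in the other two the exec'd program never sees the socket, so there is nothing for the policy to deny or dontaudit.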

Comment 19 Martin Gracik 2010-12-20 15:44:39 UTC
I see. Firstboot uses a module from system-config-date, does this also happen if you try to setup ntpd in system-config-date ?

Comment 20 Daniel Walsh 2010-12-20 20:51:20 UTC
We have never seen it there.

Comment 21 Fedora Admin XMLRPC Client 2011-02-16 16:09:27 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 22 rickabillie 2011-02-22 05:31:30 UTC
got this on my first boot, let me know if it is not appropriate to post this as I am new to bug reporting...

Summary:

SELinux is preventing ntpd "read write" access on netlink_route_socket.

Detailed Description:

SELinux denied access requested by ntpd. It is not expected that this access is
required by ntpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:ntpd_t:s0
Target Context                system_u:system_r:firstboot_t:s0
Target Objects                netlink_route_socket [ netlink_route_socket ]
Source                        ntpd
Source Path                   ntpd
Port                          <Unknown>
Host                          sepioteuthis-lessoniana.industrialite
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-3.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     sepioteuthis-lessoniana.industrialite
Platform                      Linux sepioteuthis-lessoniana.industrialite
                              2.6.35.6-45.fc14.i686 #1 SMP Mon Oct 18 23:56:17
                              UTC 2010 i686 i686
Alert Count                   1
First Seen                    Sun 20 Feb 2011 03:04:01 PM CST
Last Seen                     Sun 20 Feb 2011 03:04:01 PM CST
Local ID                      00b6cb18-32e2-4279-9c35-66c8b87db3c4
Line Numbers                  

Raw Audit Messages            

node=sepioteuthis-lessoniana.industrialite type=AVC msg=audit(1298235841.476:9): avc:  denied  { read write } for  pid=1392 comm="ntpd" path="socket:[13421]" dev=sockfs ino=13421 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:firstboot_t:s0 tclass=netlink_route_socket

Comment 23 Daniel Walsh 2011-02-22 14:47:07 UTC
yum -y update

dontaudited in latest policy

Comment 24 Jon Bailey 2011-03-21 23:08:25 UTC
Just happened with VirtualBox (Host: Win7-64, Guest: just-installed from Fedora-14-x86_64-Live-Desktop.iso , set to dual-CPU with NX/VM enabled)

Comment 25 Daniel Walsh 2011-03-22 11:54:50 UTC
I would guess the livecd had an older version of SELinux policy.

Comment 26 Ian C 2011-04-05 12:02:43 UTC
(In reply to comment #25)
> I would guess the livecd had an older version of SELinux policy.

Apparently so, I get this with the LiveCD after install (x86-64)

Comment 27 Daniel Walsh 2011-04-05 15:28:45 UTC
Well you can ignore this bug, since it is fixed in the latest code.

Comment 28 Gina 2011-06-04 19:58:29 UTC
(In reply to comment #1)
> This may only occur if during firstboot, the user chooses time setting to be
> 'get from network'.

Yes.  I chose get from network as a trial. Generally I do not do this.  Also I reproduced this by reinstalling the same way.  Just to see if it didn't happen this time.  

So I presume that this will not happen when I upgrade to 15.  

I am brand new so can someone tell me, if I get the same error again should I report each incidence?  Your response is so right on.  You guys are on it.  That is great.  I can tell I'll be learning a lot.

Comment 29 Wade Mealing 2011-06-06 05:08:29 UTC
Gina, 

You probably shouldn't get this exact error message again.  If you do get it again from another release it is worthwhile reporting it, but I believe the abrt tool should report it under a different hash.

This should be fixed in the Fedora 15 release, I did the installation method the same way you did and didn't see the problem.  

I think this particular bug is fixed for all users after their first system update.

Comment 30 Gina 2011-06-13 13:51:30 UTC
(In reply to comment #29)
> Gina, 
> 
> You probably shouldn't get this exact error message again.  If you do get it
> again from another release it is worthwhile reporting it, but I believe the
> abrt tool should report it under a different hash.
> 
> This should be fixed in the Fedora 15 release, I did the installation method
> the same way you did and didn't see the problem.  
> 
> I think this particular bug is fixed for all users after their first system
> update.

Thank you Wade.

Comment 31 Gina 2011-06-13 13:54:41 UTC
My hp pavilion 520n works with Fedora 14.  It is an i686 processor.  It does not work with Fedora 15 I believe.  I tried Katya Lime and Ubuntu 11 and it won't work with those.  I think I found my Linux in Fedora 14 for this machine.  I don't think I'll be upgrading to 15 unless they make compatibility changes.  

Just fyi.  I haven't gone looking for where I should post this yet.  Thank you!