Bug 632812
| Summary: | SELinux is preventing /sbin/ifconfig access to a netlink_rout file descriptor | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | sx2010 <vadimamc> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 13 | CC: | atulmodi, dwalsh, mgrepl, renich, slavoon2, stephent98, vadimamc, willdeed |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:31ac60ce02ee57f630168fde79e8123681f15df9781c593548a982c6c612c496 | | |
| Fixed In Version: | selinux-policy-3.7.19-65.fc13 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2010-10-19 07:05:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Have to add

```
ifdef(`hide_broken_symptoms', `
dontaudit ifconfig_t $1:socket_class_set { read write };
')
```

to the domtrans.

Fixed in selinux-policy-3.7.19-64.fc13

This is with F14, but the report got hashed here. Maybe the release should be included in the hash. Anyway, this happened while using system-config-network to deactivate/activate networking in a configuration without NetworkManager.

Summary:

SELinux is preventing /sbin/ip access to a leaked netlink_route_socket file descriptor.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the ip command. It looks like this is either a leaked descriptor or ip output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the netlink_route_socket. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

```
Source Context                unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                netlink_route_socket [ netlink_route_socket ]
Source                        ip
Source Path                   /sbin/ip
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           iproute-2.6.35-3.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.5-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux cedar 2.6.35.4-28.fc14.x86_64 #1 SMP Wed Sep 15 01:56:54 UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Tue 05 Oct 2010 03:14:33 PM PDT
Last Seen                     Tue 05 Oct 2010 03:26:23 PM PDT
Local ID                      5926c7cc-8bf6-49a7-a372-c436ac5eddf8
Line Numbers

Raw Audit Messages

node=cedar type=AVC msg=audit(1286317583.754:27501): avc: denied { read write } for pid=7013 comm="ip" path="socket:[194112]" dev=sockfs ino=194112 scontext=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=netlink_route_socket

node=cedar type=SYSCALL msg=audit(1286317583.754:27501): arch=c000003e syscall=59 success=yes exit=0 a0=e3f9f0 a1=dbe800 a2=e6a300 a3=1 items=0 ppid=6996 pid=7013 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="ip" exe="/sbin/ip" subj=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 key=(null)
```

Well, we roll fixes forward. If you use the latest F14 policy it should be fixed there also.

selinux-policy-3.9.5-10.fc14

Bug 632812 isn't listed here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.5-10.fc14

Summary:

SELinux is preventing /sbin/ip access to a leaked netlink_route_socket file descriptor.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the ip command. It looks like this is either a leaked descriptor or ip output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the netlink_route_socket. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

```
Source Context                unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                netlink_route_socket [ netlink_route_socket ]
Source                        ip
Source Path                   /sbin/ip
Port                          <Unknown>
Host                          cedar
Source RPM Packages           iproute-2.6.35-3.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.5-10.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     cedar
Platform                      Linux cedar 2.6.35.4-28.fc14.x86_64 #1 SMP Wed Sep 15 01:56:54 UTC 2010 x86_64 x86_64
Alert Count                   5
First Seen                    Tue 05 Oct 2010 03:14:33 PM PDT
Last Seen                     Wed 06 Oct 2010 08:24:34 AM PDT
Local ID                      5926c7cc-8bf6-49a7-a372-c436ac5eddf8
Line Numbers

Raw Audit Messages

node=cedar type=AVC msg=audit(1286378674.435:27449): avc: denied { read write } for pid=2490 comm="ip" path="socket:[22895]" dev=sockfs ino=22895 scontext=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=netlink_route_socket

node=cedar type=SYSCALL msg=audit(1286378674.435:27449): arch=c000003e syscall=59 success=yes exit=0 a0=1a4de60 a1=19cc800 a2=1a78300 a3=8 items=0 ppid=2472 pid=2490 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/sbin/ip" subj=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 key=(null)
```

What tool were you running when this happened?

system-config-network?

If you are running system-config-network I think you are seeing the same problem as https://bugzilla.redhat.com/show_bug.cgi?id=640475

(In reply to comment #6)
> What tool were you running when this happened?
>
> system-config-network?

Yes, the denials in comment 3 and comment 5 occurred while running system-config-network.

The latter was with:

initscripts-9.20.1-1.fc14.x86_64
selinux-policy-3.9.5-10.fc14.noarch
selinux-policy-targeted-3.9.5-10.fc14.noarch
system-config-network-1.6.1-1.fc14.noarch

selinux-policy-3.7.19-65.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-65.fc13

selinux-policy-3.7.19-65.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-65.fc13

selinux-policy-3.7.19-65.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
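As an added example (not code from this bug report, from setroubleshoot, or from the selinux-policy package), the script below applies the heuristic that setroubleshoot's "leaks" plugin is reporting in the F14 records above: an AVC denial raised by execve (syscall 59 on arch c000003e) against a socket the process inherited, where the source and target domains differ, is a descriptor leaked across the domain transition rather than something the program actually used, and the matching policy response is the dontaudit rule the maintainers added. The pairing of records by audit id, the function names and the classification rule are my own assumptions; the sample records are the two lines from the first F14 report.

```python
import re

# Constructed sample: the AVC and SYSCALL records from the first F14 report in this bug.
SAMPLE_AUDIT = """\
node=cedar type=AVC msg=audit(1286317583.754:27501): avc: denied { read write } for pid=7013 comm="ip" path="socket:[194112]" dev=sockfs ino=194112 scontext=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=netlink_route_socket
node=cedar type=SYSCALL msg=audit(1286317583.754:27501): arch=c000003e syscall=59 success=yes exit=0 a0=e3f9f0 a1=dbe800 a2=e6a300 a3=1 items=0 ppid=6996 pid=7013 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="ip" exe="/sbin/ip" subj=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXECVE_X86_64 = "59"  # execve syscall number when arch=c000003e (x86_64)

def parse_record(line):
    """Split one audit line into key=value fields, the audit event id and the denied permissions."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = re.search(r"msg=audit\(([\d.]+:\d+)\)", line)
    fields["event_id"] = m.group(1) if m else None
    perms = re.search(r"denied\s+\{([^}]*)\}", line)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields

def group_events(text):
    """Group AVC and SYSCALL records that share one audit(timestamp:serial) id."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["event_id"], {})[rec["type"]] = rec
    return events

def domain(context):
    """Type field of a user:role:type:range security context."""
    return context.split(":")[2]

def classify_leak(event):
    """Return a dontaudit rule if the denial is a descriptor leaked across a domain transition, else None.

    Assumed rule (mirrors what the leaks plugin reports): the denial happened inside execve,
    the object is an inherited socket or pipe, and the new domain differs from the object's domain.
    """
    avc, sc = event.get("AVC"), event.get("SYSCALL")
    if not avc or not sc:
        return None
    in_execve = sc.get("arch") == "c000003e" and sc.get("syscall") == EXECVE_X86_64
    path = avc.get("path", "")
    inherited = path.startswith("socket:[") or path.startswith("pipe:[")
    src, tgt = domain(avc["scontext"]), domain(avc["tcontext"])
    if in_execve and inherited and src != tgt:
        return "dontaudit %s %s:%s { %s };" % (src, tgt, avc["tclass"], " ".join(avc["perms"]))
    return None

if __name__ == "__main__":
    for eid, ev in group_events(SAMPLE_AUDIT).items():
        print(eid, classify_leak(ev))
```

The emitted rule is the concrete instance of the `dontaudit ifconfig_t $1:socket_class_set { read write };` line added to the domtrans interface, with `$1` resolved to the caller's domain from the AVC's tcontext.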