Bug 677793

Summary:	SELinux is preventing /sbin/ip from read, write access on the netlink_route_socket netlink_route_socket.
Product:	[Fedora] Fedora	Reporter:	Alex <a.delachenal>
Component:	system-config-network	Assignee:	Harald Hoyer <harald>
Status:	CLOSED DUPLICATE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	14	CC:	dwalsh, harald, jmoskovc, jpopelka, mgrepl
Target Milestone:	---	Keywords:	Reopened
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:	setroubleshoot_trace_hash:4baf5a55e561f64d6aa84d7d5466f30e76e0dfeb69a1f838db422e118eadcc77
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2011-02-17 14:51:30 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Alex 2011-02-15 21:02:44 UTC

SELinux is preventing /sbin/ip from read, write access on the netlink_route_socket netlink_route_socket.

*****  Plugin leaks (50.5 confidence) suggests  ******************************

If you want to ignore ip trying to read write access the netlink_route_socket netlink_route_socket, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /sbin/ip /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (50.5 confidence) suggests  ***************************

If you believe that ip should be allowed read write access on the netlink_route_socket netlink_route_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ip /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                netlink_route_socket [ netlink_route_socket ]
Source                        ip
Source Path                   /sbin/ip
Port                          <Sconosciuto>
Host                          (removed)
Source RPM Packages           iproute-2.6.35-6.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-29.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.11-83.fc14.x86_64 #1 SMP
                              Mon Feb 7 07:06:44 UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    mar 15 feb 2011 21:59:49 CET
Last Seen                     mar 15 feb 2011 21:59:51 CET
Local ID                      d65cbbde-5214-456c-ad46-75978b8ae710

Raw Audit Messages
type=AVC msg=audit(1297803591.599:28212): avc:  denied  { read write } for  pid=13416 comm="ip" path="socket:[215080]" dev=sockfs ino=215080 scontext=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=netlink_route_socket


type=SYSCALL msg=audit(1297803591.599:28212): arch=x86_64 syscall=execve success=yes exit=0 a0=127d4e0 a1=125fe70 a2=12667c0 a3=8 items=0 ppid=13397 pid=13416 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=ip exe=/sbin/ip subj=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 key=(null)

Hash: ip,ifconfig_t,unconfined_t,netlink_route_socket,read,write

audit2allow

#============= ifconfig_t ==============
#!!!! This avc is allowed in the current policy

allow ifconfig_t unconfined_t:netlink_route_socket { read write };

audit2allow -R

#============= ifconfig_t ==============
#!!!! This avc is allowed in the current policy

allow ifconfig_t unconfined_t:netlink_route_socket { read write };

Comment 1 Miroslav Grepl 2011-02-15 22:02:38 UTC

Do you know which tool you were using when this happened?

Comment 2 Alex 2011-02-16 02:09:02 UTC

yep
my son had unplugged my Linuxbox, so I had to reactivate the eth0 device via system-config-network

BTW, even if it worked ok, I have seen flashing the same SELinux warning (AVC refusal, or perhaps denial) at least 3 more times in the following hours -- and I have always eliminated it without bothering too much, but why?
I have run (as root, #) the suggestion to default it. Should I perhaps restart the machine before it applies?

Thanks for inquiring

Comment 3 Miroslav Grepl 2011-02-16 14:27:33 UTC

This is a leak. 

You don't need to restart your machine after

# grep /sbin/ip /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

which will dontaudit it for you.

Comment 4 Daniel Walsh 2011-02-16 20:09:11 UTC

system-config-network should not be leaking file descriptors.

Comment 5 Jiri Popelka 2011-02-17 08:16:09 UTC

Probably duplicate of bug #640475.

Comment 6 Daniel Walsh 2011-02-17 14:51:30 UTC


*** This bug has been marked as a duplicate of bug 640475 ***