Bug 678845

Summary: SELinux is preventing /sbin/ifconfig from read, write access on the netlink_route_socket netlink_route_socket.
Product: Fedora
Reporter: Richard Haakma <richard>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 14
CC: dwalsh, mgrepl
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:ffeb9ce4a18c9d14e9b71f3996b6217766eedf4f09a437a3901f812f1c1687f8
Last Closed: 2011-03-11 15:28:47 UTC

Description Richard Haakma 2011-02-20 10:21:06 UTC
SELinux is preventing /sbin/ifconfig from read, write access on the netlink_route_socket netlink_route_socket.

*****  Plugin catchall (50.5 confidence) suggests  ***************************

If you believe that ifconfig should be allowed read write access on the netlink_route_socket netlink_route_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep ifconfig /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

*****  Plugin leaks (50.5 confidence) suggests  ******************************

If you want to ignore ifconfig trying to read write access the netlink_route_socket netlink_route_socket, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /sbin/ifconfig /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:ifconfig_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                netlink_route_socket [ netlink_route_socket ]
Source                        ifconfig
Source Path                   /sbin/ifconfig
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           net-tools-1.60-105.fc14.1
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-29.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.11-83.fc14.i686.PAE #1 SMP Mon Feb 7 06:57:55 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Sun 20 Feb 2011 11:16:14 PM NZDT
Last Seen                     Sun 20 Feb 2011 11:16:14 PM NZDT
Local ID                      7734ce9d-09b8-478d-a448-a56318a35d80

Raw Audit Messages
type=AVC msg=audit(1298196974.740:28517): avc:  denied  { read write } for  pid=2594 comm="ifconfig" path="socket:[32447]" dev=sockfs ino=32447 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=netlink_route_socket
type=SYSCALL msg=audit(1298196974.740:28517): arch=i386 syscall=execve success=yes exit=0 a0=9ae84a0 a1=9ae7560 a2=9ae53b8 a3=9ae7560 items=0 ppid=2593 pid=2594 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=ifconfig exe=/sbin/ifconfig subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)

Hash: ifconfig,ifconfig_t,unconfined_t,netlink_route_socket,read,write

audit2allow

#============= ifconfig_t ==============
allow ifconfig_t unconfined_t:netlink_route_socket { read write };

audit2allow -R

#============= ifconfig_t ==============
allow ifconfig_t unconfined_t:netlink_route_socket { read write };

Comment 1 Richard Haakma 2011-02-20 10:27:53 UTC
I should add to the report above that it occurred when activating a ppp connection over my modem, as I was testing that dialup still works.  The ppp connection is up and working despite selinux denying ifconfig.

Comment 2 Miroslav Grepl 2011-02-21 08:40:10 UTC
This is a leak. 

Which tool were you using?
Also you can dontaudit it using 

# grep /sbin/ifconfig /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp
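
The "leak" diagnosis above (a descriptor ifconfig inherited from the unconfined shell rather than a socket it opened itself) can be checked mechanically from the raw audit records. The following Python triage is an added example, not part of this bug, of setroubleshoot or of audit2allow: it parses type=AVC lines, applies an assumed leak heuristic (anonymous socket/pipe inode labelled with a process context), and emits the rule audit2allow or audit2allow -D would print. The sample log, including the second, invented denial, is constructed for the example.

```python
import re
from typing import Optional

# Constructed sample: the AVC record from this report, plus an invented
# non-leak denial on a real file so the classifier has both cases to separate.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1298196974.740:28517): avc:  denied  { read write } for  pid=2594 comm="ifconfig" path="socket:[32447]" dev=sockfs ino=32447 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=netlink_route_socket
type=SYSCALL msg=audit(1298196974.740:28517): arch=i386 syscall=execve success=yes exit=0 comm=ifconfig exe=/sbin/ifconfig
type=AVC msg=audit(1298196975.100:28519): avc:  denied  { write } for  pid=2601 comm="ifconfig" path="/etc/resolv.conf" dev=dm-0 ino=4242 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]+) \} for ")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_avc(line: str) -> Optional[dict]:
    """Turn one type=AVC record into a dict; any other record type yields None."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or not m:
        return None
    rec = {"verdict": m.group(1), "perms": m.group(2).split()}
    for key, val in FIELD_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    return rec

def is_leaked_fd(rec: dict) -> bool:
    """Heuristic (an assumption, not setroubleshoot's own code): an anonymous
    socket/pipe inode whose label is a process context (role is not object_r)
    was inherited across the domain transition, not opened by the program."""
    anonymous = rec.get("path", "").startswith(("socket:[", "pipe:["))
    return anonymous and rec["tcontext"].split(":")[1] != "object_r"

def policy_rule(rec: dict, dontaudit: bool) -> str:
    """The rule audit2allow (or audit2allow -D) would generate for this AVC."""
    src, tgt = (c.split(":")[2] for c in (rec["scontext"], rec["tcontext"]))
    return "%s %s %s:%s { %s };" % ("dontaudit" if dontaudit else "allow",
                                     src, tgt, rec["tclass"], " ".join(rec["perms"]))

def triage(audit_log: str) -> list:
    """Leaks get a dontaudit rule (silence the noise); every other denial is
    returned for review rather than turned into an allow rule blindly."""
    out = []
    for line in audit_log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        leak = is_leaked_fd(rec)
        out.append(("leak" if leak else "review", policy_rule(rec, dontaudit=leak)))
    return out
```

Run against the report's own AVC line, the first entry comes out as the same dontaudit rule the -D command in this comment would build.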

Comment 3 Richard Haakma 2011-02-21 21:34:32 UTC
My desktop is probably a little unusual; it's been upgraded through most versions between Core 10 or so and 14, so it has some setup which isn't properly integrated with NetworkManager.  The ppp dialup was not available in the NetworkManager applet, so I had to uncheck "Controlled by NetworkManager" in system-config-network 1.6.2 and start it from there.

Contents of /etc/sysconfig/network-scripts/ifcfg-planet:

DEVICE=ppp0
BOOTPROTO=dialup
TYPE=Modem
NM_CONTROLLED=no
ONBOOT=no
USERCTL=yes
PEERDNS=yes
IPV6INIT=no
AC=off
BSDCOMP=off
VJCCOMP=off
CCP=off
PC=off
VJ=off
LINESPEED=115200
MODEMPORT=/dev/ttyS0
IDLETIMEOUT=600
PROVIDER=planet
DEFROUTE=yes
PERSIST=no
PAPNAME=richard
WVDIALSECT=planet
MODEMNAME=Modem0
DEMAND=no
PPPOPTIONS=

Comment 4 Daniel Walsh 2011-02-21 23:19:21 UTC
I would bet system-config-network.

Comment 5 Daniel Walsh 2011-03-11 15:28:47 UTC
If it happens again please reopen.