Bug 712695

Summary: SELinux is preventing /sbin/iptables-multi from read, write access on the file /tmp/ffiTNNqUA (deleted).
Product: Fedora
Reporter: Erik Squires <erik_squires>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 15
CC: dominick.grift, dwalsh, mgrepl
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:9b0e57debf1d2c0f960dc65e8ed99f385cd75cdfd56cfd1c26df34ef97b6c4d9
Fixed In Version: selinux-policy-3.9.16-30.fc15
Doc Type: Bug Fix
Last Closed: 2011-06-24 03:53:42 UTC

Description Erik Squires 2011-06-12 14:43:59 UTC
This appears related to my continuing problems to get Fail2Ban to work reliably under Fedora 15.  

For more information, e-mail erik UNDERSCORE squires@hotmail    YOU KNOW THE REST

SELinux is preventing /sbin/iptables-multi from read, write access on the file /tmp/ffiTNNqUA (deleted).

*****  Plugin catchall (50.5 confidence) suggests  ***************************

If you believe that iptables-multi should be allowed read write access on the ffiTNNqUA (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep iptables /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

*****  Plugin leaks (50.5 confidence) suggests  ******************************

If you want to ignore iptables-multi trying to read write access the ffiTNNqUA (deleted) file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /sbin/iptables-multi /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:iptables_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                /tmp/ffiTNNqUA (deleted) [ file ]
Source                        iptables
Source Path                   /sbin/iptables-multi
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           iptables-1.4.10-2.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-26.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.38.7-30.fc15.x86_64 #1 SMP Fri May 27 05:15:53
                              UTC 2011 x86_64 x86_64
Alert Count                   23
First Seen                    Tue 07 Jun 2011 12:08:30 AM EDT
Last Seen                     Sat 11 Jun 2011 12:58:10 PM EDT
Local ID                      03922eb6-f6bf-4760-b257-953fd97c358f

Raw Audit Messages
type=AVC msg=audit(1307811490.788:293): avc:  denied  { read write } for  pid=3111 comm="iptables" path=2F746D702F666669544E4E715541202864656C6574656429 dev=dm-1 ino=8063 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file


type=SYSCALL msg=audit(1307811490.788:293): arch=x86_64 syscall=execve success=yes exit=0 a0=25b2b90 a1=25b3230 a2=25b1b30 a3=1 items=0 ppid=1499 pid=3111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=iptables exe=/sbin/iptables-multi subj=system_u:system_r:iptables_t:s0 key=(null)

Hash: iptables,iptables_t,tmp_t,file,read,write

audit2allow

#============= iptables_t ==============
allow iptables_t tmp_t:file { read write };

audit2allow -R

#============= iptables_t ==============
allow iptables_t tmp_t:file { read write };

Comment 1 Dominick Grift 2011-06-12 16:16:07 UTC
Some fixes were added to the latest selinux-policy for Fedora 15. Some known issues were not yet backported and are only in rawhide, and I also see an issue in your report that has not yet been reported.

You can help us by trying latest selinux-policy and selinux-policy-targeted which is available here:

http://koji.fedoraproject.org/koji/buildinfo?buildID=247153

Make sure that this file is gone when you test: /tmp/ffiTNNqUA

You will also hit an issue where fail2ban wants to run ldconfig. The fix for that issue is not in Fedora 15 but you could work around that by applying the following loadable module:

mkdir ~/myf2b; cd ~/myf2b; echo "policy_module(mf2b, 1.0.0) optional_policy(\` gen_require(\` type fail2ban_t; ') libs_exec_ldconfig(fail2ban_t) ')" > myf2b.te;

make -f /usr/share/selinux/devel/Makefile myf2b.pp
sudo semodule -i myf2b.pp

If you are able to, please test in permissive mode and enclose all the AVC denials that you are seeing so that we have a complete view of the current status.

Comment 2 Dominick Grift 2011-06-12 16:52:41 UTC
There was a typo in the above:

mkdir ~/myf2b; cd ~/myf2b; echo "policy_module(myf2b, 1.0.0) optional_policy(\`
gen_require(\` type fail2ban_t; ') libs_exec_ldconfig(fail2ban_t) ')" >
myf2b.te;

Comment 3 Erik Squires 2011-06-12 16:58:49 UTC
Hi Dominick,

Two questions:  

1.  I had already munged the SE policies by adding something to allow python to write to /tmp.  Do you want me to undo that before testing?  If so, how? Sorry, I just followed the directions given by the AVC alerts. 

Are you sure you want me to test in permissive mode?  setenforce 0? 

Thanks! 


Erik

Comment 4 Dominick Grift 2011-06-12 17:05:57 UTC
(In reply to comment #3)
> Hi Dominick,
> 
> Two questions:  
> 
> 1.  I had already munged the SE policies by adding something to allow python to
> write to /tmp.  Do you want me to undo that before testing?  If so, how? Sorry,
> I just followed the directions given by the AVC alerts. 

Yes please, the report suggested a solution that is not optimal. To undo:

sudo semodule -r mypol

> Are you sure you want me to test in permissive mode?  setenforce 0? 

Only if you are comfortable with that. It might save us some time if you do.

setenforce 0; do testing; setenforce 1

After testing do not forget to go back into enforcing mode.

> Thanks! 
> 
> 
> Erik

Comment 5 Erik Squires 2011-06-12 17:10:51 UTC
Can do.  This box is still in development stage, so nothing secret or critical here.  Will get back to you later today.

Comment 6 Erik Squires 2011-06-12 21:54:52 UTC
Well, it seems I have broken my entire installation.  I used yum to uninstall the previous selinux-policy.  Then installed the one just downloaded.  

On reboot I'd see this message:  Cannot find /etc/selinux/targeted/policy/policy.24 (number of the previous one). 

I then tried using default mode to use Yum to restore it, but I wasn't smart enough to get the networking fully operational, so after a few hours banging on this I'm restoring from CD.

Comment 7 Erik Squires 2011-06-13 02:12:08 UTC
I've tried this with the .29 build from development-test.  

Changing setenforce 0 or 1 makes no difference to the tmp file alerts. 

getenforce returns "Permissive"

Comment 8 Dominick Grift 2011-06-13 08:13:54 UTC
There may have been an old fail2ban tmp file still in /tmp? Did you restart the fail2ban service?

Comment 9 Erik Squires 2011-06-13 14:29:12 UTC
Dom:

I have checked this multiple times. 

/tmp is clean.  The error occurs 100% of the time when starting fail2ban, even in permissive mode. Sorry.

Comment 10 Erik Squires 2011-06-13 14:31:19 UTC
Thought you would also like to see this:

# rpm -qa | grep selinux
libselinux-2.0.99-4.fc15.x86_64
selinux-policy-targeted-3.9.16-29.fc15.noarch
libselinux-python-2.0.99-4.fc15.x86_64
selinux-policy-3.9.16-29.fc15.noarch
libselinux-utils-2.0.99-4.fc15.x86_64

Comment 11 Dominick Grift 2011-06-13 15:58:44 UTC
Ok, it's just that I seem to be having a rendezvous here:

https://bugzilla.redhat.com/show_bug.cgi?id=706577

Comment 12 Erik Squires 2011-06-13 16:08:26 UTC
Deja vu? :)  

Seems similar.  Two other things.  I seem to remember that this issue disappears if backend=gamin is set instead of auto.  I'll have to double check this when I get home.  The second issue is that I have another bug that fail2ban doesn't ban everyone.  It seems to sometimes skip users who should have been banned, even when fail2ban-regex will "see" those entries.

Comment 13 Dominick Grift 2011-06-13 16:41:34 UTC
Right, deja vu

Would it be possible for you to stop by #fedora-selinux on the irc.freenode.org IRC network some time so that we can go over this together once more? My nickname there is dgrift or domg472; you can ping me any time and if I am awake at all I will respond.

Comment 14 Dominick Grift 2011-06-13 21:06:11 UTC
I took a quick look and it's no longer tmp_t (now it's fail2ban_tmp_t as expected):

avc:  denied  { read write } for  pid=5926 comm="iptables" path=2F746D702F666669717A72633269202864656C6574656429 dev=dm-1 ino=8608 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:fail2ban_tmp_t:s0 tclass=file

The question would now be whether this is a fail2ban leak or whether we need to allow this.

We also need to put that libs_exec_ldconfig(fail2ban_t) into Fedora 15.

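Both AVC records in this bug (the one in the description and the one in comment 14) carry a hex-encoded path field, and the verdict in the next comment turns on what that path decodes to. The following is an added example, not code from the bug report, from setroubleshoot or from the selinux-policy package: it decodes the audit records quoted on this page, pairs the AVC with the SYSCALL record of the same event serial, flags a denial on a " (deleted)" path as a likely inherited-descriptor leak, and emits the corresponding dontaudit (for a leak) or allow (otherwise) line in the format audit2allow prints. The sample log is constructed from the records above; the field names in HEX_ENCODED_FIELDS and the verdict labels are this example's own choices.

```python
"""Decode SELinux AVC denials from an audit log and flag leaked descriptors.

Added example, not code from the bug report or the selinux-policy package.
auditd hex-encodes a path field that contains characters such as spaces,
which is why both AVC lines on this page show path=2F746D70...  This parser
undoes that encoding, pairs each AVC with the SYSCALL record of the same
event serial, and treats a denial on a " (deleted)" path as a likely
descriptor leak (the judgement made in comment 15), for which the matching
policy line is a dontaudit rather than an allow.
"""
import re

# Constructed sample: the AVC/SYSCALL records quoted in this bug, with the
# SYSCALL line trimmed to the fields used here. Field values are verbatim.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1307811490.788:293): avc:  denied  { read write } for  pid=3111 comm="iptables" path=2F746D702F666669544E4E715541202864656C6574656429 dev=dm-1 ino=8063 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1307811490.788:293): arch=x86_64 syscall=execve success=yes exit=0 ppid=1499 pid=3111 comm=iptables exe=/sbin/iptables-multi subj=system_u:system_r:iptables_t:s0
avc:  denied  { read write } for  pid=5926 comm="iptables" path=2F746D702F666669717A72633269202864656C6574656429 dev=dm-1 ino=8608 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:fail2ban_tmp_t:s0 tclass=file
"""

SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(?P<serial>\d+)\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Only these auditd fields are subject to hex encoding (assumed set for this
# example); decoding others would corrupt them, since pid=3111 is valid hex too.
HEX_ENCODED_FIELDS = {"path", "comm", "exe", "name", "cwd", "proctitle"}


def decode_audit_value(key, raw):
    """Strip quotes, or undo auditd's hex encoding for fields that use it."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_ENCODED_FIELDS and len(raw) % 2 == 0 and \
            all(c in "0123456789ABCDEF" for c in raw):
        try:
            return bytes.fromhex(raw).decode("utf-8")
        except UnicodeDecodeError:
            return raw
    return raw


def parse_fields(text):
    """Turn 'key=value key="value" ...' into a dict with decoded values."""
    return {k: decode_audit_value(k, v) for k, v in FIELD_RE.findall(text)}


def type_of(context):
    """system_u:object_r:fail2ban_tmp_t:s0 -> fail2ban_tmp_t"""
    return context.split(":")[2]


def analyze(log_text):
    """Return one dict per AVC denial, annotated with verdict and syscall."""
    syscalls = {}
    avcs = []
    for line in log_text.splitlines():
        serial_m = SERIAL_RE.search(line)
        serial = serial_m.group("serial") if serial_m else None
        if "type=SYSCALL" in line:
            syscalls[serial] = parse_fields(line)
            continue
        avc_m = AVC_RE.search(line)
        if not avc_m:
            continue
        rec = parse_fields(avc_m.group("fields"))
        rec["perms"] = avc_m.group("perms").split()
        rec["serial"] = serial
        avcs.append(rec)
    for rec in avcs:
        # Same serial = same audit event, so the SYSCALL tells us the denial
        # happened at execve, i.e. the descriptor was inherited from the parent.
        rec["syscall"] = syscalls.get(rec["serial"], {}).get("syscall")
        # " (deleted)" means an open descriptor to an already-unlinked file:
        # the denied program did not open it itself, so it is a leak.
        rec["verdict"] = ("leaked-fd" if rec.get("path", "").endswith(" (deleted)")
                          else "needs-policy-review")
    return avcs


def suggest_rule(rec):
    """Policy line in audit2allow's format: dontaudit for leaks, allow otherwise."""
    verb = "dontaudit" if rec["verdict"] == "leaked-fd" else "allow"
    return "%s %s %s:%s { %s };" % (verb, type_of(rec["scontext"]),
                                    type_of(rec["tcontext"]), rec["tclass"],
                                    " ".join(rec["perms"]))


if __name__ == "__main__":
    for rec in analyze(SAMPLE_AUDIT_LOG):
        print(rec["path"], rec["verdict"], rec["syscall"], "->", suggest_rule(rec))
```

Run against the records from this bug, the first AVC decodes to /tmp/ffiTNNqUA (deleted) at execve and the second to /tmp/ffiqzrc2i (deleted), so both are reported as leaks with a dontaudit line, which is the route the maintainer took in comment 15 rather than the allow rule that the catchall plugin's audit2allow -M output would have installed.
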
Comment 15 Miroslav Grepl 2011-06-14 05:34:15 UTC
I believe these are leaks which I will dontaudit.

Comment 16 Miroslav Grepl 2011-06-14 07:47:19 UTC
Fixed in selinux-policy-3.9.16-30.fc15

Comment 17 Fedora Update System 2011-06-14 10:17:46 UTC
selinux-policy-3.9.16-30.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-30.fc15

Comment 18 Fedora Update System 2011-06-21 17:30:09 UTC
Package selinux-policy-3.9.16-30.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-30.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-30.fc15
then log in and leave karma (feedback).

Comment 19 Fedora Update System 2011-06-24 03:52:02 UTC
selinux-policy-3.9.16-30.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.