Bug 727648
| Field | Value |
|---|---|
| Summary | shorewall denials |
| Product | Fedora |
| Component | shorewall |
| Version | 15 |
| Hardware | Unspecified |
| OS | Unspecified |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Orion Poplawski <orion> |
| Assignee | Jonathan Underwood <jonathan.underwood> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dominick.grift, dwalsh, jonathan.underwood, mgrepl |
| Fixed In Version | shorewall-4.4.22.3-2.fc15.1 |
| Doc Type | Bug Fix |
| Last Closed | 2011-09-07 00:23:02 UTC |
| Attachments | shorewall audit messages (attachment 516374) |
Created attachment 516374 [details]: shorewall audit messages

Description of problem:
I'm seeing lots of denials for shorewall in /var/log/audit/audit.log

Version-Release number of selected component (if applicable):
selinux-policy-3.9.16-35.fc15.noarch
shorewall-4.4.19.4-1.fc15.noarch

Looks to me like this is a leak. Shorewall should be calling fcntl(fd, F_SETFD, FD_CLOEXEC) before execing ip. Hmm, this could be interesting as it is written in perl. I also think that there are probably several issues here. But let's start with:

```
type=AVC msg=audit(1309215107.365:5504): avc: denied { read } for pid=18691 comm="ip" path="/var/lib/shorewall/proxyarp" dev=dm-1 ino=386 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:shorewall_var_lib_t:s0 tclass=file
```

This probably comes from the following shell code:

```sh
qt() {
    "$@" >/dev/null 2>&1
}

while read address interface external haveroute; do
    qt $IP -4 neigh del proxy $address dev $external
    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address/32 dev $interface
    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
    [ -f $f ] && echo 0 > $f
done < ${VARDIR}/proxyarp
```

I suppose there could be a qt() that closes stdin. Dan, has this come up before with shell scripts? Could this be an issue with bash? Arguably the commands in the loop shouldn't have access to what the while loop is reading.

```
# while read x
> do
> lsof > /tmp/lsof
> done < /var/lib/shorewall/proxyarp
# grep lsof /tmp/lsof
lsof 19042 root 0r REG 253,1 144 247 /var/lib/shorewall/proxyarp
```

So every command in the while loop inherits the stdin. I imagine that this is actually expected behavior, so I think we need to "< /dev/null" these commands.

Yes, it has come up before, and sadly we don't have a good fix... Not something we really can fix in bash.

```sh
qt() {
    "$@" >/dev/null 2>&1 < /dev/null
}
```

Would probably fix the problem.

shorewall-4.4.22-2.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/shorewall-4.4.22-2.fc15

Package shorewall-4.4.22-2.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing shorewall-4.4.22-2.fc15'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/shorewall-4.4.22-2.fc15
then log in and leave karma (feedback).

That actually appears to have taken care of most of the denials. Now all I get is:

```
type=AVC msg=audit(1313160354.091:15710): avc: denied { search } for pid=29551 comm="logger" name="sss" dev=dm-1 ino=574 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
```

shorewall calls logger to indicate start/stop events. Not sure what it is trying to do with /var/lib/sss though.

Probably calling getpw*. Miroslav, let's add auth_use_nsswitch(shorewall_t).

Fixed in selinux-policy-3.9.16-39.fc15

shorewall-4.4.22.3-2.fc15.1 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/shorewall-4.4.22.3-2.fc15.1

Package shorewall-4.4.22.3-2.fc15.1:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing shorewall-4.4.22.3-2.fc15.1'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/shorewall-4.4.22.3-2.fc15.1
then log in and leave karma (feedback).

shorewall-4.4.22.3-2.fc15.1 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
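The descriptor inheritance the thread demonstrates with lsof, with the shipped qt() beside the `< /dev/null` variant, as an added example that is not from the bug report or from shorewall. The proxyarp sample, the run_loop harness and the stdin-peeking child standing in for ip are constructed for this demo; the real ip never reads fd 0, it only holds it open, which is what the ifconfig_t AVC in the report shows.

```shell
#!/bin/sh
# Constructed sample standing in for /var/lib/shorewall/proxyarp
# (fields: address interface external haveroute), one entry per line.
PROXYARP_SAMPLE='10.0.0.10 eth1 eth0 yes
10.0.0.11 eth1 eth0 yes
10.0.0.12 eth1 eth0 no'

# qt() as shipped: nothing redirects fd 0, so every child inherits the
# file that the surrounding "while read ... done < file" loop is reading.
qt_leaky() { "$@" >/dev/null 2>&1; }

# qt() with the fix proposed in the thread: children get /dev/null on fd 0,
# so the loop's file descriptor never crosses into another process.
qt_fixed() { "$@" >/dev/null 2>&1 </dev/null; }

# run_loop QT_VARIANT: replay the proxyarp loop over the sample with the given
# qt variant. The ip command is replaced by a hypothetical child process that
# records the first line it can read from its own stdin into a scratch file.
# Prints "<entries the loop processed>|<what each child saw on its stdin>".
run_loop() {
    qt=$1
    data=$(mktemp)
    seen=$(mktemp)
    printf '%s\n' "$PROXYARP_SAMPLE" > "$data"
    count=0
    while read -r address interface external haveroute; do
        count=$((count + 1))
        # stands in for: qt $IP -4 neigh del proxy $address dev $external
        "$qt" sh -c 'read -r l; printf "%s\n" "${l:-EOF}" >> "$1"' peek "$seen"
    done < "$data"
    printf '%s|%s' "$count" "$(paste -sd, "$seen")"
    rm -f "$data" "$seen"
}

# Leaky variant: the child reads from the loop's own input (the file offset is
# shared through the inherited descriptor), so it swallows the second entry and
# the loop only handles 2 of 3 entries. A child that never reads, like ip, still
# holds the descriptor open, which is enough to trigger the SELinux denial.
# Fixed variant: every child sees EOF and all 3 entries are processed.
printf 'leaky: %s\nfixed: %s\n' "$(run_loop qt_leaky)" "$(run_loop qt_fixed)"
```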