Bug 727648

Summary: shorewall denials
Product: Fedora
Component: shorewall
Version: 15
Status: CLOSED ERRATA
Fixed In Version: shorewall-4.4.22.3-2.fc15.1
Reporter: Orion Poplawski <orion>
Assignee: Jonathan Underwood <jonathan.underwood>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, jonathan.underwood, mgrepl
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-09-07 00:23:02 UTC

Attachments:
shorewall audit messages (flags: none)

Description Orion Poplawski 2011-08-02 18:06:55 UTC
Created attachment 516374 [details]
shorewall audit messages

Description of problem:

I'm seeing lots of denials for shorewall in /var/log/audit/audit.log


Version-Release number of selected component (if applicable):
selinux-policy-3.9.16-35.fc15.noarch
shorewall-4.4.19.4-1.fc15.noarch

Comment 1 Daniel Walsh 2011-08-02 20:24:39 UTC
Looks to me like this is a leak.

Shorewall should be fcntl(fd, F_SETFD, FD_CLOEXEC) before execing ip.

Comment 2 Orion Poplawski 2011-08-02 20:57:41 UTC
Hmm, this could be interesting as it is written in perl.

Comment 3 Orion Poplawski 2011-08-02 21:11:12 UTC
I also think that there are probably several issues here.  But let's start with:

type=AVC msg=audit(1309215107.365:5504): avc:  denied  { read } for pid=18691 comm="ip" path="/var/lib/shorewall/proxyarp" dev=dm-1 ino=386 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:shorewall_var_lib_t:s0 tclass=file

This probably comes from the following shell code:

qt()
{
    "$@" >/dev/null 2>&1
}

while read address interface external haveroute; do
    qt $IP -4 neigh del proxy $address dev $external
    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address/32 dev $interface
    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
    [ -f $f ] && echo 0 > $f
done < ${VARDIR}/proxyarp

I suppose there could be a qt() that closes stdin.  Dan, has this come up before with shell scripts?  Could this be an issue with bash?  Arguably the commands in the loop shouldn't have access to what the while loop is reading.

Comment 4 Orion Poplawski 2011-08-02 22:03:09 UTC
# while read x
> do
> lsof > /tmp/lsof
> done < /var/lib/shorewall/proxyarp
# grep lsof /tmp/lsof
lsof      19042          root    0r      REG      253,1       144        247 /var/lib/shorewall/proxyarp

So every command in the while loop inherits the stdin.  I imagine that this is actually expected behavior, so I think we need to "< /dev/null" these commands.

Comment 5 Daniel Walsh 2011-08-03 15:28:56 UTC
Yes, it has come up before, and sadly we don't have a good fix...  Not something we really can fix in bash.

qt()
{
    "$@" >/dev/null 2>&1 < /dev/null
}

Would probably fix the problem.
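
The mechanism discussed in comments 3 to 5, as an added example that is not shorewall's own code: a POSIX shell script that runs a proxyarp-style `while read ... done < FILE` loop once with a wrapper that leaves stdin alone and once with the `</dev/null` fix, and reports what each child saw on fd 0. The sample proxyarp file, the `qt_leaky` name and the `count_*` helpers are constructed for this demonstration; it needs Linux for `/proc/self/fd`.

```shell
#!/bin/sh
# Added example, not shorewall's own code: demonstrate why every command run
# inside "while read ...; done < FILE" inherits FILE as stdin, and how a
# "</dev/null" in the qt() wrapper stops the leak.  Requires Linux (/proc).

# Wrapper as posted from shorewall's shell code: only stdout/stderr are
# redirected, so the child keeps the loop's input file on fd 0.
qt_leaky() {
    "$@" >/dev/null 2>&1
}

# Wrapper with the fix suggested in comment 5.  The child gets /dev/null on
# fd 0, the shell-level equivalent of marking the loop's file close-on-exec.
qt() {
    "$@" >/dev/null 2>&1 </dev/null
}

# Constructed stand-in for /var/lib/shorewall/proxyarp (fields: address
# interface external haveroute).  Prints the temp file's path.
make_proxyarp_sample() {
    f=$(mktemp) || return 1
    printf '%s\n' '192.0.2.10 eth1 eth0 yes' '192.0.2.11 eth1 eth0 yes' >"$f"
    echo "$f"
}

# Run the proxyarp loop with wrapper $1; each child records what its fd 0
# points at (the same fact lsof exposed in comment 4).  Prints how many
# children still held the loop's file instead of /dev/null.
count_leaked_children() {
    f=$(make_proxyarp_sample) || return 1
    out=$(mktemp) || return 1
    while read address interface external haveroute; do
        # stand-in for: qt $IP -4 neigh del proxy $address dev $external
        "$1" sh -c 'readlink /proc/self/fd/0 >>"$1"' sh "$out"
    done <"$f"
    n=$(grep -c -v '/dev/null' "$out" || true)
    rm -f "$f" "$out"
    echo "$n"
}

# Second failure mode of the same leak: a child that reads its stdin swallows
# the rest of the loop's input, so later lines are never processed.  Prints
# the number of iterations the loop actually ran (the sample has two lines).
count_loop_iterations() {
    f=$(make_proxyarp_sample) || return 1
    i=0
    while read address interface external haveroute; do
        i=$((i + 1))
        "$1" cat    # any helper that consumes its stdin
    done <"$f"
    rm -f "$f"
    echo "$i"
}

printf 'leaky qt(): %s child(ren) hold the loop file, %s loop iteration(s)\n' \
    "$(count_leaked_children qt_leaky)" "$(count_loop_iterations qt_leaky)"
printf 'fixed qt(): %s child(ren) hold the loop file, %s loop iteration(s)\n' \
    "$(count_leaked_children qt)" "$(count_loop_iterations qt)"
```

With the leaky wrapper both children hold the loop's file (which is what SELinux reports as ifconfig_t reading shorewall_var_lib_t), and a child that reads stdin truncates the loop to a single iteration; with the fixed wrapper no child holds the file and all lines are processed.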

Comment 6 Fedora Update System 2011-08-11 17:48:25 UTC
shorewall-4.4.22-2.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/shorewall-4.4.22-2.fc15

Comment 7 Fedora Update System 2011-08-12 10:58:35 UTC
Package shorewall-4.4.22-2.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing shorewall-4.4.22-2.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/shorewall-4.4.22-2.fc15
then log in and leave karma (feedback).

Comment 8 Orion Poplawski 2011-08-12 14:56:00 UTC
That actually appears to have taken care of most of the denials.  Now all I get is:

type=AVC msg=audit(1313160354.091:15710): avc:  denied  { search } for  pid=29551 comm="logger" name="sss" dev=dm-1 ino=574 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir

shorewall calls logger to indicate start/stop events.  Not sure what it is trying to do with /var/lib/sss though.
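
Triage of the two denials quoted in this bug, as an added example that is not part of the original report or of selinux-policy: a shell function that reduces raw AVC records to source type, target type, class and permission, and separates denials raised by a helper running in another domain against the service's own file type (the inherited-descriptor pattern from comment 3) from denials raised in the service's own domain, which point at the policy. The `suspect-fd-leak` / `missing-rule` labels are a heuristic introduced here, and `avc_report` and `demo_report` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not shorewall or selinux-policy code: reduce raw AVC records to
# "source-type target-type class permission" tuples and flag the ones whose
# source domain is not the service itself.  A denial raised by a helper domain
# (here ifconfig_t, i.e. ip(8)) against the service's own private type is the
# signature of an inherited descriptor, not of a missing policy rule; a denial
# in the service's own domain is a candidate for a policy change instead.

# The two denials quoted in this bug, used here as sample input.
SAMPLE_AVC='type=AVC msg=audit(1309215107.365:5504): avc:  denied  { read } for pid=18691 comm="ip" path="/var/lib/shorewall/proxyarp" dev=dm-1 ino=386 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:shorewall_var_lib_t:s0 tclass=file
type=AVC msg=audit(1313160354.091:15710): avc:  denied  { search } for  pid=29551 comm="logger" name="sss" dev=dm-1 ino=574 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir'

# avc_report SERVICE_DOMAIN < audit.log
# Prints one unique line per denial: src tgt class perm verdict, where verdict
# is "suspect-fd-leak" (heuristic: the source is another domain but the target
# type carries the service's prefix) or "missing-rule".
avc_report() {
    awk -v svc="$1" '
    BEGIN { pfx = svc; sub(/_t$/, "", pfx); pfx = pfx "_" }
    /avc: *denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        # permissions sit between braces: "{ read }" -> "read"
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        # the third colon-separated field of a context is its type
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            if (kv[1] == "tclass")   cls = kv[2]
        }
        if (src == "" || tgt == "" || cls == "") next
        verdict = (src != svc && index(tgt, pfx) == 1) ? "suspect-fd-leak" : "missing-rule"
        print src, tgt, cls, perm, verdict
    }' | sort -u
}

# Convenience entry point over the embedded sample.
demo_report() {
    printf '%s\n' "$SAMPLE_AVC" | avc_report shorewall_t
}

demo_report
```

On the sample the first record comes out as `ifconfig_t shorewall_var_lib_t file read suspect-fd-leak` (the ip(8) helper holding shorewall's proxyarp file) and the second as `shorewall_t sssd_var_lib_t dir search missing-rule` (shorewall's own domain, via logger, touching sssd's directory). Feed it a real `/var/log/audit/audit.log` to get the same split over every denial for a service.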

Comment 9 Daniel Walsh 2011-08-15 11:37:48 UTC
Probably calling getpw*.

Comment 10 Daniel Walsh 2011-08-15 11:39:13 UTC
Miroslav, let's add

auth_use_nsswitch(shorewall_t)

Comment 11 Miroslav Grepl 2011-08-22 07:14:33 UTC
Fixed in selinux-policy-3.9.16-39.fc15

Comment 12 Fedora Update System 2011-08-22 15:41:24 UTC
shorewall-4.4.22.3-2.fc15.1 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/shorewall-4.4.22.3-2.fc15.1

Comment 13 Fedora Update System 2011-08-23 04:30:21 UTC
Package shorewall-4.4.22.3-2.fc15.1:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing shorewall-4.4.22.3-2.fc15.1'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/shorewall-4.4.22.3-2.fc15.1
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2011-09-07 00:22:48 UTC
shorewall-4.4.22.3-2.fc15.1 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.