Bug 1026076 - SELinux prevents arpwatch from creating a netlink_socket
Summary: SELinux prevents arpwatch from creating a netlink_socket
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-11-03 12:46 UTC by Milos Malik
Modified: 2018-12-09 17:15 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.7.19-236.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-14 07:57:45 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1568 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2014-10-14 01:27:37 UTC

Description Milos Malik 2013-11-03 12:46:26 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
arpwatch-2.1a15-14.el6.x86_64
selinux-policy-3.7.19-231.el6.noarch
selinux-policy-doc-3.7.19-231.el6.noarch
selinux-policy-minimum-3.7.19-231.el6.noarch
selinux-policy-mls-3.7.19-231.el6.noarch
selinux-policy-targeted-3.7.19-231.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-6.5 machine where targeted policy is active
2. service arpwatch start
3. search for AVCs

Actual results (enforcing mode):
----
type=SYSCALL msg=audit(11/03/2013 13:39:32.264:577) : arch=x86_64 syscall=socket success=no exit=-13(Permission denied) a0=10 a1=3 a2=c a3=3f1b38fed0 items=0 ppid=7237 pid=7238 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=9 comm=arpwatch exe=/usr/sbin/arpwatch subj=unconfined_u:system_r:arpwatch_t:s0 key=(null) 
type=AVC msg=audit(11/03/2013 13:39:32.264:577) : avc:  denied  { create } for  pid=7238 comm=arpwatch scontext=unconfined_u:system_r:arpwatch_t:s0 tcontext=unconfined_u:system_r:arpwatch_t:s0 tclass=netlink_socket 
----

Expected results:
 * no AVCs
Comment 1 Milos Malik 2013-11-03 12:48:13 UTC 
Actual results (permissive mode);
----
type=SYSCALL msg=audit(11/03/2013 13:47:03.700:610) : arch=x86_64 syscall=socket success=yes exit=3 a0=10 a1=3 a2=c a3=3f1b38fed0 items=0 ppid=7384 pid=7385 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=9 comm=arpwatch exe=/usr/sbin/arpwatch subj=unconfined_u:system_r:arpwatch_t:s0 key=(null) 
type=AVC msg=audit(11/03/2013 13:47:03.700:610) : avc:  denied  { create } for  pid=7385 comm=arpwatch scontext=unconfined_u:system_r:arpwatch_t:s0 tcontext=unconfined_u:system_r:arpwatch_t:s0 tclass=netlink_socket 
----
Comment 2 Miroslav Grepl 2013-11-05 15:19:04 UTC 
We allow it in Fedora

#============= arpwatch_t ==============

#!!!! This avc is allowed in the current policy
allow arpwatch_t self:netlink_socket create;
Comment 5 errata-xmlrpc 2014-10-14 07:57:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html
Note You need to log in before you can comment on or make changes to this bug.