Description of problem:

Version-Release number of selected component (if applicable):
iputils-20121221-4.el7.x86_64
iputils-ninfod-20121221-4.el7.x86_64
selinux-policy-3.12.1-103.el7.noarch
selinux-policy-devel-3.12.1-103.el7.noarch
selinux-policy-doc-3.12.1-103.el7.noarch
selinux-policy-minimum-3.12.1-103.el7.noarch
selinux-policy-mls-3.12.1-103.el7.noarch
selinux-policy-targeted-3.12.1-103.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-7.0 machine with targeted policy
2. add the following line to the default /etc/watchdog.conf file
   ping = 127.0.0.1
3. restart the watchdog service
4. search for AVCs

Actual results (enforcing mode):
----
time->Thu Nov 21 14:44:44 2013
type=SYSCALL msg=audit(1385041484.560:777): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=1 a3=7fff5daff830 items=0 ppid=1 pid=29083 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="watchdog" exe="/usr/sbin/watchdog" subj=system_u:system_r:watchdog_t:s0 key=(null)
type=AVC msg=audit(1385041484.560:777): avc: denied { create } for pid=29083 comm="watchdog" scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:system_r:watchdog_t:s0 tclass=rawip_socket
----

Expected results:
* watchdog is able to ping other machines
* no AVCs
Milos, is there a helper script for this?
Maintainer for watchdog in RHEL 7 is now Ales Ledvinka (aledvink).
... but it's my understanding from a brief look at the source that the daemon itself is opening the raw socket.
Actual results (permissive mode):
----
time->Thu Nov 21 15:02:45 2013
type=SYSCALL msg=audit(1385042565.347:882): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=3 a2=1 a3=7fff34c38ab0 items=0 ppid=1 pid=3133 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="watchdog" exe="/usr/sbin/watchdog" subj=system_u:system_r:watchdog_t:s0 key=(null)
type=AVC msg=audit(1385042565.347:882): avc: denied { net_raw } for pid=3133 comm="watchdog" capability=13 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:system_r:watchdog_t:s0 tclass=capability
type=AVC msg=audit(1385042565.347:882): avc: denied { create } for pid=3133 comm="watchdog" scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:system_r:watchdog_t:s0 tclass=rawip_socket
----
time->Thu Nov 21 15:02:45 2013
type=SYSCALL msg=audit(1385042565.354:883): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=1 a2=6 a3=7fff34c38e58 items=0 ppid=1 pid=3133 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="watchdog" exe="/usr/sbin/watchdog" subj=system_u:system_r:watchdog_t:s0 key=(null)
type=AVC msg=audit(1385042565.354:883): avc: denied { setopt } for pid=3133 comm="watchdog" lport=1 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:system_r:watchdog_t:s0 tclass=rawip_socket
----
time->Thu Nov 21 15:02:54 2013
type=SYSCALL msg=audit(1385042574.413:886): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=3 a2=1 a3=7fff4f8c1f00 items=0 ppid=1 pid=3665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="watchdog" exe="/usr/sbin/watchdog" subj=system_u:system_r:watchdog_t:s0 key=(null)
type=AVC msg=audit(1385042574.413:886): avc: denied { create } for pid=3665 comm="watchdog" scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:system_r:watchdog_t:s0 tclass=rawip_socket
----
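The permissive-mode run above is the useful one for policy work: with enforcement off, every access the daemon needs shows up as its own AVC record, whereas enforcing mode stops at the first failed create. The script below is an added example, not part of this bug report or of the selinux-policy package; it parses the AVC records (re-typed here as a constructed list, plus one constructed non-AVC line to show it is skipped), groups the denied permissions by source type, target type and object class, and prints the minimal allow rules they imply, which is the same reduction audit2allow performs. The regular expression and the grouping are the example's own; the permissive-mode log is the only evidence it relies on.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records from the permissive-mode run above,
# one record per string, plus a shortened SYSCALL line that carries no
# denial and should be ignored by the parser.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1385042565.347:882): avc: denied { net_raw } for pid=3133 comm="watchdog" capability=13 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:system_r:watchdog_t:s0 tclass=capability',
    'type=AVC msg=audit(1385042565.347:882): avc: denied { create } for pid=3133 comm="watchdog" scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:system_r:watchdog_t:s0 tclass=rawip_socket',
    'type=AVC msg=audit(1385042565.354:883): avc: denied { setopt } for pid=3133 comm="watchdog" lport=1 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:system_r:watchdog_t:s0 tclass=rawip_socket',
    'type=AVC msg=audit(1385042574.413:886): avc: denied { create } for pid=3665 comm="watchdog" scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:system_r:watchdog_t:s0 tclass=rawip_socket',
    # constructed, shortened SYSCALL record: not a denial, must be skipped
    'type=SYSCALL msg=audit(1385042565.347:882): arch=c000003e syscall=41 success=yes exit=4 comm="watchdog" subj=system_u:system_r:watchdog_t:s0 key=(null)',
]

# Permission set inside braces, then the security contexts and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type:level security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, None otherwise."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        'perms': set(m.group('perms').split()),
        'source': context_type(m.group('scontext')),
        'target': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def collect_rules(lines):
    """Merge denials into {(source_type, target_type, class): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        rules[(rec['source'], rec['target'], rec['tclass'])] |= rec['perms']
    return dict(rules)


def format_rules(rules):
    """Render merged denials as SELinux allow rules, using 'self' where
    source and target type coincide (as they do for watchdog_t here)."""
    out = []
    for (source, target, tclass) in sorted(rules):
        perms = sorted(rules[(source, target, tclass)])
        tgt = 'self' if target == source else target
        permstr = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        out.append(f'allow {source} {tgt}:{tclass} {permstr};')
    return out


if __name__ == '__main__':
    for rule in format_rules(collect_rules(SAMPLE_AVCS)):
        print(rule)
```

For the records above this yields `allow watchdog_t self:capability net_raw;` and `allow watchdog_t self:rawip_socket { create setopt };`, i.e. the daemon's own domain gets raw-socket creation, the setsockopt it performs on that socket, and CAP_NET_RAW, and nothing else. Before adding such rules to a local module, check whether the installed policy already grants them (for example with `sesearch -A -s watchdog_t -c rawip_socket` from setools), and keep the target as `self` rather than widening it to other domains.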
(In reply to Richard W.M. Jones from comment #3)
> ... but it's my understanding from a brief look at the source
> that the daemon itself is opening the raw socket.

Yes, you are right. I also see it. Thank you.

commit 2c818a4154c7f89c230b5dfcf354213fbeea92c7
Author: Miroslav Grepl <mgrepl>
Date:   Mon Nov 25 14:09:03 2013 +0100

    Watchdog opens the raw socket
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.