Description of problem:
SELinux is preventing /usr/sbin/abrtd from using the 'net_admin' capabilities.

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that abrtd should have the net_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep abrtd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Objects                [ capability ]
Source                        abrtd
Source Path                   /usr/sbin/abrtd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           abrt-2.1.11-1.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-117.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.12.7-300.fc20.x86_64 #1 SMP Fri Jan 10 15:35:31 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-01-16 22:31:40 CET
Last Seen                     2014-01-16 22:31:40 CET
Local ID                      4c124957-961c-41c5-88d9-9fda8b1b191d

Raw Audit Messages
type=AVC msg=audit(1389907900.90:30): avc: denied { net_admin } for pid=653 comm="abrtd" capability=12 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=capability

type=SYSCALL msg=audit(1389907900.90:30): arch=x86_64 syscall=setsockopt success=yes exit=0 a0=6 a1=1 a2=20 a3=7fff57da4ef0 items=0 ppid=1 pid=653 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=abrtd exe=/usr/sbin/abrtd subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

Hash: abrtd,abrt_t,abrt_t,capability,net_admin

Additional info:
reporter:       libreport-2.1.11
hashmarkername: setroubleshoot
kernel:         3.12.7-300.fc20.x86_64
type:           libreport

Potential duplicate: bug 1054444
CAP_SYS_ADMIN
* Perform a range of system administration operations including: quotactl(2), mount(2), umount(2), swapon(2), swapoff(2), sethostname(2), and setdomainname(2);
* perform privileged syslog(2) operations (since Linux 2.6.37, CAP_SYSLOG should be used to permit such operations);
* perform VM86_REQUEST_IRQ vm86(2) command;
* perform IPC_SET and IPC_RMID operations on arbitrary System V IPC objects;
* perform operations on trusted and security Extended Attributes (see attr(5));
* use lookup_dcookie(2);
* use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before Linux 2.6.25) IOPRIO_CLASS_IDLE I/O scheduling classes;
* forge UID when passing socket credentials;
* exceed /proc/sys/fs/file-max, the system-wide limit on the number of open files, in system calls that open files (e.g., accept(2), execve(2), open(2), pipe(2));
* employ CLONE_* flags that create new namespaces with clone(2) and unshare(2);
* call perf_event_open(2);
* access privileged perf event information;
* call setns(2);
* call fanotify_init(2);
* perform KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2) operations;
* perform madvise(2) MADV_HWPOISON operation;
* employ the TIOCSTI ioctl(2) to insert characters into the input queue of a terminal other than the caller's controlling terminal;
* employ the obsolete nfsservctl(2) system call;
* employ the obsolete bdflush(2) system call;
* perform various privileged block-device ioctl(2) operations;
* perform various privileged file-system ioctl(2) operations;
* perform administrative operations on many device drivers.
I meant CAP_NET_ADMIN

Perform various network-related operations:
* interface configuration;
* administration of IP firewall, masquerading, and accounting;
* modify routing tables;
* bind to any address for transparent proxying;
* set type-of-service (TOS);
* clear driver statistics;
* set promiscuous mode;
* enabling multicasting;
* use setsockopt(2) to set the following socket options: SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.
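Added example (not part of the bug report): a small decoder that pairs the AVC record with its SYSCALL record from the raw audit messages in the description, names the denied capability, and, using the CAP_NET_ADMIN socket-option list above, identifies which setsockopt(2) option triggered the check. It assumes the x86 SOL_SOCKET option numbers from the kernel headers and that audit prints syscall arguments a0-a3 in hex, so a2=20 is option 0x20.

```python
import re

# Constructed sample: the two audit records quoted in the description (same event serial 30).
SAMPLE = """type=AVC msg=audit(1389907900.90:30): avc: denied { net_admin } for pid=653 comm="abrtd" capability=12 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1389907900.90:30): arch=x86_64 syscall=setsockopt success=yes exit=0 a0=6 a1=1 a2=20 a3=7fff57da4ef0 items=0 ppid=1 pid=653 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=abrtd exe=/usr/sbin/abrtd subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
"""

# Capability numbers from linux/capability.h (subset).
CAPS = {12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 21: "CAP_SYS_ADMIN"}
SOL_SOCKET = 1
# SOL_SOCKET options that require CAP_NET_ADMIN (capabilities(7)); values from asm-generic/socket.h.
NET_ADMIN_SOCKOPTS = {1: "SO_DEBUG", 12: "SO_PRIORITY", 32: "SO_SNDBUFFORCE",
                      33: "SO_RCVBUFFORCE", 36: "SO_MARK"}


def parse_records(text):
    """Group audit records by event serial, keyed by record type, with key=value fields as dicts."""
    events = {}
    for line in text.splitlines():
        m = re.search(r"msg=audit\(([\d.]+):(\d+)\)", line)
        if not m:
            continue
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
        if fields["type"] == "AVC":
            perm = re.search(r"denied\s+\{\s*([\w ]+?)\s*\}", line)
            fields["perms"] = perm.group(1).split() if perm else []
        events.setdefault(int(m.group(2)), {})[fields["type"]] = fields
    return events


def explain_capability_denial(event):
    """Describe a tclass=capability AVC; None if the event is not a capability denial."""
    avc, sc = event.get("AVC"), event.get("SYSCALL")
    if not avc or avc.get("tclass") != "capability":
        return None
    cap = int(avc["capability"])
    out = {"comm": avc["comm"].strip('"'), "capability": CAPS.get(cap, f"CAP_{cap}"),
           "perms": avc["perms"], "enforced": None, "syscall": None, "sockopt": None}
    if sc:
        out["syscall"] = sc["syscall"]
        # In permissive mode the denial is logged but the syscall still succeeds (success=yes).
        out["enforced"] = sc["success"] == "no"
        if sc["syscall"] == "setsockopt" and int(sc["a1"], 16) == SOL_SOCKET:
            # a1 = level, a2 = optname; both are logged in hex.
            out["sockopt"] = NET_ADMIN_SOCKOPTS.get(int(sc["a2"], 16), "other")
    return out


if __name__ == "__main__":
    for serial, ev in parse_records(SAMPLE).items():
        print(serial, explain_capability_denial(ev))
```

For the record in the description this yields CAP_NET_ADMIN, setsockopt, SO_SNDBUFFORCE and enforced=False, which is why the call succeeded despite the AVC.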
Description of problem:
Start Chrome browser + FF browser

Additional info:
reporter:       libreport-2.1.11
hashmarkername: setroubleshoot
kernel:         3.12.8-300.fc20.x86_64
type:           libreport
*** This bug has been marked as a duplicate of bug 1054337 ***