Bug 1153340 - systemd-networkd AVCs
Summary: systemd-networkd AVCs
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-10-15 19:42 UTC by Ruben Kerkhof
Modified: 2015-05-12 14:56 UTC (History)

Fixed In Version: selinux-policy-3.13.1-87.fc22
Clone Of:
Environment:
Last Closed: 2015-05-12 14:56:23 UTC
Type: Bug
Embargoed:



Description Ruben Kerkhof 2014-10-15 19:42:16 UTC
Description of problem:

Oct 15 21:37:25 localhost kernel: audit: type=1400 audit(1413401845.042:24): avc:  denied  { read } for  pid=432 comm="systemd-network" name="passwd" dev="vda1" ino=400036 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
Oct 15 21:37:25 localhost kernel: audit: type=1400 audit(1413401845.042:25): avc:  denied  { open } for  pid=432 comm="systemd-network" path="/etc/passwd" dev="vda1" ino=400036 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
Oct 15 21:37:25 localhost kernel: audit: type=1400 audit(1413401845.042:26): avc:  denied  { getattr } for  pid=432 comm="systemd-network" path="/etc/passwd" dev="vda1" ino=400036 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
Oct 15 21:37:25 localhost kernel: audit: type=1400 audit(1413401845.043:27): avc:  denied  { fowner } for  pid=432 comm="systemd-network" capability=3  scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability permissive=1
Oct 15 21:37:25 localhost kernel: audit: type=1400 audit(1413401845.043:28): avc:  denied  { chown } for  pid=432 comm="systemd-network" capability=0  scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability permissive=1
Oct 15 21:37:25 localhost kernel: audit: type=1400 audit(1413401845.043:29): avc:  denied  { setgid } for  pid=432 comm="systemd-network" capability=6  scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability permissive=1
Oct 15 21:37:25 localhost kernel: audit: type=1400 audit(1413401845.043:30): avc:  denied  { setuid } for  pid=432 comm="systemd-network" capability=7  scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability permissive=1
Oct 15 21:37:25 localhost kernel: audit: type=1400 audit(1413401845.043:31): avc:  denied  { setcap } for  pid=432 comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=process permissive=1
Oct 15 21:37:25 localhost kernel: audit: type=1400 audit(1413401845.043:32): avc:  denied  { setpcap } for  pid=432 comm="systemd-network" capability=8  scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability permissive=1
Oct 15 21:37:25 localhost kernel: audit: type=1400 audit(1413401845.050:33): avc:  denied  { create } for  pid=432 comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=udp_socket permissive=1

Version-Release number of selected component (if applicable):

rpm -q systemd
systemd-216-11.fc22.x86_64

rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-86.fc22.noarch

uname -r
3.18.0-0.rc0.git8.1.fc22.x86_64

How reproducible:

let systemd-networkd play dhcp client:
cat /etc/systemd/network/zz-default.network 
[Match]
Name=e*

[Network]
DHCP=v4

[DHCP]
UseMTU=true

systemctl start systemd-networkd (or reboot)

Comment 1 Miroslav Grepl 2014-10-16 15:22:12 UTC
commit 1a676bbbc337f494bacd6330307123141687faa8
Author: Miroslav Grepl <mgrepl>
Date:   Thu Oct 16 17:21:47 2014 +0200

    Allow systemd-networkd to be running as dhcp client.

Comment 2 Ruben Kerkhof 2014-12-10 20:21:50 UTC
Thanks Miroslav,

I have a few more AVCs though:

Dec 10 21:06:26 localhost kernel: audit: type=1400 audit(1418241986.358:4): avc:  denied  { name_bind } for  pid=355 comm="systemd-network" src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket permissive=1
Dec 10 21:06:26 localhost kernel: audit: type=1400 audit(1418241986.358:5): avc:  denied  { node_bind } for  pid=355 comm="systemd-network" saddr=37.252.122.142 src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1
Dec 10 21:06:26 localhost kernel: audit: type=1400 audit(1418241986.358:6): avc:  denied  { net_bind_service } for  pid=355 comm="systemd-network" capability=10  scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability permissive=1

$ rpm -q selinux-policy
selinux-policy-3.13.1-99.fc22.noarch

Comment 3 Jaroslav Reznik 2015-03-03 17:04:23 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 4 DaveG 2015-04-08 13:27:29 UTC
Fedora 21 has the same issue.

kernel-3.19.3-200.fc21.x86_64
selinux-policy-targeted-3.13.1-105.9.fc21.noarch
systemd-216-24.fc21.x86_64

grep systemd-network /var/log/audit/audit.log | audit2allow -M mypol
cat mypol.te

module mypol 1.0;

require {
	type node_t;
	type systemd_networkd_t;
	type dhcpc_port_t;
	class capability net_bind_service;
	class udp_socket { name_bind node_bind };
}

#============= systemd_networkd_t ==============
allow systemd_networkd_t dhcpc_port_t:udp_socket name_bind;
allow systemd_networkd_t node_t:udp_socket node_bind;
allow systemd_networkd_t self:capability net_bind_service;
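The audit2allow output in comment 4 is a direct mapping from the AVC lines in comment 2. The following added Python example (not part of this bug, and not audit2allow's own code) parses AVC denial lines into source type, target type, object class and permissions, writes the target as `self` when it is the source domain itself, and emits the equivalent allow rules; the sample input is the three comment 2 lines, embedded as a constructed string.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC denials quoted in comment 2 of this bug.
SAMPLE_AVCS = """\
Dec 10 21:06:26 localhost kernel: audit: type=1400 audit(1418241986.358:4): avc:  denied  { name_bind } for  pid=355 comm="systemd-network" src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket permissive=1
Dec 10 21:06:26 localhost kernel: audit: type=1400 audit(1418241986.358:5): avc:  denied  { node_bind } for  pid=355 comm="systemd-network" saddr=37.252.122.142 src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1
Dec 10 21:06:26 localhost kernel: audit: type=1400 audit(1418241986.358:6): avc:  denied  { net_bind_service } for  pid=355 comm="systemd-network" capability=10  scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability permissive=1
"""

# Fields needed for an allow rule: permissions, source/target context, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)"
    r"(?: permissive=(?P<permissive>[01]))?"
)

def parse_avc(line):
    """Return the rule-relevant fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": m.group("sctx").split(":")[2],   # user:role:type:mls -> type
        "ttype": m.group("tctx").split(":")[2],
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }

def allow_rules(log_text):
    """Collapse denials into audit2allow-style allow rules, one per (source, target, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        # A denial whose target is the source domain itself is written against 'self'.
        target = "self" if d["ttype"] == d["stype"] else d["ttype"]
        grouped[(d["stype"], target, d["tclass"])].update(d["perms"])
    rules = []
    for (stype, target, tclass), perms in sorted(grouped.items()):
        joined = " ".join(sorted(perms))
        perms_txt = joined if len(perms) == 1 else "{ %s }" % joined
        rules.append(f"allow {stype} {target}:{tclass} {perms_txt};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AVCS)))
```

Running it reproduces the three rules of the mypol.te module above; seeing the rule a denial would generate is useful before deciding whether the access belongs in policy, since a rule granting a capability or self:process permission to a daemon deserves review rather than a blanket allow.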

