1184260 – netutils_t policy prevents tcpdump from calling chown/setattr

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1184260 - netutils_t policy prevents tcpdump from calling chown/setattr

Summary: netutils_t policy prevents tcpdump from calling chown/setattr

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.0
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-01-20 21:41 UTC by James Ralston
Modified:	2015-03-05 10:48 UTC (History)
CC List:	7 users (show)
Fixed In Version:	selinux-policy-3.13.1-18.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1298514 (view as bug list)
Environment:
Last Closed:	2015-03-05 10:48:42 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2015:0458	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2015-03-05 15:17:00 UTC

Description James Ralston 2015-01-20 21:41:54 UTC

(I'm filing this against RHEL7, but I suspect the issue applies to other releases of RHEL/Fedora.)

Description of problem:

If tcpdump is called with the -Z and -w options, unless the argument to the -Z option is "root", tcpdump will attempt to chown the capture file specified by the -w option to the user specified with the -Z option. (It takes this action even if the file is already owned by the user specified with -Z.)

However, even if the capture file has the netutils_tmp_t file context, SELinux denies tcpdump (that is, the netutils_t type) the ability to chown the capture file. This causes tcpdump to immediately fail and exit.

Similarly, tcpdump will call setattr() on a pre-existing capture file if the mode of the capture file isn't already what tcpdump expects. The call to setattr() also is denied by SELinux.

(Most people won't see these issues, because most people run tcpdump from interactive sessions that are in unconfined_t. But we are attempting to run tcpdump in an automated fashion via systemd, which is how we encountered the problem.)

Version-Release number of selected component (if applicable):

0:selinux-policy-targeted-3.12.1-153.el7_0.13.noarch

How reproducible:

Call tcpdump with "-Z tcpdump -w capturefile". (If your login is in the unconfined context, you will need to use runcon to ensure tcpdump runs in netutils_t.)

Steps to Reproduce:

$ cd /tmp
$ id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ rm -f capturefile
$ runcon -t netutils_t tcpdump -i lo -Z tcpdump -w capturefile
tcpdump: Couldn't change ownership of savefile
$ rm capturefile
$ runcon -t netutils_t tcpdump -i lo -Z root -w foo
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
$ ausearch -m avc -ts today | tail -3
time->Tue Jan 20 16:29:23 2015
type=SYSCALL msg=audit(1421789363.087:1155): arch=c000003e syscall=92 success=no exit=-1 a0=b93db0 a1=48 a2=48 a3=7fff9de092f0 items=0 ppid=24402 pid=24509 auid=20576 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=89 comm="tcpdump" exe="/usr/sbin/tcpdump" subj=unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1421789363.087:1155): avc:  denied  { chown } for  pid=24509 comm="tcpdump" capability=0  scontext=unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 tclass=capability

Additional info:

As long as tcpdump will call chown/setattr, the netutils_t type should be permitted to call (chown, setattr) on files in the (initrc_tmp_t, mnt_t, netutils_tmp_t, tmp_t) context.

Comment 2 Milos Malik 2015-01-21 07:08:12 UTC

# cd /tmp
# rm -f capturefile
# runcon -t netutils_t tcpdump -i eth0 -Z tcpdump -w capturefile
tcpdump: Couldn't change ownership of savefile
# ls -Z ./capturefile 
-rw-r--r--. root root unconfined_u:object_r:netutils_tmp_t:s0 ./capturefile
# 

----
type=PATH msg=audit(01/21/2015 08:03:51.694:118) : item=0 name=capturefile inode=51759716 dev=fd:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:netutils_tmp_t:s0 objtype=NORMAL 
type=CWD msg=audit(01/21/2015 08:03:51.694:118) :  cwd=/tmp 
type=SYSCALL msg=audit(01/21/2015 08:03:51.694:118) : arch=x86_64 syscall=chown success=no exit=-1(Operation not permitted) a0=0x1228c80 a1=tcpdump a2=tcpdump a3=0x7fff89e3eb20 items=1 ppid=1849 pid=2239 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=tcpdump exe=/usr/sbin/tcpdump subj=unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/21/2015 08:03:51.694:118) : avc:  denied  { chown } for  pid=2239 comm=tcpdump capability=chown  scontext=unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 tclass=capability 
----

# rpm -qa selinux-policy\*
selinux-policy-3.13.1-16.el7.noarch
selinux-policy-targeted-3.13.1-16.el7.noarch
selinux-policy-doc-3.13.1-16.el7.noarch
selinux-policy-mls-3.13.1-16.el7.noarch
selinux-policy-minimum-3.13.1-16.el7.noarch
selinux-policy-devel-3.13.1-16.el7.noarch
#

Comment 6 errata-xmlrpc 2015-03-05 10:48:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html

Note You need to log in before you can comment on or make changes to this bug.