Bug 120586 - selinux policy support
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: traceroute
Version: rawhide
Hardware: All  OS: Linux
Priority: medium  Severity: medium
Assigned To: Radek Vokal
Mike McLean
Reported: 2004-04-11 09:56 EDT by Kaj J. Niemi
Modified: 2007-11-30 17:10 EST (History)
Doc Type: Bug Fix
Last Closed: 2004-07-29 13:13:50 EDT


Attachments: None
Description Kaj J. Niemi 2004-04-11 09:56:36 EDT
Description of problem:
Looks like traceroute needs a few things to work with selinux.

Version-Release number of selected component (if applicable):
traceroute-1.4a12-21.1

Actual results:
Apr 11 16:48:30 aurora syslogd 1.4.1: restart.
Apr 11 16:48:37 aurora kernel: audit(1081691317.301:0): avc:  denied 
{ create } for  pid=2576 exe=/bin/traceroute
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=rawip_socket
Apr 11 16:48:37 aurora kernel: audit(1081691317.302:0): avc:  denied 
{ net_raw } for  pid=2576 exe=/bin/traceroute capability=13
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=capability
Apr 11 16:48:37 aurora kernel: audit(1081691317.302:0): avc:  denied 
{ setuid } for  pid=2576 exe=/bin/traceroute capability=7
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=capability
Apr 11 16:48:37 aurora kernel: audit(1081691317.845:0): avc:  denied 
{ setopt } for  pid=2576 exe=/bin/traceroute lport=255
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=rawip_socket
Apr 11 16:48:37 aurora kernel: audit(1081691317.845:0): avc:  denied 
{ bind } for  pid=2576 exe=/bin/traceroute lport=255
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=rawip_socket
Apr 11 16:48:37 aurora kernel: audit(1081691317.845:0): avc:  denied 
{ node_bind } for  pid=2576 exe=/bin/traceroute saddr=212.226.212.52
src=32775 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:node_t tclass=rawip_socket
Apr 11 16:48:37 aurora kernel: audit(1081691317.845:0): avc:  denied 
{ write } for  pid=2576 exe=/bin/traceroute laddr=212.226.212.52
lport=255 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=rawip_socket
Apr 11 16:48:37 aurora kernel: audit(1081691317.846:0): avc:  denied 
{ read } for  pid=2576 exe=/bin/traceroute laddr=212.226.212.52
lport=1 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=rawip_socket

Additional info:
audit2allow suggests the following:

allow user_t node_t:rawip_socket { node_bind };
allow user_t user_t:capability { net_raw setuid };
allow user_t user_t:rawip_socket { bind create read setopt write };

Thanks.
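To show how the denials above turn into the three allow rules audit2allow proposed, here is an added example (not part of the report, and not the audit2allow tool itself): a small Python re-implementation that re-joins the wrapped syslog records as pasted in the report, groups the denied permissions by source type, target type and object class, renders them as allow rules, and separately flags any rule that grants capabilities, since net_raw and setuid widen what every process in user_t may do rather than just traceroute. The sample log is constructed from the records quoted above.

```python
"""Turn SELinux AVC denial records into candidate allow rules.

Added example: a minimal stand-in for what audit2allow does with the
denials quoted in the bug, plus a review step that flags capability grants.
"""
import re
from collections import defaultdict

# Constructed sample: the denials quoted in the report, wrapped the way the
# report shows them, plus the unrelated syslogd restart line.
SAMPLE_LOG = """\
Apr 11 16:48:30 aurora syslogd 1.4.1: restart.
Apr 11 16:48:37 aurora kernel: audit(1081691317.301:0): avc:  denied
{ create } for  pid=2576 exe=/bin/traceroute
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=rawip_socket
Apr 11 16:48:37 aurora kernel: audit(1081691317.302:0): avc:  denied
{ net_raw } for  pid=2576 exe=/bin/traceroute capability=13
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=capability
Apr 11 16:48:37 aurora kernel: audit(1081691317.302:0): avc:  denied
{ setuid } for  pid=2576 exe=/bin/traceroute capability=7
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=capability
Apr 11 16:48:37 aurora kernel: audit(1081691317.845:0): avc:  denied
{ setopt } for  pid=2576 exe=/bin/traceroute lport=255
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=rawip_socket
Apr 11 16:48:37 aurora kernel: audit(1081691317.845:0): avc:  denied
{ bind } for  pid=2576 exe=/bin/traceroute lport=255
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=rawip_socket
Apr 11 16:48:37 aurora kernel: audit(1081691317.845:0): avc:  denied
{ node_bind } for  pid=2576 exe=/bin/traceroute saddr=212.226.212.52
src=32775 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:node_t tclass=rawip_socket
Apr 11 16:48:37 aurora kernel: audit(1081691317.845:0): avc:  denied
{ write } for  pid=2576 exe=/bin/traceroute laddr=212.226.212.52
lport=255 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=rawip_socket
Apr 11 16:48:37 aurora kernel: audit(1081691317.846:0): avc:  denied
{ read } for  pid=2576 exe=/bin/traceroute laddr=212.226.212.52
lport=1 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=rawip_socket
"""

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def join_wrapped(text):
    """Re-join records wrapped onto several lines: a line that does not
    start with a syslog timestamp continues the previous record."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_avc(record):
    """Return the denied permissions and the key=value fields of one AVC
    denial record, or None for any other log line."""
    m = AVC_RE.search(record)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def context_type(ctx):
    """The type is the third field of a user:role:type[:level] context."""
    return ctx.split(":")[2]


def collect_denials(text):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for record in join_wrapped(text):
        rec = parse_avc(record)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]),
               context_type(rec["tcontext"]), rec["tclass"])
        grouped[key].update(rec["perms"])
    return dict(grouped)


def format_allow_rules(grouped):
    """Render the groups as policy allow statements, audit2allow-style."""
    return ["allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
            for (src, tgt, cls), perms in sorted(grouped.items())]


def flag_for_review(grouped):
    """Rules not to take at face value: capability grants apply to every
    process in the source domain, not only to the binary that was denied."""
    return format_allow_rules(
        {k: v for k, v in grouped.items() if k[2] == "capability"})


if __name__ == "__main__":
    denials = collect_denials(SAMPLE_LOG)
    for rule in format_allow_rules(denials):
        print(rule)
    for rule in flag_for_review(denials):
        print("REVIEW:", rule)
```

Run on the sample it prints the same three rules the report quotes and marks the capability rule for review; the fix Daniel Walsh refers to lives in the policy package rather than in a locally generated module, which is the usual preference over applying audit2allow output verbatim.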
Comment 1 Phil Knirsch 2004-04-13 09:43:22 EDT
Adding Daniel to it again.

Read ya, Phil
Comment 2 Daniel Walsh 2004-07-29 13:13:50 EDT
This is fixed in latest policy
