Bug 1287005 - SELinux is preventing /usr/sbin/xtables-multi from read, write access on the file 2F746D702F666669674F787A776C202864656C6574656429.
Status: CLOSED DUPLICATE of bug 1286964
Product: Fedora
Classification: Fedora
Component: firewalld
Version: rawhide
Hardware: x86_64
OS: Unspecified
Priority: high
Severity: medium
Assigned To: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:3a5a4fc5221d44c4866e8ac8867...
Reported: 2015-12-01 05:47 EST by Vít Ondruch
Modified: 2016-01-08 13:25 EST (History)
CC: 15 users

Doc Type: Bug Fix
Last Closed: 2016-01-08 13:25:24 EST


Attachments: None
Description Vít Ondruch 2015-12-01 05:47:24 EST
Description of problem:
SELinux is preventing /usr/sbin/xtables-multi from read, write access on the file 2F746D702F666669674F787A776C202864656C6574656429.

*****  Plugin leaks (86.2 confidence) suggests   *****************************

If you want to ignore xtables-multi trying to read write access the 2F746D702F666669674F787A776C202864656C6574656429 file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/sbin/xtables-multi /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests   **************************

If you believe that xtables-multi should be allowed read write access on the 2F746D702F666669674F787A776C202864656C6574656429 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep iptables /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:iptables_t:s0
Target Context                system_u:object_r:firewalld_tmpfs_t:s0
Target Objects                2F746D702F666669674F787A776C202864656C6574656429 [ file ]
Source                        iptables
Source Path                   /usr/sbin/xtables-multi
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           iptables-1.4.21-15.fc23.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-160.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.3.0-1.fc24.x86_64 #1 SMP Mon Nov 2 16:27:20 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-12-01 11:43:43 CET
Last Seen                     2015-12-01 11:43:43 CET
Local ID                      42093942-0b61-40b9-94b5-a09d32aba6b9

Raw Audit Messages
type=AVC msg=audit(1448966623.927:695): avc:  denied  { read write } for  pid=8544 comm="iptables" path=2F746D702F666669674F787A776C202864656C6574656429 dev="tmpfs" ino=27738 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:firewalld_tmpfs_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1448966623.927:695): arch=x86_64 syscall=execve success=yes exit=0 a0=7fb98dac7680 a1=557eeaaafd40 a2=557eeaa35fb0 a3=1 items=0 ppid=953 pid=8544 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=iptables exe=/usr/sbin/xtables-multi subj=system_u:system_r:iptables_t:s0 key=(null)

Hash: iptables,iptables_t,firewalld_tmpfs_t,file,read,write

Version-Release number of selected component:
selinux-policy-3.13.1-160.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.3.0-1.fc24.x86_64
type:           libreport

Potential duplicate: bug 902944
Comment 1 Vít Ondruch 2015-12-14 06:58:38 EST
This happened when I tried to connect to WiFi with two-factor authentication.
Comment 2 Vít Ondruch 2015-12-17 10:05:50 EST
And after reboot ...
Comment 3 Joseph D. Wagner 2016-01-01 16:05:59 EST
I did a file system relabel (touch /.autorelabel), and I still got this on an ethernet connection in a VM.
Comment 4 Daniel Walsh 2016-01-02 07:44:37 EST
This has nothing to do with labeling.  It is a leaked file descriptor from firewalld.

We should probably dontaudit it. I don't believe it breaks anything.
Comment 5 kakoskin 2016-01-04 08:45:40 EST
Description of problem:
Boot from Fedora-Live-Cinnamon-x86_64-rawhide-20160104.iso. SELinux denials appear first after boot and for almost any action on desktop.

Version-Release number of selected component:
selinux-policy-3.13.1-164.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.4.0-0.rc6.git1.1.fc24.x86_64
type:           libreport
Comment 6 Adam Williamson 2016-01-04 19:02:20 EST
Description of problem:
Happened on resume from suspend with current Rawhide, standard setup with GNOME and firewalld.


Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.4.0-0.rc6.git1.2.fc24.x86_64
type:           libreport
Comment 7 Thomas Woerner 2016-01-05 04:59:24 EST
The leak should not be from firewalld, because it is not creating any files in /tmp.
Comment 8 Vít Ondruch 2016-01-05 07:32:53 EST
So what is this "2F746D702F666669674F787A776C202864656C6574656429" file actually? Where is it (not) written? What calls the iptables aka xtables-multi?
Comment 9 Petr Lautrbach 2016-01-05 07:48:18 EST
(In reply to Vít Ondruch from comment #8)
> So what is this "2F746D702F666669674F787A776C202864656C6574656429" file
> actually?

$ python -c 'import binascii; print(binascii.a2b_hex("2F746D702F666669674F787A776C202864656C6574656429").decode())'
/tmp/ffigOxzwl (deleted)
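As an added example (not part of this bug report or of any of the tools it mentions), a small parser for AVC lines like the raw audit message in the description: it decodes the hex-encoded path the same way comment 9 does, pulls out the source and target types, and flags the " (deleted)" pattern that distinguishes a leaked descriptor on an unlinked file from a mislabeled path. The sample line is the one from this report, embedded inline as constructed test input.

```python
import re
import binascii

# Constructed sample input: the AVC line from this bug's description.
SAMPLE_AVC = (
    'type=AVC msg=audit(1448966623.927:695): avc:  denied  { read write } for  '
    'pid=8544 comm="iptables" path=2F746D702F666669674F787A776C202864656C6574656429 '
    'dev="tmpfs" ino=27738 scontext=system_u:system_r:iptables_t:s0 '
    'tcontext=system_u:object_r:firewalld_tmpfs_t:s0 tclass=file permissive=1'
)

_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Fields the audit subsystem hex-encodes (unquoted, uppercase hex) when the
# value contains a space, quote or control character; numeric fields such as
# pid= or ino= are never decoded, so they are deliberately not listed here.
_HEX_FIELDS = {'path', 'name', 'comm', 'exe', 'cwd', 'proctitle'}


def decode_audit_value(key, value):
    """Return the plain string for one key=value pair from an audit record."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in _HEX_FIELDS and re.fullmatch(r'(?:[0-9A-F]{2})+', value):
        return binascii.a2b_hex(value).decode('utf-8', 'replace')
    return value


def parse_avc(line):
    """Parse one AVC line into a dict, or return None for non-AVC records."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, raw in _KV_RE.findall(m.group('fields')):
        rec[key] = decode_audit_value(key, raw)
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            rec[ctx + '_type'] = rec[ctx].split(':')[2]  # user:role:type:level
    # A path ending in " (deleted)" means the inode was unlinked while a
    # descriptor stayed open and was inherited across exec (comment 4), which
    # a relabel of the filesystem cannot change.
    rec['leaked_deleted_file'] = rec.get('path', '').endswith(' (deleted)')
    return rec
```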
Comment 10 Thomas Woerner 2016-01-05 09:05:13 EST
Vít: Almost all ip*tables tools are links to xtables-multi. firewalld is using some of them.

Are you using the standard firewalld version in F-24 or some version from firewalld GIT?
Comment 11 Daniel Walsh 2016-01-05 09:17:28 EST
This is the use of a shared memory segment that the kernel is accidentally checking on an access that it should not.
Comment 12 Vít Ondruch 2016-01-05 09:29:42 EST
(In reply to Thomas Woerner from comment #10)
> Vít: Mostly all ip*tables tools are links to xtables-multi. firewalld is
> using some of them.
> 
> Are you using the standard firewalld version in F-24 or some version from
> firewalld GIT?

Standard version, nothing special. I have never played with firewall settings as far as I remember.
Comment 13 Paul Moore 2016-01-05 14:22:37 EST
This may be another side effect of systemd not labeling /tmp correctly on Rawhide at present, see BZ #1286964.  While you are waiting for this to get fixed in Rawhide, you could try a workaround (see comment #9 in the other BZ).
Comment 14 Adam Williamson 2016-01-05 15:35:32 EST
Yeah, I think I had the /tmp mislabelling when I hit this.
Comment 15 Thomas Woerner 2016-01-07 11:44:28 EST
This means it is a duplicate of BZ#1286964?
Comment 16 Paul Moore 2016-01-07 14:05:45 EST
I suspect so, but it would be nice if one of the problem reporters could verify by trying the workaround mentioned in comment #13 above.
Comment 17 Lukas Vrabec 2016-01-07 14:59:44 EST
(In reply to Paul Moore from comment #13)
> This may be another side effect of systemd not labeling /tmp correctly on
> Rawhide at present, see BZ #1286964.  While you are waiting for this to get
> fixed in Rawhide, you could try a workaround (see comment #9 in the other
> BZ).

Paul,
I'm inclined to that idea, too.
Comment 18 Joseph D. Wagner 2016-01-08 12:49:47 EST
I changed the line in /usr/lib/tmpfiles.d/tmp.conf from:

q /tmp 1777 root root 10d

to:

v /tmp 1777 root root 10d

and the problem went away.


I'm still getting bug #1276251, but I'm not sure it's related.
Comment 19 Paul Moore 2016-01-08 13:25:24 EST
BZ #1276251 should be unrelated, but it sounds like we can safely close this as a dup of BZ #1286964.

*** This bug has been marked as a duplicate of bug 1286964 ***