Bug 1298514 - netutils_t policy prevents tcpdump from calling chown/setattr
netutils_t policy prevents tcpdump from calling chown/setattr
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.7
All Linux
medium Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-14 05:09 EST by Milos Malik
Modified: 2016-05-10 16:04 EDT (History)
8 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-288.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1184260
Environment:
Last Closed: 2016-05-10 16:04:45 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Milos Malik 2016-01-14 05:09:46 EST
+++ This bug was initially created as a clone of Bug #1184260 +++

Description of problem:

If tcpdump is called with the -Z and -w options, unless the argument to the -Z option is "root", tcpdump will attempt to chown the capture file specified by the -w option to the user specified with the -Z option. (It takes this action even if the file is already owned by the user specified with -Z.)

However, even if the capture file has the netutils_tmp_t file context, SELinux denies tcpdump (that is, the netutils_t type) the ability to chown the capture file. This causes tcpdump to immediately fail and exit.

Similarly, tcpdump will call setattr() on a pre-existing capture file if the mode of the capture file isn't already what tcpdump expects. The call to setattr() also is denied by SELinux.

(Most people won't see these issues, because most people run tcpdump from interactive sessions that are in unconfined_t. But we are attempting to run tcpdump in an automated fashion via systemd, which is how we encountered the problem.)

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-287.el6.noarch
selinux-policy-doc-3.7.19-287.el6.noarch
selinux-policy-minimum-3.7.19-287.el6.noarch
selinux-policy-mls-3.7.19-287.el6.noarch
selinux-policy-targeted-3.7.19-287.el6.noarch
tcpdump-4.0.0-9.20090921gitdf3cb4.2.el6.x86_64

How reproducible:
Call tcpdump with "-Z tcpdump -w capturefile". (If your login is in the unconfined context, you will need to use runcon to ensure tcpdump runs in netutils_t.)

Steps to Reproduce:
# cd /tmp
# rm -f ./capturefile
# runcon system_u:system_r:initrc_t:s0 /bin/bash -c "/usr/sbin/tcpdump -i lo -Z tcpdump -w ./capturefile"
tcpdump: Couldn't change ownership of savefile
# 

Actual results (enforcing mode):
----
type=PATH msg=audit(01/14/2016 10:57:05.059:287) : item=0 name=./capturefile inode=187869 dev=fc:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:netutils_tmp_t:s0 nametype=NORMAL 
type=CWD msg=audit(01/14/2016 10:57:05.059:287) :  cwd=/tmp 
type=SYSCALL msg=audit(01/14/2016 10:57:05.059:287) : arch=x86_64 syscall=chown success=no exit=-1(Operation not permitted) a0=0x1cf5a40 a1=tcpdump a2=tcpdump a3=0x7ffc6a439120 items=1 ppid=19664 pid=19668 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=tcpdump exe=/usr/sbin/tcpdump subj=system_u:system_r:netutils_t:s0 key=(null) 
type=AVC msg=audit(01/14/2016 10:57:05.059:287) : avc:  denied  { chown } for  pid=19668 comm=tcpdump capability=chown  scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:system_r:netutils_t:s0 tclass=capability 
----

Expected results:
 * no SELinux denials
Comment 1 Milos Malik 2016-01-14 05:12:28 EST
Actual results (permissive mode):
----
type=PATH msg=audit(01/14/2016 11:11:22.771:305) : item=0 name=./capturefile inode=187869 dev=fc:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:netutils_tmp_t:s0 nametype=NORMAL 
type=CWD msg=audit(01/14/2016 11:11:22.771:305) :  cwd=/tmp 
type=SYSCALL msg=audit(01/14/2016 11:11:22.771:305) : arch=x86_64 syscall=chown success=yes exit=0 a0=0x1a95a40 a1=tcpdump a2=tcpdump a3=0x7fff7f146660 items=1 ppid=5048 pid=23981 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=tcpdump exe=/usr/sbin/tcpdump subj=system_u:system_r:netutils_t:s0 key=(null) 
type=AVC msg=audit(01/14/2016 11:11:22.771:305) : avc:  denied  { chown } for  pid=23981 comm=tcpdump capability=chown  scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:system_r:netutils_t:s0 tclass=capability 
----
Comment 5 errata-xmlrpc 2016-05-10 16:04:45 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0763.html

Note You need to log in before you can comment on or make changes to this bug.