Red Hat Bugzilla – Bug 1332014
SELinux is preventing pmdalinux from using the 'net_admin' capabilities.
Last modified: 2016-05-04 18:35:45 EDT
Description of problem:
SELinux is preventing pmdalinux from using the 'net_admin' capabilities.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that pmdalinux should have the net_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c pmdalinux --raw | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:pcp_pmcd_t:s0
Target Context system_u:system_r:pcp_pmcd_t:s0
Target Objects Unknown [ capability ]
Source pmdalinux
Source Path pmdalinux
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-158.14.fc23.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux (removed) 4.4.7-300.fc23.x86_64 #1 SMP Wed Apr 13 02:52:52 UTC 2016 x86_64 x86_64
Alert Count 1
First Seen 2016-04-20 10:13:40 IDT
Last Seen 2016-04-20 10:13:40 IDT
Local ID 21f90160-231c-4cdc-9cf7-f6f722cc49ab

Raw Audit Messages
type=AVC msg=audit(1461136420.701:942): avc: denied { net_admin } for pid=1404 comm="pmdalinux" capability=12 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=1

Hash: pmdalinux,pcp_pmcd_t,pcp_pmcd_t,capability,net_admin

Version-Release number of selected component:
selinux-policy-3.13.1-158.14.fc23.noarch

Additional info:
reporter: libreport-2.6.4
hashmarkername: setroubleshoot
kernel: 4.4.8-300.fc23.x86_64
type: libreport
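As an added triage helper (not part of the bug report, PCP or setroubleshoot), the parser below reads the raw AVC record above, decodes capability=12 to its name, checks whether the access was actually blocked or only logged under permissive mode, and prints the allow rule the suggested audit2allow step would generate; the function and table names are my own.

```python
import re
from datetime import datetime, timezone

# Capability numbers from <linux/capability.h>; a subset that covers the
# capability denials most often seen in setroubleshoot reports.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID",
    10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW",
    19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN", 29: "CAP_AUDIT_WRITE",
}

# The AVC record quoted in this bug, embedded here as the sample input.
SAMPLE_AVC = ('type=AVC msg=audit(1461136420.701:942): avc: denied { net_admin } '
              'for pid=1404 comm="pmdalinux" capability=12 '
              'scontext=system_u:system_r:pcp_pmcd_t:s0 '
              'tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=1')

# Kernel output has two spaces around "denied"; setroubleshoot collapses them.
AVC_RE = re.compile(r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc: +'
                    r'(?P<verdict>denied|granted) +\{ (?P<perms>[^}]+)\} for (?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Turn one AVC audit record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['verdict'] = m.group('verdict')
    rec['perms'] = m.group('perms').split()
    rec['time_utc'] = datetime.fromtimestamp(float(m.group('ts')), tz=timezone.utc)
    # user:role:type:level -> keep only the type, which is what policy rules name.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    if rec.get('tclass') == 'capability':
        rec['cap_name'] = CAP_NAMES.get(int(rec['capability']), 'CAP_<unknown>')
    return rec

def triage(rec):
    """Was the access really blocked, and what rule would audit2allow emit for it?"""
    blocked = rec['verdict'] == 'denied' and rec.get('permissive') != '1'
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    # A capability check is self-directed (scontext == tcontext), hence "self".
    target = 'self' if rec['stype'] == rec['ttype'] else rec['ttype']
    rule = 'allow %s %s:%s %s;' % (rec['stype'], target, rec['tclass'], perm_str)
    return {'blocked': blocked, 'rule': rule, 'cap_name': rec.get('cap_name')}

if __name__ == '__main__':
    r = parse_avc(SAMPLE_AVC)
    print(r['time_utc'], r['comm'], r['cap_name'], triage(r))
```

Because the report was taken in permissive mode, the triage reports the access as logged rather than blocked; whether the rule should be added is the question the rest of this thread settles by reading the pmdalinux source, not by running audit2allow blindly.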
Does 'pmdalinux' do any of these operations?

CAP_NET_ADMIN
Perform various network-related operations:
* interface configuration;
* administration of IP firewall, masquerading, and accounting;
* modify routing tables;
* bind to any address for transparent proxying;
* set type-of-service (TOS)
* clear driver statistics;
* set promiscuous mode;
* enabling multicasting;
* use setsockopt(2) to set the following socket options: SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.

Thank you.
Lukas, no, pcp does not perform network administration duties. Please use NEEDINFO rather than bugzilla reassignment to ask questions.
Thank you. Closing as WONTFIX. If this happens again, please re-open this bug.
Hi Lukas, pmdalinux may issue these ioctls ...

proc_net_dev.c: if (!(ioctl(fd, SIOCGIFMTU, &ifr) < 0))
proc_net_dev.c: if (!(ioctl(fd, SIOCGIFFLAGS, &ifr) < 0)) {
proc_net_dev.c: if (!(ioctl(fd, SIOCETHTOOL, &ifr) < 0)) {
proc_net_dev.c: } else if (!(ioctl(fd, SIOCGIWRATE, &iwreq) < 0)) {
proc_net_dev.c: if (ioctl(fd, SIOCGIFADDR, &ifr) >= 0) {
proc_net_dev.c: if (ioctl(fd, SIOCGIFCONF, &ifc) < 0) {

... it uses these as a fallback only, if the same information cannot be accessed via /sys/class/net/[IF]/* from the kernel. The only other privilege-requiring operation in pmdalinux is setns(2). cheers.