Bug 1438937 - SELinux prevents iptables_t from reading files in /etc/modprobe.d directory
Summary: SELinux prevents iptables_t from reading files in /etc/modprobe.d directory
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
: 1465031 1496453 1532656 1544921 1544922 1544923 (view as bug list)
Depends On:
Blocks: 1472751 1470965 1477413 1481207 1486871 1491963 1494907 1504647 1544922 1544923
TreeView+ depends on / blocked
 
Reported: 2017-04-04 19:41 UTC by Milos Malik
Modified: 2018-04-10 12:32 UTC (History)
11 users (show)

Fixed In Version: selinux-policy-3.13.1-174.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 12:29:42 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0763 None None None 2018-04-10 12:32:07 UTC

Description Milos Malik 2017-04-04 19:41:07 UTC
Description of problem:
SELinux denials appear when at least 1 file is present in /etc/modprobe.d directory, for example:
# rpm -qf /etc/modprobe.d/*
i2c-tools-3.1.0-10.el7.x86_64
nfs-utils-1.3.0-0.33.el7_3.x86_64
rdma-core-13-1.el7.x86_64
rdma-core-13-1.el7.x86_64
tuned-2.7.1-5.20170314git92d558b8.el7.noarch
#

Version-Release number of selected component (if applicable):
iptables-1.4.21-17.el7.x86_64
iptables-services-1.4.21-17.el7.x86_64
selinux-policy-3.13.1-136.el7.noarch
selinux-policy-targeted-3.13.1-136.el7.noarch

How reproducible:
* always

Steps to Reproduce:
1. get a RHEL-7.4 machine (targeted policy is active)
2. run following automated TC:
 * /CoreOS/selinux-policy/bugzillas/245599
3. search for SELinux denials

Actual results:
----
type=SYSCALL msg=audit(04/04/2017 15:31:57.623:381) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7ffc0f906ef3 a2=O_RDONLY a3=0x0 items=0 ppid=17459 pid=17467 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=grep exe=/usr/bin/grep subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(04/04/2017 15:31:57.623:381) : avc:  denied  { read } for  pid=17467 comm=grep name=i2c-dev.conf dev="dm-1" ino=4820 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/04/2017 15:31:57.623:382) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7ffc0f906f10 a2=O_RDONLY a3=0x0 items=0 ppid=17459 pid=17467 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=grep exe=/usr/bin/grep subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(04/04/2017 15:31:57.623:382) : avc:  denied  { read } for  pid=17467 comm=grep name=lockd.conf dev="dm-1" ino=20099 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/04/2017 15:31:57.624:383) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7ffc0f906f2b a2=O_RDONLY a3=0x0 items=0 ppid=17459 pid=17467 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=grep exe=/usr/bin/grep subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(04/04/2017 15:31:57.624:383) : avc:  denied  { read } for  pid=17467 comm=grep name=mlx4.conf dev="dm-1" ino=4835 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/04/2017 15:31:57.624:384) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7ffc0f906f45 a2=O_RDONLY a3=0x0 items=0 ppid=17459 pid=17467 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=grep exe=/usr/bin/grep subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(04/04/2017 15:31:57.624:384) : avc:  denied  { read } for  pid=17467 comm=grep name=truescale.conf dev="dm-1" ino=4836 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/04/2017 15:31:57.624:385) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7ffc0f906f64 a2=O_RDONLY a3=0x0 items=0 ppid=17459 pid=17467 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=grep exe=/usr/bin/grep subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(04/04/2017 15:31:57.624:385) : avc:  denied  { read } for  pid=17467 comm=grep name=tuned.conf dev="dm-1" ino=27039 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file 
----

Expected results:
* no SELinux denials

Comment 1 Milos Malik 2017-04-04 19:44:49 UTC
Actual results (permissive mode):
----
type=SYSCALL msg=audit(04/04/2017 15:43:06.245:500) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffffffffffff9c a1=0x7ffc35dc1ef3 a2=O_RDONLY a3=0x0 items=0 ppid=24126 pid=24134 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=grep exe=/usr/bin/grep subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(04/04/2017 15:43:06.245:500) : avc:  denied  { open } for  pid=24134 comm=grep path=/etc/modprobe.d/i2c-dev.conf dev="dm-1" ino=4820 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file 
type=AVC msg=audit(04/04/2017 15:43:06.245:500) : avc:  denied  { read } for  pid=24134 comm=grep name=i2c-dev.conf dev="dm-1" ino=4820 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/04/2017 15:43:06.245:501) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x3 a1=0x7ffc35dc0110 a2=0x7ffc35dc0110 a3=0x0 items=0 ppid=24126 pid=24134 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=grep exe=/usr/bin/grep subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(04/04/2017 15:43:06.245:501) : avc:  denied  { getattr } for  pid=24134 comm=grep path=/etc/modprobe.d/i2c-dev.conf dev="dm-1" ino=4820 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/04/2017 15:43:06.245:502) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x3 a1=TCGETS a2=0x7ffc35dc0050 a3=0x0 items=0 ppid=24126 pid=24134 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=grep exe=/usr/bin/grep subj=system_u:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(04/04/2017 15:43:06.245:502) : avc:  denied  { ioctl } for  pid=24134 comm=grep path=/etc/modprobe.d/i2c-dev.conf dev="dm-1" ino=4820 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file 
----

Comment 3 Lukas Vrabec 2017-04-11 07:35:31 UTC

*** This bug has been marked as a duplicate of bug 1436689 ***

Comment 4 Phil Sutter 2017-09-07 16:33:41 UTC
*** Bug 1465031 has been marked as a duplicate of this bug. ***

Comment 5 Phil Sutter 2017-09-07 16:35:23 UTC
A comment in Bug 1465031 (which is a duplicate to this one) mentioned the required policy change:

> I am also seeing this - on each reboot I get 6 selinux denials logged in my
> audit.log - one for each file in /etc/modprobe.d/*.conf. The code in
> question comes from line 212 in /usr/libexec/iptables/iptables.init where it
> is trying to determine if ipv6 has been disabled.
> 
> Files in /etc/modprobe.d/*.conf look correctly labeled to me and restorecon
> -RvF /etc/modprobe.d returns no output showing that it made no changes -
> thus answering the question about trying the relabel.
> 
> type=AVC msg=audit(1504094765.370:28): avc:  denied  { read } for  pid=661
> comm="grep" name="blacklist-iscsi.conf" dev="dm-0" ino=782889
> scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
> 
> Problem only happens when iptables.service is started by systemd as part of
> the boot. If you run systemctl restart iptables then nothing is logged.
> Running the AVCs through audit2allow generates:
> 
> require {
>         type iptables_t;
>         type modules_conf_t;
>         class file read;
> }
> 
> #============= iptables_t ==============
> allow iptables_t modules_conf_t:file read;

Comment 6 Lukas Vrabec 2017-09-29 07:45:28 UTC
*** Bug 1496453 has been marked as a duplicate of this bug. ***

Comment 7 Lon Hohberger 2017-09-29 15:42:14 UTC
Note that the effect here is opposite what one might think: the ip6tables rules are applied correctly, even if you trynot started - it is simply that you cannot disable them by aliasing something in /etc/modprobe.d.

Thus, it's an annoyance, but, it ultimately doesn't cause functional issues in the case where a user is utilizing ip6tables to start the firewall - only the negative case: disabling ipv6 in /etc/modprobe.d/* will fail since grep cannot read the files.

Comment 8 Lon Hohberger 2017-09-29 15:43:15 UTC
Whoa, typo:

Note that the effect here is opposite what one might think: the ip6tables rules are applied correctly - it is simply that you cannot disable them by aliasing something in /etc/modprobe.d.

Comment 11 Lukas Vrabec 2017-11-27 08:48:32 UTC
*** Bug 1516052 has been marked as a duplicate of this bug. ***

Comment 12 Lukas Vrabec 2018-02-14 12:40:55 UTC
*** Bug 1544921 has been marked as a duplicate of this bug. ***

Comment 13 Jaroslav Škarvada 2018-02-19 00:04:39 UTC
*** Bug 1544923 has been marked as a duplicate of this bug. ***

Comment 14 Lukas Vrabec 2018-02-19 09:36:32 UTC
*** Bug 1544922 has been marked as a duplicate of this bug. ***

Comment 16 Tomas Dolezal 2018-03-05 17:05:19 UTC
*** Bug 1532656 has been marked as a duplicate of this bug. ***

Comment 18 errata-xmlrpc 2018-04-10 12:29:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763


Note You need to log in before you can comment on or make changes to this bug.