Bug 1524256 - arpwatch fails to start on fc27 due to selinux denials
Summary: arpwatch fails to start on fc27 due to selinux denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-12-11 05:21 UTC by Ian Donaldson
Modified: 2018-01-02 16:48 UTC (History)
7 users

Fixed In Version: selinux-policy-3.13.1-283.19.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-01-02 16:48:11 UTC
Type: Bug
Embargoed:



Description Ian Donaldson 2017-12-11 05:21:52 UTC
Description of problem:

arpwatch fails to start on fc27

Version-Release number of selected component (if applicable):

arpwatch-2.1a15-40.fc27.x86_64

How reproducible:

100%

Steps to Reproduce:
1. dnf install arpwatch; systemctl enable arpwatch; systemctl start arpwatch
2.
3.

Actual results:

Not running

Dec 11 05:03:14 HOST arpwatch[2542]: pcap_setfilter: can't remove kernel filter: Bad file descriptor
Dec 11 05:03:14 HOST systemd[1]: arpwatch.service: Main process exited, code=exited, status=1/FAILURE
Dec 11 05:03:14 HOST systemd[1]: arpwatch.service: Unit entered failed state.
Dec 11 05:03:14 HOST systemd[1]: arpwatch.service: Failed with result 'exit-code'.

# grep arpwatch /var/log/audit/audit.log  |grep denied
type=AVC msg=audit(1512968529.409:828): avc:  denied  { map } for  pid=2508 comm="arpwatch" path="socket:[34040]" dev="sockfs" ino=34040 scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:system_r:arpwatch_t:s0 tclass=packet_socket permissive=0
type=AVC msg=audit(1512968529.428:829): avc:  denied  { map } for  pid=2508 comm="arpwatch" path="socket:[34042]" dev="sockfs" ino=34042 scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:system_r:arpwatch_t:s0 tclass=packet_socket permissive=0
type=AVC msg=audit(1512968529.456:830): avc:  denied  { map } for  pid=2508 comm="arpwatch" path="socket:[34044]" dev="sockfs" ino=34044 scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:system_r:arpwatch_t:s0 tclass=packet_socket permissive=0
type=AVC msg=audit(1512968529.477:831): avc:  denied  { map } for  pid=2508 comm="arpwatch" path="socket:[34046]" dev="sockfs" ino=34046 scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:system_r:arpwatch_t:s0 tclass=packet_socket permissive=0
type=AVC msg=audit(1512968529.490:832): avc:  denied  { map } for  pid=2508 comm="arpwatch" path="/dev/usbmon0" dev="devtmpfs" ino=12186 scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1512968529.490:833): avc:  denied  { map } for  pid=2508 comm="arpwatch" path="/dev/usbmon3" dev="devtmpfs" ino=1133 scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1512968529.542:834): avc:  denied  { map } for  pid=2508 comm="arpwatch" path="/dev/usbmon1" dev="devtmpfs" ino=1124 scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1512968529.549:835): avc:  denied  { map } for  pid=2508 comm="arpwatch" path="/dev/usbmon2" dev="devtmpfs" ino=1130 scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1512968529.614:837): avc:  denied  { map } for  pid=2508 comm="arpwatch" path="socket:[34054]" dev="sockfs" ino=34054 scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:system_r:arpwatch_t:s0 tclass=packet_socket permissive=0


Expected results:

running

Additional info:

arpwatch had issues starting automatically on fc26 also but a 'systemctl start arpwatch' fixed it always;
not so on fc27.

selinux is stopping this clearly... these audit2allow generated
rules seem to make it go:

--
# grep arpwatch /var/log/audit/audit.log |grep denied |audit2allow -M arpwatch1
# cat arpwatch1.te

module arpwatch1 1.0;

require {
        type usbmon_device_t;
        type arpwatch_t;
        class packet_socket map;
        class chr_file map;
}

#============= arpwatch_t ==============
allow arpwatch_t self:packet_socket map;
allow arpwatch_t usbmon_device_t:chr_file map;

# semodule -i arpwatch1.pp
# systemctl start arpwatch
--
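As an added example (not part of the reporter's post, and not Fedora's or audit2allow's own code), the following Python script does by hand what the audit2allow step above does: it parses AVC records out of audit.log text, reduces each denial to a (source type, target type, class, permission) tuple, folds denials whose source and target type coincide into a `self` rule, and emits an equivalent `.te` module. The sample input embeds three of the AVC lines from the report plus one constructed non-AVC `SYSCALL` record to show that unrelated records are skipped; the function and module names are the example's own.

```python
import re
from collections import OrderedDict, namedtuple

# Constructed sample input: three AVC records copied from the report above and one
# made-up SYSCALL record (constructed, not from the page) that the parser must ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1512968529.409:828): avc:  denied  { map } for  pid=2508 comm="arpwatch" path="socket:[34040]" dev="sockfs" ino=34040 scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:system_r:arpwatch_t:s0 tclass=packet_socket permissive=0
type=SYSCALL msg=audit(1512968529.409:828): arch=c000003e syscall=9 success=no exit=-13 comm="arpwatch" exe="/usr/sbin/arpwatch" subj=system_u:system_r:arpwatch_t:s0 key=(null)
type=AVC msg=audit(1512968529.490:832): avc:  denied  { map } for  pid=2508 comm="arpwatch" path="/dev/usbmon0" dev="devtmpfs" ino=12186 scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1512968529.614:837): avc:  denied  { map } for  pid=2508 comm="arpwatch" path="socket:[34054]" dev="sockfs" ino=34054 scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:system_r:arpwatch_t:s0 tclass=packet_socket permissive=0
"""

# One AVC denial record: the permissions set, the process name, both security
# contexts, the object class and (on newer kernels) the permissive flag.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

Denial = namedtuple("Denial", "comm source target tclass perm enforcing")


def type_of(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Return one Denial per (record, permission) pair found in audit.log text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, USER_AVC and other record types are skipped
        for perm in m.group("perms").split():  # a record may list several perms
            denials.append(Denial(
                comm=m.group("comm"),
                source=type_of(m.group("scontext")),
                target=type_of(m.group("tcontext")),
                tclass=m.group("tclass"),
                perm=perm,
                # permissive=1 means the access was logged but not blocked
                enforcing=m.group("permissive") != "1",
            ))
    return denials


def _perm_set(perms):
    uniq = sorted(set(perms))
    return uniq[0] if len(uniq) == 1 else "{ " + " ".join(uniq) + " }"


def allow_rules(denials):
    """Fold denials into allow rules in first-seen order, using `self` where
    source and target type are the same (as audit2allow does)."""
    grouped = OrderedDict()
    for d in denials:
        target = "self" if d.target == d.source else d.target
        grouped.setdefault((d.source, target, d.tclass), []).append(d.perm)
    return [f"allow {src} {tgt}:{cls} {_perm_set(perms)};"
            for (src, tgt, cls), perms in grouped.items()]


def build_te_module(name, denials, version="1.0"):
    """Render a complete .te policy module (require block plus allow rules)."""
    types = sorted({d.source for d in denials} | {d.target for d in denials})
    classes = OrderedDict()
    for d in denials:
        classes.setdefault(d.tclass, []).append(d.perm)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {_perm_set(perms)};" for cls, perms in classes.items()]
    lines += ["}", ""] + allow_rules(denials)
    return "\n".join(lines) + "\n"


def enforcing_denials(denials):
    """Only denials that actually blocked an access (not permissive-mode noise)."""
    return [d for d in denials if d.enforcing]


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT)
    print(f"{len(found)} denials, {len(enforcing_denials(found))} in enforcing mode")
    print(build_te_module("arpwatch1", found))
```

Run against the real file with `grep arpwatch /var/log/audit/audit.log`, the script produces the same two allow rules the reporter got from audit2allow. The `enforcing` flag matters when reviewing such output: denials logged under `permissive=1` never blocked anything, so they are candidates for a narrower rule or a dontaudit rather than an automatic allow.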

Comment 1 Jan Synacek 2017-12-11 07:13:45 UTC
Nothing changed in arpwatch.

Comment 2 Fedora Update System 2017-12-13 08:26:57 UTC
selinux-policy-3.13.1-283.18.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502

Comment 3 Fedora Update System 2017-12-14 11:12:18 UTC
selinux-policy-3.13.1-283.18.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502

Comment 4 Fedora Update System 2017-12-20 11:24:44 UTC
selinux-policy-3.13.1-283.19.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502

Comment 5 Fedora Update System 2017-12-21 20:21:22 UTC
selinux-policy-3.13.1-283.19.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502

Comment 6 Fedora Update System 2018-01-02 16:48:11 UTC
selinux-policy-3.13.1-283.19.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

