Bug 1544189 - selinux is blocking the iptables script
Summary: selinux is blocking the iptables script
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-02-11 07:31 UTC by Robin Powell
Modified: 2018-05-29 05:21 UTC (History)

Fixed In Version: selinux-policy-3.13.1-283.29.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-27 20:14:16 UTC
Type: Bug
Embargoed:



Description Robin Powell 2018-02-11 07:31:24 UTC
This is on a system with unconfined disabled.

The iptables restart script does a bunch of weird things like module loading and unloading.  It's this one:

rlpowell@stodi> ls -lZ /usr/libexec/iptables/iptables.init
-rwxr-xr-x. 1 root root system_u:object_r:iptables_exec_t:s0 11047 Aug  3  2017 /usr/libexec/iptables/iptables.init*

and running

rlpowell@stodi> sudo service iptables restart

generates:

type=AVC msg=audit(1518334082.802:50546003): avc:  denied  { read write } for  pid=3852 comm="lsmod" path="socket:[320907725]" dev="sockfs" ino=320907725 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1518334082.817:50546007): avc:  denied  { module_load } for  pid=3859 comm="modprobe" scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=system permissive=1
type=AVC msg=audit(1518334085.140:50546019): avc:  denied  { read write } for  pid=3879 comm="sh" path="socket:[320908602]" dev="sockfs" ino=320908602 scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_screen_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1518334085.142:50546020): avc:  denied  { ioctl } for  pid=3879 comm="sh" path="socket:[320908602]" dev="sockfs" ino=320908602 ioctlcmd=0x5401 scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_screen_t:s0 tclass=unix_stream_socket permissive=1

I'm not sure what the screen_t stuff is about, although I do use tmux for everything, but it does all 4 of those even when I'm not running it under tmux.

The module_load part is the big one; because "sudo service iptables stop" unloads a bunch of relevant modules (which is *not* blocked, by the way) an iptables start or restart can't work because it doesn't have a bunch of the modules it needs.

Comment 1 Lukas Vrabec 2018-03-06 16:24:54 UTC
# audit2allow -i avc 


#============= insmod_t ==============

#!!!! This avc is allowed in the current policy
allow insmod_t init_t:unix_stream_socket { read write };

#!!!! This avc is allowed in the current policy
allow insmod_t self:system module_load;

#============= user_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow user_t user_screen_t:unix_stream_socket { ioctl read write };

# rpm -q selinux-policy 
selinux-policy-3.13.1-283.26.fc27.noarch

Please update to the current version of the selinux-policy rpm package.

Lukas.
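
Added example, not code from this bug or from the selinux-policy project: a small parser that turns AVC records like the ones quoted above into audit2allow-style allow rules, merging permissions per (source type, target type, class) the way audit2allow does, and flagging rules that were recorded with permissive=0, since only those denials were actually enforced. The sample records are the ones quoted in this bug.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in this bug (description and comment 6).
SAMPLE_AVCS = """\
type=AVC msg=audit(1518334082.802:50546003): avc:  denied  { read write } for  pid=3852 comm="lsmod" path="socket:[320907725]" dev="sockfs" ino=320907725 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1518334082.817:50546007): avc:  denied  { module_load } for  pid=3859 comm="modprobe" scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=system permissive=1
type=AVC msg=audit(1518334085.140:50546019): avc:  denied  { read write } for  pid=3879 comm="sh" path="socket:[320908602]" dev="sockfs" ino=320908602 scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_screen_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1518334085.142:50546020): avc:  denied  { ioctl } for  pid=3879 comm="sh" path="socket:[320908602]" dev="sockfs" ino=320908602 ioctlcmd=0x5401 scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_screen_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1527571260.489:72269492): avc:  denied  { read write } for  pid=1121 comm="lsmod" path="socket:[430924691]" dev="sockfs" ino=430924691 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
"""

# Pull out the fields audit2allow keys on (permissions, source/target context, class)
# plus the permissive flag, which tells whether the denial was actually enforced.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return (stype, ttype, tclass, perms, permissive) or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]   # context is user:role:TYPE:level
    ttype = m.group("tcontext").split(":")[2]
    ttype = "self" if ttype == stype else ttype  # audit2allow writes 'self' for same type
    return stype, ttype, m.group("tclass"), set(m.group("perms").split()), m.group("permissive") == "1"

def allow_rules(lines):
    """Merge denials into allow rules; rules seen with permissive=0 are flagged."""
    merged, enforced = defaultdict(set), set()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        stype, ttype, tclass, perms, permissive = d
        merged[(stype, ttype, tclass)] |= perms
        if not permissive:
            enforced.add((stype, ttype, tclass))
    rules = []
    for key, perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        perm_str = p if len(perms) == 1 else "{ " + p + " }"
        flag = "  # seen with permissive=0: blocked in enforcing mode" if key in enforced else ""
        rules.append(f"allow {key[0]} {key[1]}:{key[2]} {perm_str};{flag}")
    return rules
```

Running `allow_rules(SAMPLE_AVCS.splitlines())` reproduces the three rules audit2allow printed in comment 1, with the lsmod/init_t socket rule flagged because comment 6 recorded it in enforcing mode.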

Comment 2 Robin Powell 2018-03-19 05:47:19 UTC
I'm not seeing it in the current release.  Perhaps it is relevant that I'm running with unconfined disabled?

rlpowell@vrici> echo '
type=AVC msg=audit(1521438345.053:8842223): avc:  denied  { module_load } for  pid=19455 comm="modprobe" scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=system permissive=1

' | audit2allow -R

require {
        type insmod_t;
        class system module_load;
}

#============= insmod_t ==============
allow insmod_t self:system module_load;
rlpowell@vrici> sudo dnf list installed '*selinux*'
[sudo] password for rlpowell:
Installed Packages
container-selinux.noarch        2:2.55-1.fc27        @updates-testing
libselinux.x86_64               2.7-3.fc27           @updates
libselinux-devel.x86_64         2.7-3.fc27           @updates
libselinux-python.x86_64        2.7-3.fc27           @updates
libselinux-python3.x86_64       2.7-3.fc27           @updates
libselinux-ruby.x86_64          2.7-3.fc27           @updates
libselinux-utils.x86_64         2.7-3.fc27           @updates
rpm-plugin-selinux.x86_64       4.14.1-1.fc27        @updates
selinux-policy.noarch           3.13.1-283.28.fc27   @updates-testing
selinux-policy-devel.noarch     3.13.1-283.28.fc27   @updates-testing
selinux-policy-doc.noarch       3.13.1-283.28.fc27   @updates-testing
selinux-policy-targeted.noarch  3.13.1-283.28.fc27   @updates-testing

Comment 3 Fedora Update System 2018-03-25 13:14:01 UTC
selinux-policy-3.13.1-283.29.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ad9976b6a2

Comment 4 Fedora Update System 2018-03-25 22:42:09 UTC
selinux-policy-3.13.1-283.29.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ad9976b6a2

Comment 5 Fedora Update System 2018-03-27 20:14:16 UTC
selinux-policy-3.13.1-283.29.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Robin Powell 2018-05-29 05:21:46 UTC
With

rlpowell@stodi> rpm -q selinux-policy
selinux-policy-3.13.1-283.34.fc27.noarch

I'm still seeing:

type=AVC msg=audit(1527571260.489:72269492): avc:  denied  { read write } for  pid=1121 comm="lsmod" path="socket:[430924691]" dev="sockfs" ino=430924691 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0

but the reload works, so if you think that's OK, then that's fine.  The other AVCs are gone.

