Hide Forgot
Description of problem: Seems that new map permissions added in -193 denies dhclient nd end up with system without ipv4 address eventually. Version-Release number of selected component (if applicable): kernel-3.10.0-878.el7 selinux-policy-targeted-3.13.1-193.el7 selinux-policy-3.13.1-193.el7 How reproducible: 100% Steps to Reproduce: 1. 2. 3. Actual results: May 03 08:12:25 placka kernel: type=1400 audit(1525327945.065:628): avc: denied { map } for pid=6163 comm="dhclient" path="/usr/sbin/dhclient" dev="dm-4" ino=109060780 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_exec_t:s0 tclass=file permissive=0 May 03 08:14:25 placka kernel: type=1400 audit(1525328065.811:651): avc: denied { map } for pid=6676 comm="dhclient" path="/usr/sbin/dhclient" dev="dm-4" ino=109060780 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_exec_t:s0 tclass=file permissive=0 Expected results: Additional info: Wokaround: either setenforce 0 or downgrading to selinux-policy-targeted-3.13.1-192.el7_5.3.noarch selinux-policy-3.13.1-192.el7_5.3
Created attachment 1430552 [details] map AVCs Seems this is no happening only for dhclient, here is the full list of map related AVC's
It seems that still not work. I tried with selinux-policy 204.el7, and it did not config the interface with ipv4 address. seems the problem is related to " /usr/sbin/dhclient-script: line 734: 11610 Killed ip link set dev ${interface} up /usr/sbin/dhclient-script: line 734: 11630 Killed arping -D -q -c2 -I ${interface} ${new_ip_address} /usr/sbin/dhclient-script: line 335: 11642 Killed ip link set dev ${interface} up /usr/sbin/dhclient-script: line 335: 11643 Killed ip -4 addr replace ${new_ip_address}/${new_prefix} broadcast ${new_broadcast_address} dev ${interface} valid_lft ${new_dhcp_lease_time} preferred_lft ${new_dhcp_lease_time} > /dev/null 2>&1 " [root@hp-dl385g7-02 ~]# uname -r 3.10.0-915.el7.x86_64 [root@hp-dl385g7-02 ~]# rpm -qi selinux-policy Name : selinux-policy Version : 3.13.1 Release : 204.el7 Architecture: noarch Install Date: Tue 03 Jul 2018 03:12:25 AM EDT Group : System Environment/Base Size : 6478 License : GPLv2+ Signature : RSA/SHA256, Thu 14 Jun 2018 02:58:39 PM EDT, Key ID 199e2f91fd431d51 Source RPM : selinux-policy-3.13.1-204.el7.src.rpm Build Date : Thu 14 Jun 2018 12:52:43 PM EDT Build Host : arm64-011.build.eng.bos.redhat.com Relocations : (not relocatable) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Vendor : Red Hat, Inc. URL : http://oss.tresys.com/repos/refpolicy/ Summary : SELinux policy configuration Description : SELinux Reference Policy - modular. Based off of reference policy: Checked out revision 2.20091117 [root@hp-dl385g7-02 ~]# ip addr show 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: enp4s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether a0:b3:cc:e1:ba:ba brd ff:ff:ff:ff:ff:ff inet 10.73.130.61/23 brd 10.73.131.255 scope global noprefixroute dynamic enp4s0f0 valid_lft 42606sec preferred_lft 42606sec inet6 2620:52:0:4982:a2b3:ccff:fee1:baba/64 scope global noprefixroute dynamic valid_lft 2591999sec preferred_lft 604799sec inet6 fe80::a2b3:ccff:fee1:baba/64 scope link noprefixroute valid_lft forever preferred_lft forever 3: enp4s0f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000 link/ether a0:b3:cc:e1:ba:bc brd ff:ff:ff:ff:ff:ff 4: enp5s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether a0:b3:cc:e1:ba:be brd ff:ff:ff:ff:ff:ff 5: enp5s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether a0:b3:cc:e1:ba:c0 brd ff:ff:ff:ff:ff:ff 6: ens1f0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000 link/ether 00:10:18:ab:b3:90 brd ff:ff:ff:ff:ff:ff 7: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 00:15:17:19:62:a5 brd ff:ff:ff:ff:ff:ff 8: ens1f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000 link/ether 00:10:18:ab:b3:91 brd ff:ff:ff:ff:ff:ff 9: ens1f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:10:18:ab:b3:92 brd ff:ff:ff:ff:ff:ff 10: ens1f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:10:18:ab:b3:93 brd ff:ff:ff:ff:ff:ff [root@hp-dl385g7-02 ~]# ethtool -i ens1f2 driver: tg3 version: 3.137 firmware-version: 5719-v1.20 expansion-rom-version: bus-info: 0000:06:00.2 supports-statistics: yes supports-test: yes supports-eeprom-access: yes supports-register-dump: yes supports-priv-flags: no [root@hp-dl385g7-02 ~]# dhclient -v ens1f2 Internet Systems Consortium DHCP Client 4.2.5 Copyright 2004-2013 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ /usr/sbin/dhclient-script: line 734: 11610 Killed ip link set dev ${interface} up Listening on LPF/ens1f2/00:10:18:ab:b3:92 Sending on LPF/ens1f2/00:10:18:ab:b3:92 Sending on Socket/fallback DHCPDISCOVER on ens1f2 to 255.255.255.255 port 67 interval 4 (xid=0x51a03a41) DHCPREQUEST on ens1f2 to 255.255.255.255 port 67 (xid=0x51a03a41) DHCPOFFER from 192.168.1.253 DHCPACK from 192.168.1.253 (xid=0x51a03a41) /usr/sbin/dhclient-script: line 734: 11630 Killed arping -D -q -c2 -I ${interface} ${new_ip_address} /usr/sbin/dhclient-script: line 335: 11642 Killed ip link set dev ${interface} up /usr/sbin/dhclient-script: line 335: 11643 Killed ip -4 addr replace ${new_ip_address}/${new_prefix} broadcast ${new_broadcast_address} dev ${interface} valid_lft ${new_dhcp_lease_time} preferred_lft ${new_dhcp_lease_time} > /dev/null 2>&1 bound to 192.168.1.150 -- renewal in 33403 seconds. [root@hp-dl385g7-02 ~]# ip addr show ens1f2 9: ens1f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:10:18:ab:b3:92 brd ff:ff:ff:ff:ff:ff [root@hp-dl385g7-02 ~]# getenforce Enforcing [root@hp-dl385g7-02 ~]# setenforce 0 [root@hp-dl385g7-02 ~]# pkill dhclient [root@hp-dl385g7-02 ~]# dhclient -v ens1f2 Internet Systems Consortium DHCP Client 4.2.5 Copyright 2004-2013 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Listening on LPF/ens1f2/00:10:18:ab:b3:92 Sending on LPF/ens1f2/00:10:18:ab:b3:92 Sending on Socket/fallback DHCPREQUEST on ens1f2 to 255.255.255.255 port 67 (xid=0x56fbf202) DHCPACK from 192.168.1.253 (xid=0x56fbf202) bound to 192.168.1.150 -- renewal in 42810 seconds. [root@hp-dl385g7-02 ~]# ip addr show ens1f2 9: ens1f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:10:18:ab:b3:92 brd ff:ff:ff:ff:ff:ff inet 192.168.1.150/24 brd 192.168.1.255 scope global dynamic ens1f2 valid_lft 86394sec preferred_lft 86394sec [root@hp-dl385g7-02 ~]# ping 192.168.1.254 PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data. 64 bytes from 192.168.1.254: icmp_seq=2 ttl=255 time=4.75 ms 64 bytes from 192.168.1.254: icmp_seq=3 ttl=255 time=0.685 ms 64 bytes from 192.168.1.254: icmp_seq=4 ttl=255 time=0.967 ms 64 bytes from 192.168.1.254: icmp_seq=5 ttl=255 time=0.829 ms --- 192.168.1.254 ping statistics --- 5 packets transmitted, 4 received, 20% packet loss, time 4003ms rtt min/avg/max/mdev = 0.685/1.808/4.751/1.702 ms reference job link: https://beaker.engineering.redhat.com/jobs/2588236
Please collect SELinux denials on your machine and attach them here: # ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
Created attachment 1457626 [details] selinux output of dhclient (includes all the steps)
Thank you, Tianhao. Following policy rules are needed: allow dhcpc_t hostname_exec_t:file map; allow dhcpc_t ifconfig_exec_t:file map; allow dhcpc_t netutils_exec_t:file map; Switching to ASSIGNED because the bug fix is not complete.
# sesearch -A -s dhcpc_t -t hostname_exec_t -c file -p map Found 1 semantic av rules: allow dhcpc_t hostname_exec_t : file { read getattr map execute open } ; # sesearch -A -s dhcpc_t -t ifconfig_exec_t -c file -p map Found 1 semantic av rules: allow dhcpc_t ifconfig_exec_t : file { read getattr map execute open } ; # sesearch -A -s dhcpc_t -t netutils_exec_t -c file -p map Found 1 semantic av rules: allow dhcpc_t netutils_exec_t : file { read getattr map execute open } ; # rpm -q selinux-policy selinux-policy-3.13.1-207.el7.noarch Looks fixed on my system.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3111