Bug 1574383 - map AVCs for dhclient after selinux-policy update
Summary: map AVCs for dhclient after selinux-policy update
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: pre-dev-freeze
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1568427 1574389 1574392 1574394
Reported: 2018-05-03 07:42 UTC by Tomas Pelka
Modified: 2019-01-29 11:41 UTC
CC: 7 users

Fixed In Version: selinux-policy-3.13.1-197.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1574389 1574392 1574394
Environment:
Last Closed: 2018-10-30 10:03:50 UTC
Target Upstream Version:
Embargoed:


Attachments
map AVCs (165.50 KB, text/plain), 2018-05-03 07:53 UTC, Tomas Pelka, no flags
selinux output of dhclient (includes all the steps) (18.79 KB, text/plain), 2018-07-10 01:35 UTC, Tianhao, no flags


Links
Red Hat Product Errata RHBA-2018:3111 (last updated 2018-10-30 10:04:28 UTC)

Description Tomas Pelka 2018-05-03 07:42:42 UTC
Description of problem:
Seems that the new map permissions added in -193 deny dhclient and eventually end up with a system without an IPv4 address.

Version-Release number of selected component (if applicable):
kernel-3.10.0-878.el7
selinux-policy-targeted-3.13.1-193.el7
selinux-policy-3.13.1-193.el7

How reproducible:
100%

Steps to Reproduce:
1. 
2.
3.

Actual results:
May 03 08:12:25 placka kernel: type=1400 audit(1525327945.065:628): avc:  denied  { map } for  pid=6163 comm="dhclient" path="/usr/sbin/dhclient" dev="dm-4" ino=109060780 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_exec_t:s0 tclass=file permissive=0

May 03 08:14:25 placka kernel: type=1400 audit(1525328065.811:651): avc:  denied  { map } for  pid=6676 comm="dhclient" path="/usr/sbin/dhclient" dev="dm-4" ino=109060780 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_exec_t:s0 tclass=file permissive=0


Expected results:


Additional info:
Workaround:
either setenforce 0
or downgrading to selinux-policy-targeted-3.13.1-192.el7_5.3.noarch selinux-policy-3.13.1-192.el7_5.3

Comment 1 Tomas Pelka 2018-05-03 07:53:28 UTC
Created attachment 1430552 [details]
map AVCs

Seems this is not happening only for dhclient; here is the full list of map-related AVCs.

Comment 4 Tianhao 2018-07-03 07:46:40 UTC
It seems that it still does not work. I tried with selinux-policy 204.el7, and it did not configure the interface with an IPv4 address.
It seems the problem is related to:
"
/usr/sbin/dhclient-script: line 734: 11610 Killed                  ip link set dev ${interface} up
/usr/sbin/dhclient-script: line 734: 11630 Killed                  arping -D -q -c2 -I ${interface} ${new_ip_address}
/usr/sbin/dhclient-script: line 335: 11642 Killed                  ip link set dev ${interface} up
/usr/sbin/dhclient-script: line 335: 11643 Killed                  ip -4 addr replace ${new_ip_address}/${new_prefix} broadcast ${new_broadcast_address} dev ${interface} valid_lft ${new_dhcp_lease_time} preferred_lft ${new_dhcp_lease_time} > /dev/null 2>&1
"

[root@hp-dl385g7-02 ~]# uname -r
3.10.0-915.el7.x86_64
[root@hp-dl385g7-02 ~]# rpm -qi selinux-policy
Name        : selinux-policy
Version     : 3.13.1
Release     : 204.el7
Architecture: noarch
Install Date: Tue 03 Jul 2018 03:12:25 AM EDT
Group       : System Environment/Base
Size        : 6478
License     : GPLv2+
Signature   : RSA/SHA256, Thu 14 Jun 2018 02:58:39 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : selinux-policy-3.13.1-204.el7.src.rpm
Build Date  : Thu 14 Jun 2018 12:52:43 PM EDT
Build Host  : arm64-011.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117
[root@hp-dl385g7-02 ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp4s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:b3:cc:e1:ba:ba brd ff:ff:ff:ff:ff:ff
    inet 10.73.130.61/23 brd 10.73.131.255 scope global noprefixroute dynamic enp4s0f0
       valid_lft 42606sec preferred_lft 42606sec
    inet6 2620:52:0:4982:a2b3:ccff:fee1:baba/64 scope global noprefixroute dynamic 
       valid_lft 2591999sec preferred_lft 604799sec
    inet6 fe80::a2b3:ccff:fee1:baba/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: enp4s0f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether a0:b3:cc:e1:ba:bc brd ff:ff:ff:ff:ff:ff
4: enp5s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:b3:cc:e1:ba:be brd ff:ff:ff:ff:ff:ff
5: enp5s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:b3:cc:e1:ba:c0 brd ff:ff:ff:ff:ff:ff
6: ens1f0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 00:10:18:ab:b3:90 brd ff:ff:ff:ff:ff:ff
7: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:15:17:19:62:a5 brd ff:ff:ff:ff:ff:ff
8: ens1f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 00:10:18:ab:b3:91 brd ff:ff:ff:ff:ff:ff
9: ens1f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:10:18:ab:b3:92 brd ff:ff:ff:ff:ff:ff
10: ens1f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:10:18:ab:b3:93 brd ff:ff:ff:ff:ff:ff
[root@hp-dl385g7-02 ~]# ethtool -i ens1f2
driver: tg3
version: 3.137
firmware-version: 5719-v1.20
expansion-rom-version: 
bus-info: 0000:06:00.2
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no
[root@hp-dl385g7-02 ~]# dhclient -v ens1f2
Internet Systems Consortium DHCP Client 4.2.5
Copyright 2004-2013 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

/usr/sbin/dhclient-script: line 734: 11610 Killed                  ip link set dev ${interface} up
Listening on LPF/ens1f2/00:10:18:ab:b3:92
Sending on   LPF/ens1f2/00:10:18:ab:b3:92
Sending on   Socket/fallback
DHCPDISCOVER on ens1f2 to 255.255.255.255 port 67 interval 4 (xid=0x51a03a41)
DHCPREQUEST on ens1f2 to 255.255.255.255 port 67 (xid=0x51a03a41)
DHCPOFFER from 192.168.1.253
DHCPACK from 192.168.1.253 (xid=0x51a03a41)
/usr/sbin/dhclient-script: line 734: 11630 Killed                  arping -D -q -c2 -I ${interface} ${new_ip_address}
/usr/sbin/dhclient-script: line 335: 11642 Killed                  ip link set dev ${interface} up
/usr/sbin/dhclient-script: line 335: 11643 Killed                  ip -4 addr replace ${new_ip_address}/${new_prefix} broadcast ${new_broadcast_address} dev ${interface} valid_lft ${new_dhcp_lease_time} preferred_lft ${new_dhcp_lease_time} > /dev/null 2>&1
bound to 192.168.1.150 -- renewal in 33403 seconds.
[root@hp-dl385g7-02 ~]# ip addr show ens1f2
9: ens1f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:10:18:ab:b3:92 brd ff:ff:ff:ff:ff:ff
[root@hp-dl385g7-02 ~]# getenforce 
Enforcing
[root@hp-dl385g7-02 ~]# setenforce 0
[root@hp-dl385g7-02 ~]# pkill dhclient 
[root@hp-dl385g7-02 ~]# dhclient -v ens1f2
Internet Systems Consortium DHCP Client 4.2.5
Copyright 2004-2013 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/ens1f2/00:10:18:ab:b3:92
Sending on   LPF/ens1f2/00:10:18:ab:b3:92
Sending on   Socket/fallback
DHCPREQUEST on ens1f2 to 255.255.255.255 port 67 (xid=0x56fbf202)
DHCPACK from 192.168.1.253 (xid=0x56fbf202)
bound to 192.168.1.150 -- renewal in 42810 seconds.
[root@hp-dl385g7-02 ~]# ip addr show ens1f2
9: ens1f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:10:18:ab:b3:92 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.150/24 brd 192.168.1.255 scope global dynamic ens1f2
       valid_lft 86394sec preferred_lft 86394sec
[root@hp-dl385g7-02 ~]# ping 192.168.1.254
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
64 bytes from 192.168.1.254: icmp_seq=2 ttl=255 time=4.75 ms
64 bytes from 192.168.1.254: icmp_seq=3 ttl=255 time=0.685 ms
64 bytes from 192.168.1.254: icmp_seq=4 ttl=255 time=0.967 ms
64 bytes from 192.168.1.254: icmp_seq=5 ttl=255 time=0.829 ms
--- 192.168.1.254 ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4003ms
rtt min/avg/max/mdev = 0.685/1.808/4.751/1.702 ms

reference job link:
https://beaker.engineering.redhat.com/jobs/2588236

Comment 5 Milos Malik 2018-07-09 10:19:57 UTC
Please collect SELinux denials on your machine and attach them here:

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Comment 6 Tianhao 2018-07-10 01:35:14 UTC
Created attachment 1457626 [details]
selinux output of dhclient (includes all the steps)

Comment 7 Milos Malik 2018-07-10 06:53:05 UTC
Thank you, Tianhao.

The following policy rules are needed:

allow dhcpc_t hostname_exec_t:file map;
allow dhcpc_t ifconfig_exec_t:file map;
allow dhcpc_t netutils_exec_t:file map;

Switching to ASSIGNED because the bug fix is not complete.

Comment 8 Lukas Vrabec 2018-07-17 15:51:49 UTC
# sesearch -A -s dhcpc_t -t hostname_exec_t -c file -p map
Found 1 semantic av rules:
   allow dhcpc_t hostname_exec_t : file { read getattr map execute open } ; 

# sesearch -A -s dhcpc_t -t ifconfig_exec_t -c file -p map
Found 1 semantic av rules:
   allow dhcpc_t ifconfig_exec_t : file { read getattr map execute open } ; 

# sesearch -A -s dhcpc_t -t netutils_exec_t -c file -p map
Found 1 semantic av rules:
   allow dhcpc_t netutils_exec_t : file { read getattr map execute open } ; 

# rpm -q selinux-policy
selinux-policy-3.13.1-207.el7.noarch


Looks fixed on my system.
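
To show how the denials collected in comment 5, the rules in comment 7 and the sesearch check in comment 8 fit together, here is an added example that is not part of the bug or of selinux-policy: it parses map denials into (source type, target type, class, permission) tuples, subtracts the rules comment 8 shows are already installed in -207, and emits a local .te module for whatever remains. It is a small stand-in for what audit2allow does; the audit lines, the module name and the installed-rule set are constructed for the example, and a generated rule is a candidate for review, not something to load unread.

```python
import re
# Constructed sample denials modelled on this bug: one journal line (type=1400) and three
# audit.log lines (type=AVC); the parser only needs the "avc:" part of either format.
SAMPLE_AUDIT = """\
May 03 08:12:25 placka kernel: type=1400 audit(1525327945.065:628): avc:  denied  { map } for  pid=6163 comm="dhclient" path="/usr/sbin/dhclient" dev="dm-4" ino=109060780 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1531200000.100:700): avc:  denied  { map } for  pid=11642 comm="ip" path="/usr/sbin/ip" dev="dm-4" ino=1234 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1531200001.200:701): avc:  denied  { map } for  pid=11643 comm="hostname" path="/usr/bin/hostname" dev="dm-4" ino=5678 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1531200002.300:702): avc:  denied  { map } for  pid=11650 comm="arping" path="/usr/sbin/arping" dev="dm-4" ino=9012 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=0
"""

# The type is the third colon-separated field of scontext / tcontext (user:role:type:level).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+).*?"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+).*?"
    r"tclass=(?P<tclass>\w+)"
)

def parse_denials(audit_text):
    """Return the set of (source_type, target_type, class, permission) tuples denied."""
    denials = set()
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            for perm in m.group("perms").split():
                denials.add((m.group("stype"), m.group("ttype"), m.group("tclass"), perm))
    return denials

def uncovered(denials, installed):
    """Denials not already allowed by the installed policy (what 'sesearch -A ... -p map' confirms)."""
    return sorted(d for d in denials if d not in installed)

def allow_rules(denials):
    """One allow rule per (source, target, class), permissions merged and sorted."""
    grouped = {}
    for stype, ttype, tclass, perm in denials:
        grouped.setdefault((stype, ttype, tclass), set()).add(perm)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

def te_module(name, denials):
    """Complete .te source for the rules (input to checkmodule / semodule_package)."""
    types = sorted({t for d in denials for t in d[:2]})
    classes = {c: " ".join(sorted({p for _, _, c2, p in denials if c2 == c})) for c in {d[2] for d in denials}}
    req = [f"\ttype {t};" for t in types] + [f"\tclass {c} {{ {ps} }};" for c, ps in sorted(classes.items())]
    return "\n".join([f"module {name} 1.0;", "", "require {", *req, "}", "", *allow_rules(denials), ""])

if __name__ == "__main__":
    # Constructed stand-in for the rules comment 8 shows already present in -207.
    installed = {("dhcpc_t", t, "file", "map") for t in ("hostname_exec_t", "ifconfig_exec_t", "netutils_exec_t")}
    print(te_module("local_dhclient_map", uncovered(parse_denials(SAMPLE_AUDIT), installed)))
```

On a real host the input would be the output of the ausearch command from comment 5, and the module would be compiled and loaded only after each emitted rule has been checked against what the denied process legitimately needs.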

Comment 11 errata-xmlrpc 2018-10-30 10:03:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

