Bug 1574383
| Field | Value |
|---|---|
| Summary | map AVCs for dhclient after selinux-policy update |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Tomas Pelka <tpelka> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | high |
| Priority | high |
| Docs Contact | |
| Version | 7.6 |
| CC | jstodola, lvrabec, mgrepl, mmalik, plautrba, ssekidde, tizhao |
| Target Milestone | pre-dev-freeze |
| Keywords | TestBlocker |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | selinux-policy-3.13.1-197.el7 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Clones | 1574389 1574392 1574394 (view as bug list) |
| Environment | |
| Last Closed | 2018-10-30 10:03:50 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1568427, 1574389, 1574392, 1574394 |
Created attachment 1430552 [details]
map AVCs
It seems this is not happening only for dhclient; here is the full list of map-related AVCs.
It seems that it still does not work. I tried with selinux-policy 204.el7, and it did not configure the interface with an ipv4 address.
It seems the problem is related to
"
/usr/sbin/dhclient-script: line 734: 11610 Killed ip link set dev ${interface} up
/usr/sbin/dhclient-script: line 734: 11630 Killed arping -D -q -c2 -I ${interface} ${new_ip_address}
/usr/sbin/dhclient-script: line 335: 11642 Killed ip link set dev ${interface} up
/usr/sbin/dhclient-script: line 335: 11643 Killed ip -4 addr replace ${new_ip_address}/${new_prefix} broadcast ${new_broadcast_address} dev ${interface} valid_lft ${new_dhcp_lease_time} preferred_lft ${new_dhcp_lease_time} > /dev/null 2>&1
"
[root@hp-dl385g7-02 ~]# uname -r
3.10.0-915.el7.x86_64
[root@hp-dl385g7-02 ~]# rpm -qi selinux-policy
Name : selinux-policy
Version : 3.13.1
Release : 204.el7
Architecture: noarch
Install Date: Tue 03 Jul 2018 03:12:25 AM EDT
Group : System Environment/Base
Size : 6478
License : GPLv2+
Signature : RSA/SHA256, Thu 14 Jun 2018 02:58:39 PM EDT, Key ID 199e2f91fd431d51
Source RPM : selinux-policy-3.13.1-204.el7.src.rpm
Build Date : Thu 14 Jun 2018 12:52:43 PM EDT
Build Host : arm64-011.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor : Red Hat, Inc.
URL : http://oss.tresys.com/repos/refpolicy/
Summary : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
[root@hp-dl385g7-02 ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp4s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether a0:b3:cc:e1:ba:ba brd ff:ff:ff:ff:ff:ff
inet 10.73.130.61/23 brd 10.73.131.255 scope global noprefixroute dynamic enp4s0f0
valid_lft 42606sec preferred_lft 42606sec
inet6 2620:52:0:4982:a2b3:ccff:fee1:baba/64 scope global noprefixroute dynamic
valid_lft 2591999sec preferred_lft 604799sec
inet6 fe80::a2b3:ccff:fee1:baba/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: enp4s0f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether a0:b3:cc:e1:ba:bc brd ff:ff:ff:ff:ff:ff
4: enp5s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether a0:b3:cc:e1:ba:be brd ff:ff:ff:ff:ff:ff
5: enp5s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether a0:b3:cc:e1:ba:c0 brd ff:ff:ff:ff:ff:ff
6: ens1f0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether 00:10:18:ab:b3:90 brd ff:ff:ff:ff:ff:ff
7: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:15:17:19:62:a5 brd ff:ff:ff:ff:ff:ff
8: ens1f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether 00:10:18:ab:b3:91 brd ff:ff:ff:ff:ff:ff
9: ens1f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:10:18:ab:b3:92 brd ff:ff:ff:ff:ff:ff
10: ens1f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:10:18:ab:b3:93 brd ff:ff:ff:ff:ff:ff
[root@hp-dl385g7-02 ~]# ethtool -i ens1f2
driver: tg3
version: 3.137
firmware-version: 5719-v1.20
expansion-rom-version:
bus-info: 0000:06:00.2
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no
[root@hp-dl385g7-02 ~]# dhclient -v ens1f2
Internet Systems Consortium DHCP Client 4.2.5
Copyright 2004-2013 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
/usr/sbin/dhclient-script: line 734: 11610 Killed ip link set dev ${interface} up
Listening on LPF/ens1f2/00:10:18:ab:b3:92
Sending on LPF/ens1f2/00:10:18:ab:b3:92
Sending on Socket/fallback
DHCPDISCOVER on ens1f2 to 255.255.255.255 port 67 interval 4 (xid=0x51a03a41)
DHCPREQUEST on ens1f2 to 255.255.255.255 port 67 (xid=0x51a03a41)
DHCPOFFER from 192.168.1.253
DHCPACK from 192.168.1.253 (xid=0x51a03a41)
/usr/sbin/dhclient-script: line 734: 11630 Killed arping -D -q -c2 -I ${interface} ${new_ip_address}
/usr/sbin/dhclient-script: line 335: 11642 Killed ip link set dev ${interface} up
/usr/sbin/dhclient-script: line 335: 11643 Killed ip -4 addr replace ${new_ip_address}/${new_prefix} broadcast ${new_broadcast_address} dev ${interface} valid_lft ${new_dhcp_lease_time} preferred_lft ${new_dhcp_lease_time} > /dev/null 2>&1
bound to 192.168.1.150 -- renewal in 33403 seconds.
[root@hp-dl385g7-02 ~]# ip addr show ens1f2
9: ens1f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:10:18:ab:b3:92 brd ff:ff:ff:ff:ff:ff
[root@hp-dl385g7-02 ~]# getenforce
Enforcing
[root@hp-dl385g7-02 ~]# setenforce 0
[root@hp-dl385g7-02 ~]# pkill dhclient
[root@hp-dl385g7-02 ~]# dhclient -v ens1f2
Internet Systems Consortium DHCP Client 4.2.5
Copyright 2004-2013 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/ens1f2/00:10:18:ab:b3:92
Sending on LPF/ens1f2/00:10:18:ab:b3:92
Sending on Socket/fallback
DHCPREQUEST on ens1f2 to 255.255.255.255 port 67 (xid=0x56fbf202)
DHCPACK from 192.168.1.253 (xid=0x56fbf202)
bound to 192.168.1.150 -- renewal in 42810 seconds.
[root@hp-dl385g7-02 ~]# ip addr show ens1f2
9: ens1f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:10:18:ab:b3:92 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.150/24 brd 192.168.1.255 scope global dynamic ens1f2
valid_lft 86394sec preferred_lft 86394sec
[root@hp-dl385g7-02 ~]# ping 192.168.1.254
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
64 bytes from 192.168.1.254: icmp_seq=2 ttl=255 time=4.75 ms
64 bytes from 192.168.1.254: icmp_seq=3 ttl=255 time=0.685 ms
64 bytes from 192.168.1.254: icmp_seq=4 ttl=255 time=0.967 ms
64 bytes from 192.168.1.254: icmp_seq=5 ttl=255 time=0.829 ms
--- 192.168.1.254 ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4003ms
rtt min/avg/max/mdev = 0.685/1.808/4.751/1.702 ms
reference job link:
https://beaker.engineering.redhat.com/jobs/2588236
Please collect SELinux denials on your machine and attach them here:
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
Created attachment 1457626 [details]
selinux output of dhclient (includes all the steps)
Thank you, Tianhao. The following policy rules are needed:
allow dhcpc_t hostname_exec_t:file map;
allow dhcpc_t ifconfig_exec_t:file map;
allow dhcpc_t netutils_exec_t:file map;
Switching to ASSIGNED because the bug fix is not complete.
# sesearch -A -s dhcpc_t -t hostname_exec_t -c file -p map
Found 1 semantic av rules:
allow dhcpc_t hostname_exec_t : file { read getattr map execute open } ;
# sesearch -A -s dhcpc_t -t ifconfig_exec_t -c file -p map
Found 1 semantic av rules:
allow dhcpc_t ifconfig_exec_t : file { read getattr map execute open } ;
# sesearch -A -s dhcpc_t -t netutils_exec_t -c file -p map
Found 1 semantic av rules:
allow dhcpc_t netutils_exec_t : file { read getattr map execute open } ;
# rpm -q selinux-policy
selinux-policy-3.13.1-207.el7.noarch
Looks fixed on my system.
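The two pieces of evidence this bug turns on are the `avc: denied { map }` audit lines (quoted in the description and collected with the ausearch command requested above) and the `sesearch -A ... -p map` output used to verify the fix. `map` is checked by the kernel whenever a file is mmap'ed (upstream since 4.13; the RHEL 7 kernels in this bug enforce it). Because the ELF loader maps the binary during execve, a missing `map` on an `*_exec_t` file fails past the point where execve can still return an error, and the kernel kills the process; that is why the helpers started by dhclient-script appear above as "Killed" rather than failing with "Permission denied". The POSIX shell script below is an added example, not part of the bug report or of selinux-policy: it turns denial lines into the allow rules that would cover them (the translation audit2allow performs) and checks a sesearch dump for whether a given rule is already present. The first audit line is the one from this bug's description; the second denial, the pid/inode values in it, and the sesearch dump are constructed sample data, and the dump deliberately omits the NetworkManager_t rule so that both outcomes of the check are shown.

```shell
#!/bin/sh
# Added example, not from the bug report or from selinux-policy: translate
# "avc: denied" audit lines into the allow rules that would cover them (what
# audit2allow does) and check a sesearch(1) dump for whether a rule is present.
# Run with no arguments to see it work on the constructed sample data below; in
# real use feed it the ausearch / sesearch output from the affected machine.

# Constructed sample: line 1 is the NetworkManager_t -> dhcpc_exec_t denial
# quoted in this bug; line 2 is a made-up denial of the kind the
# dhcpc_t -> ifconfig_exec_t rule addresses (pid/ino/timestamp are placeholders).
SAMPLE_AVCS='type=1400 audit(1525327945.065:628): avc:  denied  { map } for  pid=6163 comm="dhclient" path="/usr/sbin/dhclient" dev="dm-4" ino=109060780 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_exec_t:s0 tclass=file permissive=0
type=1400 audit(1530000000.000:1): avc:  denied  { map } for  pid=1 comm="ip" path="/usr/sbin/ip" dev="dm-4" ino=1 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0'

# Constructed sample of "sesearch -A" output in the RHEL 7 (setools 3) layout,
# modelled on the verification comment in this bug. It deliberately lacks a
# NetworkManager_t rule so the demo below shows a "missing" result as well.
SAMPLE_SESEARCH='Found 3 semantic av rules:
   allow dhcpc_t hostname_exec_t : file { read getattr map execute open } ;
   allow dhcpc_t ifconfig_exec_t : file { read getattr map execute open } ;
   allow dhcpc_t netutils_exec_t : file { read getattr map execute open } ;'

# Read audit lines on stdin; print one "allow SRC TGT:CLASS { PERMS };" per
# (source type, target type, class), merging permissions of repeated denials.
# Typical input: ausearch -m avc -ts today    (or journalctl -k output).
avc_to_allow() {
    awk '
    /avc: +denied/ {
        perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = $0;   sub(/.*scontext=/, "", src);       sub(/ .*/, "", src)
        tgt = $0;   sub(/.*tcontext=/, "", tgt);       sub(/ .*/, "", tgt)
        cls = $0;   sub(/.*tclass=/, "", cls);         sub(/ .*/, "", cls)
        split(src, s, ":"); split(tgt, t, ":")          # field 3 of a context is the type
        key = s[3] " " t[3] ":" cls
        if (!(key in have)) { have[key] = ""; order[++n] = key }
        np = split(perms, p, " ")
        for (i = 1; i <= np; i++)
            if (index(" " have[key] " ", " " p[i] " ") == 0)
                have[key] = (have[key] == "") ? p[i] : (have[key] " " p[i])
    }
    END { for (i = 1; i <= n; i++) printf "allow %s { %s };\n", order[i], have[order[i]] }'
}

# Exit 0 if the sesearch(1) output on stdin contains an allow rule granting
# PERM from SRC to TGT:CLASS, else 1. Accepts both output layouts:
#   allow dhcpc_t ifconfig_exec_t : file { read map } ;   (RHEL 7, setools 3)
#   allow dhcpc_t ifconfig_exec_t:file { read map };      (setools 4)
# Usage: sesearch -A -s dhcpc_t -c file | rule_grants dhcpc_t ifconfig_exec_t file map
rule_grants() {
    awk -v src="$1" -v tgt="$2" -v cls="$3" -v perm="$4" '
    $1 == "allow" {
        line = $0
        gsub(/ *: */, ":", line)                      # "tgt : cls" -> "tgt:cls"
        split(line, f, " ")
        if (f[2] != src) next
        split(f[3], tc, ":")
        if (tc[1] != tgt || tc[2] != cls) next
        if (index(line, "{")) { perms = line; sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms) }
        else                  { perms = f[4]; sub(/;.*/, "", perms) }   # single-perm rule
        if (index(" " perms " ", " " perm " ")) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Demo on the constructed samples (real use: replace with ausearch/sesearch).
printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow
for rule in "dhcpc_t ifconfig_exec_t file map" "NetworkManager_t dhcpc_exec_t file map"; do
    # word splitting of $rule into the four arguments is intended
    if printf '%s\n' "$SAMPLE_SESEARCH" | rule_grants $rule; then
        echo "granted: $rule"
    else
        echo "missing: $rule"
    fi
done
```

Pipe the real `ausearch -m avc -ts today` output into `avc_to_allow` to see which rules are still missing, and after the policy update confirm each one with `sesearch -A -s <src> -c file -p map | rule_grants <src> <tgt> file map`, as the verification comment above does by hand. Treat the generated rules as a diagnosis, not a fix to load blindly: an audit2allow-style rule says only what would silence the denial, and loading such rules as a local module is the usual way policy quietly grows broader than intended. Here the right fix was the selinux-policy errata, which adds `map` alongside the `execute` permission the domains already had.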
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3111
Description of problem:
It seems that the new map permissions added in -193 deny dhclient, and the system eventually ends up without an ipv4 address.

Version-Release number of selected component (if applicable):
kernel-3.10.0-878.el7
selinux-policy-targeted-3.13.1-193.el7
selinux-policy-3.13.1-193.el7

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:
May 03 08:12:25 placka kernel: type=1400 audit(1525327945.065:628): avc: denied { map } for pid=6163 comm="dhclient" path="/usr/sbin/dhclient" dev="dm-4" ino=109060780 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_exec_t:s0 tclass=file permissive=0
May 03 08:14:25 placka kernel: type=1400 audit(1525328065.811:651): avc: denied { map } for pid=6676 comm="dhclient" path="/usr/sbin/dhclient" dev="dm-4" ino=109060780 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_exec_t:s0 tclass=file permissive=0

Expected results:

Additional info:
Workaround: either setenforce 0 or downgrading to
selinux-policy-targeted-3.13.1-192.el7_5.3.noarch
selinux-policy-3.13.1-192.el7_5.3