Bug 1575369 - Conntrackd does not start up due to selinux policy
Summary: Conntrackd does not start up due to selinux policy
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-06 11:20 UTC by Florian Bezdeka
Modified: 2018-07-29 03:23 UTC (History)
10 users (show)

Fixed In Version: selinux-policy-3.14.1-36.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-07-29 03:23:26 UTC
Type: Bug


Attachments (Terms of Use)
Conntrackd configuration (17.41 KB, text/plain)
2018-05-06 11:20 UTC, Florian Bezdeka
no flags Details
SELinux log with disabled dontaudit rules (1.56 KB, text/plain)
2018-05-06 11:21 UTC, Florian Bezdeka
no flags Details

Description Florian Bezdeka 2018-05-06 11:20:21 UTC
Created attachment 1432373 [details]
Conntrackd configuration

Description of problem:
I updated one of my systems from Fedora 27 to 28. Conntrackd refuses to start afterwards.

The following was taken from the conntrackd log:
[Sat May  5 11:36:24 2018] (pid=2859) [ERROR] can't open channel socket
[Sat May  5 11:36:24 2018] (pid=2859) [ERROR] initialization failed
[Sun May  6 12:31:19 2018] (pid=6528) [ERROR] can't open channel socket
[Sun May  6 12:31:19 2018] (pid=6528) [ERROR] initialization failed
[Sun May  6 12:38:54 2018] (pid=6826) [ERROR] can't open channel socket
[Sun May  6 12:38:54 2018] (pid=6826) [ERROR] initialization failed
[Sun May  6 12:44:27 2018] (pid=6972) [ERROR] can't open channel socket
[Sun May  6 12:44:27 2018] (pid=6972) [ERROR] initialization failed
[Sun May  6 12:49:59 2018] (pid=7158) [ERROR] can't get kernel conntrack table


After some debugging I found out that this problem is related to SELinux.
After disabling SELinux ("setenforce 0") conntrackd was able to start.
The SELinux (or audit) log did not report any error (due to "dontaudit" rules)

After disabling dontaudit rules /var/log/audit/audit.log contained some errors.
(See attachment)


Version-Release number of selected component (if applicable):
Connection tracking userspace daemon v1.4.4. Licensed under GPLv2.
(C) 2006-2009 Pablo Neira Ayuso <pablo@netfilter.org>

How reproducible:
I attached the used configuration (and removed some IP addresses, see <removed> tags). I think conntrackd will start up even if the complete environment including a second machine is not present.

Steps to Reproduce:
1. Copy conntrackd configuration to /etc/conntrackd/conntrackd.conf
2. Try starting up conntrackd using "sudo service conntrackd start"

Actual results:
The start of conntrackd fails.

Expected results:
conntrackd starts up.

Additional info:
The following type enforcement fixes this issue. But I'm not sure if the permissions granted are too permissive.

module f28_conntrackdfix 1.0;

require {
        type init_t;
        type unconfined_service_t;
        type kernel_t;
        type conntrackd_t;
        class process { noatsecure siginh };
        class capability net_admin;
        class system module_request;
}

#============= conntrackd_t ==============

#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow conntrackd_t kernel_t:system module_request;

#!!!! This avc has a dontaudit rule in the current policy
allow conntrackd_t self:capability net_admin;

#============= init_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow init_t conntrackd_t:process noatsecure;

#!!!! This avc has a dontaudit rule in the current policy
allow init_t unconfined_service_t:process siginh;

Comment 1 Florian Bezdeka 2018-05-06 11:21:22 UTC
Created attachment 1432374 [details]
SELinux log with disabled dontaudit rules

Comment 2 Florian Bezdeka 2018-05-06 12:25:12 UTC
There was another issue when trying to start conntrackd using a clustermanager like pakemaker. 
conntrackd was not allowed to connect to a unix socket.

I have to update the currently used SELinux type enforcement:

module f28_conntrackdfix 1.0;

require {
        type kernel_t;
        type unconfined_service_t;
        type conntrackd_t;
        type init_t;
        class process { noatsecure siginh };
        class capability net_admin;
        class unix_stream_socket connectto;
        class system module_request;
}

#============= conntrackd_t ==============

#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow conntrackd_t kernel_t:system module_request;

#!!!! This avc has a dontaudit rule in the current policy
allow conntrackd_t self:capability net_admin;

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow conntrackd_t self:unix_stream_socket connectto;

#============= init_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow init_t conntrackd_t:process noatsecure;

#!!!! This avc has a dontaudit rule in the current policy
allow init_t unconfined_service_t:process siginh;

Comment 3 Florian Bezdeka 2018-05-24 15:35:00 UTC
Is conntrack-tools the right component for this bug report?
Should I change it to selinux-policy?

Comment 4 Lukas Vrabec 2018-05-25 10:24:55 UTC
Hi, 

Could you reproduce it and attach raw AVC msgs? 

THanks,
Lukas.

Comment 5 Florian Bezdeka 2018-05-25 13:48:38 UTC
Hi,

what is the exact difference between the provided attachment and raw AVC messages?

As mentioned above, I had to disable "dontaudit rules" to receive any SELinux messages in the audit log.

Regards,
Florian

Comment 6 Martin Jackson 2018-06-08 02:13:47 UTC
I saw the same thing.  The workaround above worked for me as well.

Comment 7 Fedora Update System 2018-07-25 22:29:18 UTC
selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 8 Fedora Update System 2018-07-26 16:31:37 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 9 Fedora Update System 2018-07-29 03:23:26 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.