Bug 1594661 - [RHEL7.6] arping, ip, hostname, dhcp affected when selinux enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-06-25 06:58 UTC by HuijingHei
Modified: 2018-10-30 10:06 UTC

Fixed In Version: selinux-policy-3.13.1-205.el7
Last Closed: 2018-10-30 10:05:46 UTC
Target Upstream Version:




Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2018:3111 | None | None | None | 2018-10-30 10:06:45 UTC

Description HuijingHei 2018-06-25 06:58:35 UTC
Description of problem:
Cannot get a DHCP IP with SELinux enabled

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-204.el7.noarch
selinux-policy-3.13.1-204.el7.noarch
kernel-3.10.0-915.el7.x86_64
(RHEL7.5 GA version with updated selinux rpms and kernel)

How reproducible:
100%

Steps to Reproduce:
1. Start the OS
2. Configure the NIC with DHCP and restart the network service
3. # getenforce
Enforcing
4. # ip a

Actual results:
Cannot get a DHCP IP with SELinux enabled

# systemctl status network
● network.service - LSB: Bring up/down networking
   Loaded: loaded (/etc/rc.d/init.d/network; bad; vendor preset: disabled)
   Active: active (running) since Mon 2018-06-25 14:38:50 CST; 39s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 658 ExecStart=/etc/rc.d/init.d/network start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/network.service
           └─915 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid eth0

Jun 25 14:38:49 localhost.localdomain network[658]: /usr/sbin/dhclient-script: line 734:   838 Killed                  arping -D -q -c2 -I ${interface} ${new_ip_address}
Jun 25 14:38:49 localhost.localdomain network[658]: /usr/sbin/dhclient-script: line 335:   850 Killed                  ip link set dev ${interface} up
Jun 25 14:38:49 localhost.localdomain network[658]: /usr/sbin/dhclient-script: line 335:   851 Killed                  ip -4 addr replace ${new_ip_address}/${new_prefix} broadcast ${new_broadcast_address} dev ${interface} valid_lft ${new_dhcp_lease_time} preferred_lft ${new_dhcp_lease_time} > /dev/null 2>&1
Jun 25 14:38:49 localhost.localdomain network[658]: /usr/sbin/dhclient-script: line 293:   859 Killed                  ip -4 route replace default via ${router} dev ${interface} ${metric}
Jun 25 14:38:49 localhost.localdomain NET[860]: dhclient: failed to create default route: 10.73.199.254 dev eth0
Jun 25 14:38:50 localhost.localdomain NET[867]: /usr/sbin/dhclient-script : updated /etc/resolv.conf
Jun 25 14:38:50 localhost.localdomain dhclient[806]: bound to 10.73.199.194 -- renewal in 17350 seconds.
Jun 25 14:38:50 localhost.localdomain network[658]: done.
Jun 25 14:38:50 localhost.localdomain network[658]: [  OK  ]
Jun 25 14:38:50 localhost.localdomain systemd[1]: Started LSB: Bring up/down networking.


# ausearch -m avc
----
time->Mon Jun 25 14:38:49 2018
type=PROCTITLE msg=audit(1529908729.388:21): proctitle="(null)"
type=SYSCALL msg=audit(1529908729.388:21): arch=c000003e syscall=59 success=no exit=-13 a0=ed16f0 a1=ed3fd0 a2=eca210 a3=7fff1de93da0 items=0 ppid=808 pid=809 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hostname" exe="/usr/bin/hostname" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1529908729.388:21): avc:  denied  { map } for  pid=809 comm="hostname" path="/usr/bin/hostname" dev="dm-0" ino=50390913 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
----
time->Mon Jun 25 14:38:49 2018
type=PROCTITLE msg=audit(1529908729.465:22): proctitle="(null)"
type=SYSCALL msg=audit(1529908729.465:22): arch=c000003e syscall=59 success=no exit=-13 a0=f6ec40 a1=ea9e90 a2=f6b580 a3=7fff1de945e0 items=0 ppid=807 pid=821 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1529908729.465:22): avc:  denied  { map } for  pid=821 comm="ip" path="/usr/sbin/ip" dev="dm-0" ino=123026 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
----
time->Mon Jun 25 14:38:49 2018
type=PROCTITLE msg=audit(1529908729.533:23): proctitle="(null)"
type=SYSCALL msg=audit(1529908729.533:23): arch=c000003e syscall=59 success=no exit=-13 a0=26ad8a0 a1=26b0180 a2=26a63a0 a3=7ffe825e6f60 items=0 ppid=823 pid=824 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hostname" exe="/usr/bin/hostname" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1529908729.533:23): avc:  denied  { map } for  pid=824 comm="hostname" path="/usr/bin/hostname" dev="dm-0" ino=50390913 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
----
time->Mon Jun 25 14:38:49 2018
type=PROCTITLE msg=audit(1529908729.731:24): proctitle="(null)"
type=SYSCALL msg=audit(1529908729.731:24): arch=c000003e syscall=59 success=no exit=-13 a0=274ac80 a1=26a4800 a2=2747810 a3=7ffe825e78a0 items=0 ppid=822 pid=838 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="arping" exe="/usr/sbin/arping" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1529908729.731:24): avc:  denied  { map } for  pid=838 comm="arping" path="/usr/sbin/arping" dev="dm-0" ino=571362 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=0
----
time->Mon Jun 25 14:38:49 2018
type=PROCTITLE msg=audit(1529908729.784:25): proctitle="(null)"
type=SYSCALL msg=audit(1529908729.784:25): arch=c000003e syscall=59 success=no exit=-13 a0=2686510 a1=2686590 a2=2747810 a3=7ffe825e6ce0 items=0 ppid=839 pid=840 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="arping" exe="/usr/sbin/arping" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1529908729.784:25): avc:  denied  { map } for  pid=840 comm="arping" path="/usr/sbin/arping" dev="dm-0" ino=571362 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=0
----
time->Mon Jun 25 14:38:49 2018
type=PROCTITLE msg=audit(1529908729.792:26): proctitle="(null)"
type=SYSCALL msg=audit(1529908729.792:26): arch=c000003e syscall=59 success=no exit=-13 a0=274c1e0 a1=274bc90 a2=2747810 a3=7ffe825e6ce0 items=0 ppid=845 pid=846 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1529908729.792:26): avc:  denied  { map } for  pid=846 comm="ip" path="/usr/sbin/ip" dev="dm-0" ino=123026 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
----
time->Mon Jun 25 14:38:49 2018
type=PROCTITLE msg=audit(1529908729.920:27): proctitle="(null)"
type=SYSCALL msg=audit(1529908729.920:27): arch=c000003e syscall=59 success=no exit=-13 a0=274a6c0 a1=2685630 a2=2747810 a3=7ffe825e6760 items=0 ppid=822 pid=850 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1529908729.920:27): avc:  denied  { map } for  pid=850 comm="ip" path="/usr/sbin/ip" dev="dm-0" ino=123026 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
----
time->Mon Jun 25 14:38:49 2018
type=PROCTITLE msg=audit(1529908729.923:28): proctitle="(null)"
type=SYSCALL msg=audit(1529908729.923:28): arch=c000003e syscall=59 success=no exit=-13 a0=275ff40 a1=274a800 a2=2747810 a3=7ffe825e68a0 items=0 ppid=822 pid=851 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1529908729.923:28): avc:  denied  { map } for  pid=851 comm="ip" path="/usr/sbin/ip" dev="dm-0" ino=123026 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
----
time->Mon Jun 25 14:38:49 2018
type=PROCTITLE msg=audit(1529908729.943:29): proctitle="(null)"
type=SYSCALL msg=audit(1529908729.943:29): arch=c000003e syscall=59 success=no exit=-13 a0=2762310 a1=26a2fb0 a2=2747810 a3=7ffe825e56a0 items=0 ppid=822 pid=859 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1529908729.943:29): avc:  denied  { map } for  pid=859 comm="ip" path="/usr/sbin/ip" dev="dm-0" ino=123026 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
----
time->Mon Jun 25 14:38:50 2018
type=PROCTITLE msg=audit(1529908730.028:30): proctitle="(null)"
type=SYSCALL msg=audit(1529908730.028:30): arch=c000003e syscall=59 success=no exit=-13 a0=276b730 a1=2769b40 a2=2747810 a3=7ffe825e55a0 items=0 ppid=869 pid=870 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hostname" exe="/usr/bin/hostname" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1529908730.028:30): avc:  denied  { map } for  pid=870 comm="hostname" path="/usr/bin/hostname" dev="dm-0" ino=50390913 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0

Expected results:
Can get a DHCP IP with SELinux enabled

Additional info:
1) Tried with kernel-3.10.0-862.8.1.el7, RHEL7.5 GA version; it does not have this issue
2) It was tested on a Hyper-V guest, and the same issue occurred on an ESXi guest, so perhaps this is a general bug
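
An added example, not part of the original report: a Python script that groups the AVC denials above by source domain, target type and class, and renders each group in the allow-rule form audit2allow prints, so the affected type pairs can be checked against the updated policy. The sample records are abridged from the ausearch output in the description, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: four AVC records abridged from the ausearch output in
# this report (dev= and ino= fields dropped).
SAMPLE = """\
type=AVC msg=audit(1529908729.388:21): avc:  denied  { map } for  pid=809 comm="hostname" path="/usr/bin/hostname" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1529908729.465:22): avc:  denied  { map } for  pid=821 comm="ip" path="/usr/sbin/ip" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1529908729.731:24): avc:  denied  { map } for  pid=838 comm="arping" path="/usr/sbin/arping" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1529908729.920:27): avc:  denied  { map } for  pid=850 comm="ip" path="/usr/sbin/ip" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0, "enforced": 0})
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # PROCTITLE, SYSCALL and separator lines
        g = groups[(selinux_type(m["src"]), selinux_type(m["tgt"]), m["cls"])]
        g["perms"].update(m["perms"].split())
        g["comms"].add(m["comm"])
        g["count"] += 1
        g["enforced"] += m["permissive"] != "1"  # blocked unless permissive=1
    return dict(groups)

def candidate_rules(groups):
    """Render each group in the allow-rule form audit2allow prints."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(summarize(SAMPLE)):
        print(rule)
```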

Comment 3 HuijingHei 2018-06-26 09:26:56 UTC
Additional info:
Booting the OS with the network service enabled and the NetworkManager service disabled reproduces this issue; if both are enabled, the issue does not occur.

Comment 5 HuijingHei 2018-06-28 02:24:13 UTC
I have tested with selinux-policy-3.13.1-206.el7, and can get a DHCP IP successfully with the network service.

Comment 8 errata-xmlrpc 2018-10-30 10:05:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

