Bug 161070 - SELinux blocks changing MAC address
Summary: SELinux blocks changing MAC address
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-06-20 12:31 UTC by Dawid Gajownik
Modified: 2007-11-30 22:11 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2005-08-05 20:48:12 UTC
Type: ---
Embargoed:



Description Dawid Gajownik 2005-06-20 12:31:54 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b) Gecko/20050217

Description of problem:
SELinux blocks changing the MAC address. I set up a new MAC address via the MACADDR option in /etc/sysconfig/network-scripts/ifcfg-eth0 and reloaded the network service. The MAC address did not change.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.16-6

How reproducible:
Always

Steps to Reproduce:
[root@X ~]# service network restart
Wyłączanie interfejsu eth0:                                [  OK  ]
Zatrzymywanie interfejsu sieciowego loopback:              [  OK  ]
Podnoszenie interfejsu loopback:                           [  OK  ]
Podnoszenie interfejsu eth0:  socket(PF_PACKET): Permission denied
                                                           [  OK  ]

(which means "Shutting down interface eth0" and "Bringing up interface eth0"; unfortunately, "export LANG=C" does not work, so messages are written with system locale)
[root@X ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:40:F4:31:84:93
          inet addr:192.168.0.8  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:57 errors:0 dropped:0 overruns:0 frame:0
          TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8533 (8.3 KiB)  TX bytes:4207 (4.1 KiB)
          Interrupt:11 Base address:0xd000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:301 errors:0 dropped:0 overruns:0 frame:0
          TX packets:301 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10442 (10.1 KiB)  TX bytes:10442 (10.1 KiB)

(MAC address did not change)
[root@X ~]# grep MAC /etc/sysconfig/network-scripts/ifcfg-eth0
MACADDR=00:40:F4:41:84:94

[root@X ~]# tail /var/log/audit/audit.log
type=USER msg=audit(1119269430.327:250807): user pid=2135 uid=0 auid=4294967295 msg='PAM bad_ident: user=? exe=/usr/bin/gdm-binary (hostname=?, addr=?, terminal=? result=User not known to the underlying authentication module)'
type=USER msg=audit(1119269435.365:345814): user pid=2169 uid=0 auid=4294967295 msg='PAM authentication: user=y4kk0 exe=/usr/bin/gdm-binary (hostname=?, addr=?, terminal=:0 result=Success)'
type=USER msg=audit(1119269435.764:346017): user pid=2169 uid=0 auid=4294967295 msg='PAM accounting: user=y4kk0 exe=/usr/bin/gdm-binary (hostname=?, addr=?, terminal=:0 result=Success)'
type=USER msg=audit(1119269436.142:349590): user pid=2169 uid=0 auid=4294967295 msg='PAM session open: user=y4kk0 exe=/usr/bin/gdm-binary (hostname=?, addr=?, terminal=:0 result=Success)'
type=USER msg=audit(1119269493.985:667750): user pid=2478 uid=500 auid=4294967295 msg='PAM authentication: user=root exe=/bin/su (hostname=?, addr=?, terminal=pts/6 result=Success)'
type=USER msg=audit(1119269494.291:668834): user pid=2478 uid=500 auid=4294967295 msg='PAM accounting: user=root exe=/bin/su (hostname=?, addr=?, terminal=pts/6 result=Success)'
type=USER msg=audit(1119269494.708:673328): user pid=2478 uid=500 auid=4294967295 msg='PAM session open: user=root exe=/bin/su (hostname=?, addr=?, terminal=pts/6 result=Success)'
type=SOCKETCALL msg=audit(1119269526.239:789064): nargs=3 a0=11 a1=2 a2=0
type=SYSCALL msg=audit(1119269526.239:789064): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf90aa50 a2=0 a3=bf90bf30 items=0 pid=2757 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip"
type=AVC msg=audit(1119269526.239:789064): avc:  denied  { create } for  pid=2757 comm="ip" scontext=root:system_r:ifconfig_t tcontext=root:system_r:ifconfig_t tclass=packet_socket

(something was blocked)
[root@X ~]# setenforce 0
[root@X ~]# service network restart
Wyłączanie interfejsu eth0:                                [  OK  ]
Zatrzymywanie interfejsu sieciowego loopback:              [  OK  ]
Podnoszenie interfejsu loopback:                           [  OK  ]
Podnoszenie interfejsu eth0:                               [  OK  ]
[root@X ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:40:F4:41:84:94
          inet addr:192.168.0.8  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:65 errors:0 dropped:0 overruns:0 frame:0
          TX packets:62 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9434 (9.2 KiB)  TX bytes:5239 (5.1 KiB)
          Interrupt:11 Base address:0xd000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:558 errors:0 dropped:0 overruns:0 frame:0
          TX packets:558 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:17654 (17.2 KiB)  TX bytes:17654 (17.2 KiB)

[root@X ~]#

In permissive mode the MAC address was changed.

Additional info:

What is funny is that "ifdown eth0 && ifup eth0" works without a glitch in enforcing mode. It does not resolve the problem, because I have to trigger that command after each reboot :/

Comment 1 Daniel Walsh 2005-07-20 14:23:52 UTC
selinux-policy-targeted-1.25.2-1

Comment 2 Dawid Gajownik 2005-07-20 20:26:29 UTC
Should I downgrade to this version? I have selinux-policy-targeted-1.25.2-4
installed on my FC4 box and the problem is still visible.

Comment 3 Daniel Walsh 2005-07-21 00:07:49 UTC
What avc messages are you seeing now?

Comment 4 Dawid Gajownik 2005-07-21 08:26:17 UTC
type=AVC msg=audit(1121934344.535:11565021): avc:  denied  { net_raw } for  pid=3604 comm="ip" capability=13 scontext=root:system_r:ifconfig_t tcontext=root:system_r:ifconfig_t tclass=capability
type=SYSCALL msg=audit(1121934344.535:11565021): arch=40000003 syscall=102 success=no exit=-1 a0=1 a1=bfa77a90 a2=0 a3=bfa77f30 items=0 pid=3604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip"
type=SOCKETCALL msg=audit(1121934344.535:11565021): nargs=3 a0=11 a1=2 a2=0


Comment 5 Daniel Walsh 2005-07-28 16:45:02 UTC
Fixed in selinux-policy-targeted-1.25.3-9

Comment 6 Dawid Gajownik 2005-08-05 20:48:12 UTC
I can confirm that :D

(Sorry that it took me so long but I was away on my holiday.)

