Bug 163569 - ping blocked by selinux
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-07-18 19:36 EDT by Gabriel Schulhof
Modified: 2007-11-30 17:11 EST
Fixed In Version: 1.25.3-1
Doc Type: Bug Fix
Last Closed: 2005-08-19 03:47:43 EDT
Description Gabriel Schulhof 2005-07-18 19:36:30 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.7.8-2

Description of problem:
Ping doesn't output anything to the terminal (for either root or a regular user) because of this:
type=AVC msg=audit(1121729279.793:14880232): avc:  denied  { read write } for  pid=23335 comm="ping" name="3" dev=devpts ino=5 scontext=system_u:system_r:ping_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
type=AVC msg=audit(1121729279.793:14880232): avc:  denied  { read write } for  pid=23335 comm="ping" name="3" dev=devpts ino=5 scontext=system_u:system_r:ping_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
type=AVC msg=audit(1121729279.793:14880232): avc:  denied  { read write } for  pid=23335 comm="ping" name="3" dev=devpts ino=5 scontext=system_u:system_r:ping_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
type=AVC msg=audit(1121729279.793:14880232): avc:  denied  { read write } for  pid=23335 comm="ping" name="3" dev=devpts ino=5 scontext=system_u:system_r:ping_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
type=SYSCALL msg=audit(1121729279.793:14880232): arch=40000003 syscall=11 success=yes exit=0 a0=817def0 a1=818f828 a2=81749a8 a3=1 items=2 pid=23335 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ping" exe="/bin/ping"
type=AVC_PATH msg=audit(1121729279.793:14880232):  path="/dev/pts/3"
type=AVC_PATH msg=audit(1121729279.793:14880232):  path="/dev/pts/3"
type=AVC_PATH msg=audit(1121729279.793:14880232):  path="/dev/pts/3"
type=CWD msg=audit(1121729279.793:14880232):  cwd="/root"
type=PATH msg=audit(1121729279.793:14880232): item=0 name="/bin/ping" flags=101  inode=2779845 dev=03:01 mode=0104755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1121729279.793:14880232): item=1 flags=101  inode=3337422 dev=03:01 mode=0100755 ouid=0 ogid=0 rdev=00:00

Ping works fine when I run it from ttyS0 (serial nullmodem cable).

When I attempted to update selinux-policy-targeted, I got the following messages interspersed with the yum update output:

sepol_genbools_array:  unknown boolean user_ping
/usr/sbin/load_policy:  Warning!  Error while setting booleans:  Invalid argument
# ls -lZ /bin/ping
-rwsr-xr-x  root     root     system_u:object_r:ping_exec_t    /bin/ping

ping works fine on all my other FC4 machines. 

Version-Release number of selected component (if applicable):
iputils-20020927-22

How reproducible:
Always

Steps to Reproduce:
1. Don't know, really ...
2. Log into the problematic machine via ssh.
3. Ping a host from the local subnet.
4. Watch it seemingly hang.
  

Actual Results:  ping didn't output anything, but audit.log had "denied" messages.

Expected Results:  Ping should work properly from both serial ttys as well as pseudo-ttys.

Additional info:

selinux-policy-targeted-1.25.2-4
Comment 1 Daniel Walsh 2005-07-19 23:33:26 EDT
Fixed in selinux-policy-targeted-1.25.3-1
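
A triage sketch for the audit records in the description above, added here as an example and not part of the original report or of the selinux-policy project: it collapses repeated AVC denials into one row per (source type, target type, class, permissions) and attaches the `exe` and `path` from records sharing the same audit event serial. The function and variable names are assumptions of this example.

```python
import re
from collections import Counter

# Sample input: records from the report above, abridged to two AVC lines and a
# shortened SYSCALL record; all share audit event serial 14880232.
SAMPLE = '''\
type=AVC msg=audit(1121729279.793:14880232): avc:  denied  { read write } for  pid=23335 comm="ping" name="3" dev=devpts ino=5 scontext=system_u:system_r:ping_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
type=AVC msg=audit(1121729279.793:14880232): avc:  denied  { read write } for  pid=23335 comm="ping" name="3" dev=devpts ino=5 scontext=system_u:system_r:ping_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
type=SYSCALL msg=audit(1121729279.793:14880232): arch=40000003 syscall=11 success=yes exit=0 pid=23335 uid=0 comm="ping" exe="/bin/ping"
type=AVC_PATH msg=audit(1121729279.793:14880232):  path="/dev/pts/3"
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)$')
DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(text):
    """Parse key=value pairs, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in FIELD.findall(text)}

def summarize(log):
    """Collapse repeated AVC denials and attach exe/path from the same event."""
    counts, extra = Counter(), {}
    for line in log.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, serial, body = m.groups()
        if rtype == 'AVC':
            d = DENIED.search(body)
            if d:
                f = fields(d.group(2))
                # The SELinux type is the third field of user:role:type[:level].
                key = (serial, f['scontext'].split(':')[2],
                       f['tcontext'].split(':')[2], f['tclass'],
                       tuple(sorted(d.group(1).split())))
                counts[key] += 1
        elif rtype in ('SYSCALL', 'AVC_PATH'):
            f = fields(body)
            extra.setdefault(serial, {}).update(
                {k: f[k] for k in ('exe', 'path', 'syscall') if k in f})
    return [dict(source=s, target=t, tclass=c, perms=p, count=n,
                 **extra.get(serial, {}))
            for (serial, s, t, c, p), n in counts.items()]

if __name__ == '__main__':
    for row in summarize(SAMPLE):
        print(row)
```

On the sample this yields a single row: `ping_t` denied `read write` on an `initrc_devpts_t` `chr_file`, with path `/dev/pts/3` and exe `/bin/ping`. With `arch=40000003` (i386), `syscall=11` is `execve`, so the denial was recorded as `/bin/ping` was executed and its inherited terminal descriptors were checked against the new domain.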
