Bug 163569 - ping blocked by selinux
Summary: ping blocked by selinux
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
Reported: 2005-07-18 23:36 UTC by Gabriel Schulhof
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 1.25.3-1
Doc Type: Bug Fix
Last Closed: 2005-08-19 07:47:43 UTC

Description Gabriel Schulhof 2005-07-18 23:36:30 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.7.8-2

Description of problem:
Ping doesn't output anything to the terminal (for either root or a regular user) because of this:
type=AVC msg=audit(1121729279.793:14880232): avc:  denied  { read write } for  pid=23335 comm="ping" name="3" dev=devpts ino=5 scontext=system_u:system_r:ping_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
type=AVC msg=audit(1121729279.793:14880232): avc:  denied  { read write } for  pid=23335 comm="ping" name="3" dev=devpts ino=5 scontext=system_u:system_r:ping_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
type=AVC msg=audit(1121729279.793:14880232): avc:  denied  { read write } for  pid=23335 comm="ping" name="3" dev=devpts ino=5 scontext=system_u:system_r:ping_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
type=AVC msg=audit(1121729279.793:14880232): avc:  denied  { read write } for  pid=23335 comm="ping" name="3" dev=devpts ino=5 scontext=system_u:system_r:ping_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
type=SYSCALL msg=audit(1121729279.793:14880232): arch=40000003 syscall=11 success=yes exit=0 a0=817def0 a1=818f828 a2=81749a8 a3=1 items=2 pid=23335 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ping" exe="/bin/ping"
type=AVC_PATH msg=audit(1121729279.793:14880232):  path="/dev/pts/3"
type=AVC_PATH msg=audit(1121729279.793:14880232):  path="/dev/pts/3"
type=AVC_PATH msg=audit(1121729279.793:14880232):  path="/dev/pts/3"
type=CWD msg=audit(1121729279.793:14880232):  cwd="/root"
type=PATH msg=audit(1121729279.793:14880232): item=0 name="/bin/ping" flags=101  inode=2779845 dev=03:01 mode=0104755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1121729279.793:14880232): item=1 flags=101  inode=3337422 dev=03:01 mode=0100755 ouid=0 ogid=0 rdev=00:00

Ping works fine when I run it from ttyS0 (serial nullmodem cable).

When I attempted to update selinux-policy-targeted, I got the following messages interspersed with the yum update output:

sepol_genbools_array:  unknown boolean user_ping
/usr/sbin/load_policy:  Warning!  Error while setting booleans:  Invalid argument
# ls -lZ /bin/ping
-rwsr-xr-x  root     root     system_u:object_r:ping_exec_t    /bin/ping

ping works fine on all my other FC4 machines. 

Version-Release number of selected component (if applicable):
iputils-20020927-22

How reproducible:
Always

Steps to Reproduce:
1. Don't know, really ...
2. Log into the problematic machine via ssh.
3. Ping a host from the local subnet.
4. Watch it seemingly hang.

Actual Results:  ping didn't output anything, but audit.log had "denied" messages.

Expected Results:  Ping should work properly from both serial ttys as well as pseudo-ttys.

Additional info:

selinux-policy-targeted-1.25.2-4

Comment 1 Daniel Walsh 2005-07-20 03:33:26 UTC
Fixed in selinux-policy-targeted-1.25.3-1
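
An added triage example (not part of the original report or of the SELinux policy project): the Python below groups the audit records quoted in the description by event serial, collapses the repeated AVC lines into one denial, and flags that the event was logged during execve on i386. The function name `summarize`, the row field names and the shortened SYSCALL record are assumptions made for this example.

```python
import re
from collections import defaultdict

# Sample input: a subset of the audit records quoted in the report (SYSCALL record shortened).
AVC_LINE = ('type=AVC msg=audit(1121729279.793:14880232): avc:  denied  { read write } for  '
            'pid=23335 comm="ping" name="3" dev=devpts ino=5 scontext=system_u:system_r:ping_t '
            'tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file')
SAMPLE = "\n".join([AVC_LINE] * 4 + [
    'type=SYSCALL msg=audit(1121729279.793:14880232): arch=40000003 syscall=11 success=yes '
    'exit=0 pid=23335 uid=0 comm="ping" exe="/bin/ping"',
    'type=AVC_PATH msg=audit(1121729279.793:14880232):  path="/dev/pts/3"',
])

HEAD = re.compile(r'^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)$')
DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
I386_EXECVE = ("40000003", "11")  # AUDIT_ARCH_I386, syscall number of execve

def summarize(log_text):
    """Group records by audit event serial; return one row per distinct denial."""
    events = defaultdict(lambda: {"denials": defaultdict(int), "paths": set(), "at_exec": False})
    for line in log_text.splitlines():
        m = HEAD.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, serial, body = m.groups()
        ev, f = events[serial], {k: v.strip('"') for k, v in KV.findall(body)}
        denied = DENIED.search(body)
        if rtype == "AVC" and denied:
            perms = tuple(sorted(denied.group(1).split()))
            ev["denials"][(f["scontext"], f["tcontext"], f["tclass"], perms)] += 1
        elif rtype == "AVC_PATH":
            ev["paths"].add(f["path"])
        elif rtype == "SYSCALL":
            ev["at_exec"] = (f.get("arch"), f.get("syscall")) == I386_EXECVE
    rows = []
    for serial, ev in events.items():
        for (src, tgt, cls, perms), count in ev["denials"].items():
            # The SELinux type is the third colon-separated field of a context.
            rows.append({"event": serial, "source_type": src.split(":")[2],
                         "target_type": tgt.split(":")[2], "class": cls, "perms": perms,
                         "records": count, "paths": sorted(ev["paths"]), "at_exec": ev["at_exec"]})
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

The `at_exec` flag is worth checking because SELinux revalidates inherited file descriptors when a process changes domain at exec, which fits a ping that runs but prints nothing to the pseudo-terminal.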

