Bug 1740311 - ebtables lockfile created with wrong label from iproute
Summary: ebtables lockfile created with wrong label from iproute
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.7
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-08-12 15:41 UTC by Tomas Dolezal
Modified: 2019-08-16 14:43 UTC
7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-13 16:45:42 UTC
Target Upstream Version:



Description Tomas Dolezal 2019-08-12 15:41:25 UTC
Description of problem:
The label of /var/run/ebtables.lock may be wrongly assigned if ebtables is run via the 'ip' command.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-252.el7.noarch
firewalld-0.6.3-2.el7.noarch
ebtables-2.0.10-16.el7.x86_64
iproute-4.11.0-25.el7.x86_64

How reproducible:
always

Steps to Reproduce:
systemctl stop firewalld
rm /var/run/ebtables.lock
ip netns add selabel_test
ip netns exec selabel_test ebtables --concurrent -A FORWARD -j ACCEPT
ll -Z /var/run/ebtables.lock

systemctl restart firewalld

# ebtables is denied reading the created file.

restorecon -v /var/run/ebtables.lock

restorecon reset /run/ebtables.lock context unconfined_u:object_r:var_run_t:s0->unconfined_u:object_r:iptables_var_run_t:s0


Actual results:
[root@ci-vm-10-0-136-216 ~]# ausearch -m avc -ts today
----
time->Mon Aug 12 11:29:20 2019
type=PROCTITLE msg=audit(1565623760.722:10351): proctitle=2F7573722F7362696E2F65627461626C6573002D2D636F6E63757272656E74002D4C
type=SYSCALL msg=audit(1565623760.722:10351): arch=c000003e syscall=2 success=no exit=-13 a0=7f5ee1282480 a1=40 a2=180 a3=7f5ede2f7440 items=0 ppid=30233 pid=30241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ebtables" exe="/usr/sbin/ebtables" subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(1565623760.722:10351): avc:  denied  { read } for  pid=30241 comm="ebtables" name="ebtables.lock" dev="tmpfs" ino=130219 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
[root@ci-vm-10-0-136-216 ~]# ausearch -m avc -ts today -r
type=AVC msg=audit(1565623760.722:10351): avc:  denied  { read } for  pid=30241 comm="ebtables" name="ebtables.lock" dev="tmpfs" ino=130219 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1565623760.722:10351): arch=c000003e syscall=2 success=no exit=-13 a0=7f5ee1282480 a1=40 a2=180 a3=7f5ede2f7440 items=0 ppid=30233 pid=30241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ebtables" exe="/usr/sbin/ebtables" subj=system_u:system_r:iptables_t:s0 key=(null)
type=PROCTITLE msg=audit(1565623760.722:10351): proctitle=2F7573722F7362696E2F65627461626C6573002D2D636F6E63757272656E74002D4C

[root@ci-vm-10-0-136-216 ~]# ausearch -m avc -ts today -r | audit2allow

#============= iptables_t ==============
allow iptables_t var_run_t:file read;

Expected results:
no denials
ebtables command is able to run concurrently

Additional info:

Comment 2 Zdenek Pytela 2019-08-13 16:45:42 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7 because it is seen either as low or moderate impact to a small number of use-cases. The next minor release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

Comment 3 Tomas Dolezal 2019-08-14 13:58:29 UTC
Hello Lukas,
is there an SELinux way to circumvent the issue? I am wondering whether it is possible and what a workaround could look like.

Thanks

Comment 4 Lukas Vrabec 2019-08-15 15:52:23 UTC
Hi Tomas, 

Adding workaround:


# yum install selinux-policy-devel -y

# cat unconfined_ebtables.te
policy_module(unconfined_ebtables,1.0)

gen_require(`
    type iptables_var_run_t;
    attribute userdomain;
')

# Named file transition: a file called "ebtables.lock" created in /var/run by
# any userdomain process gets iptables_var_run_t instead of the default var_run_t.
files_pid_filetrans(userdomain, iptables_var_run_t, file, "ebtables.lock")

# make -f /usr/share/selinux/devel/Makefile unconfined_ebtables.pp
# semodule -i unconfined_ebtables.pp

Thanks,
Lukas.

Comment 5 Tomas Dolezal 2019-08-16 14:43:19 UTC
Thanks for the snippet, Lukasi.

I confirmed that it works with selinux-policy-3.13.1-252.el7.noarch

