Bug 1770186 - restart of lldpd service triggers SELinux denials
Summary: restart of lldpd service triggers SELinux denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 31
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Richard Fiľo
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-11-08 12:02 UTC by Richard Fiľo
Modified: 2019-12-11 02:05 UTC (History)

Fixed In Version: selinux-policy-3.14.4-43.fc31
Clone Of:
Environment:
Last Closed: 2019-12-11 02:05:48 UTC
Type: Bug
Embargoed:



Description Richard Fiľo 2019-11-08 12:02:25 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.14.4-40.fc31.noarch
selinux-policy-targeted-3.14.4-40.fc31.noarch
lldpd-1.0.4-1.fc31.x86_64.rpm

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 31 machine (targeted policy is active)
2. service lldpd start
3. restorecon -Rv /run
4. service lldpd restart
5. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(11/08/2019 06:36:11.503:359) : proctitle=/usr/sbin/lldpd 
type=PATH msg=audit(11/08/2019 06:36:11.503:359) : item=1 name=/run/lldpd/lldpd.socket inode=32140 dev=00:19 mode=socket,770 ouid=lldpd ogid=lldpd rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(11/08/2019 06:36:11.503:359) : item=0 name=/run/lldpd/ inode=25788 dev=00:19 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/08/2019 06:36:11.503:359) : cwd=/ 
type=SYSCALL msg=audit(11/08/2019 06:36:11.503:359) : arch=x86_64 syscall=unlink success=no exit=EACCES(Permission denied) a0=0x55fc6c233120 a1=0x55fc6b0648c6 a2=0x17 a3=0x0 items=2 ppid=1 pid=4222 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null) 
type=AVC msg=audit(11/08/2019 06:36:11.503:359) : avc:  denied  { unlink } for  pid=4222 comm=lldpd name=lldpd.socket dev="tmpfs" ino=32140 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(11/08/2019 06:36:11.541:361) : proctitle=/usr/sbin/lldpd 
type=PATH msg=audit(11/08/2019 06:36:11.541:361) : item=0 name=/run/lldpd/lldpd.socket inode=32140 dev=00:19 mode=socket,770 ouid=lldpd ogid=lldpd rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/08/2019 06:36:11.541:361) : cwd=/ 
type=SOCKADDR msg=audit(11/08/2019 06:36:11.541:361) : saddr={ saddr_fam=local path=/run/lldpd/lldpd.socket } 
type=SYSCALL msg=audit(11/08/2019 06:36:11.541:361) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x6 a1=0x7ffef1d6eca0 a2=0x6e a3=0x557b04e764a0 items=1 ppid=1 pid=4806 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null) 
type=AVC msg=audit(11/08/2019 06:36:11.541:361) : avc:  denied  { write } for  pid=4806 comm=lldpd name=lldpd.socket dev="tmpfs" ino=32140 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(11/08/2019 06:36:11.717:365) : proctitle=/usr/sbin/lldpd 
type=PATH msg=audit(11/08/2019 06:36:11.717:365) : item=0 name=/run/lldpd/lldpd.socket inode=32140 dev=00:19 mode=socket,770 ouid=lldpd ogid=lldpd rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/08/2019 06:36:11.717:365) : cwd=/ 
type=SOCKADDR msg=audit(11/08/2019 06:36:11.717:365) : saddr={ saddr_fam=local path=/run/lldpd/lldpd.socket } 
type=SYSCALL msg=audit(11/08/2019 06:36:11.717:365) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x6 a1=0x7ffe50b29a40 a2=0x6e a3=0x5653beb5b4a0 items=1 ppid=1 pid=4922 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null) 
type=AVC msg=audit(11/08/2019 06:36:11.717:365) : avc:  denied  { write } for  pid=4922 comm=lldpd name=lldpd.socket dev="tmpfs" ino=32140 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(11/08/2019 06:36:11.990:369) : proctitle=/usr/sbin/lldpd 
type=PATH msg=audit(11/08/2019 06:36:11.990:369) : item=0 name=/run/lldpd/lldpd.socket inode=32140 dev=00:19 mode=socket,770 ouid=lldpd ogid=lldpd rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/08/2019 06:36:11.990:369) : cwd=/ 
type=SOCKADDR msg=audit(11/08/2019 06:36:11.990:369) : saddr={ saddr_fam=local path=/run/lldpd/lldpd.socket } 
type=SYSCALL msg=audit(11/08/2019 06:36:11.990:369) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x6 a1=0x7fff0fcaf500 a2=0x6e a3=0x55e41c35e4a0 items=1 ppid=1 pid=4968 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null) 
type=AVC msg=audit(11/08/2019 06:36:11.990:369) : avc:  denied  { write } for  pid=4968 comm=lldpd name=lldpd.socket dev="tmpfs" ino=32140 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(11/08/2019 06:36:12.219:373) : proctitle=/usr/sbin/lldpd 
type=PATH msg=audit(11/08/2019 06:36:12.219:373) : item=0 name=/run/lldpd/lldpd.socket inode=32140 dev=00:19 mode=socket,770 ouid=lldpd ogid=lldpd rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/08/2019 06:36:12.219:373) : cwd=/ 
type=SOCKADDR msg=audit(11/08/2019 06:36:12.219:373) : saddr={ saddr_fam=local path=/run/lldpd/lldpd.socket } 
type=SYSCALL msg=audit(11/08/2019 06:36:12.219:373) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x6 a1=0x7ffe0a49a8c0 a2=0x6e a3=0x55e2b14674a0 items=1 ppid=1 pid=4971 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null) 
type=AVC msg=audit(11/08/2019 06:36:12.219:373) : avc:  denied  { write } for  pid=4971 comm=lldpd name=lldpd.socket dev="tmpfs" ino=32140 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0 

Expected results:
 * no SELinux denials
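As a triage aid for the records above, and not part of the bug report or of the selinux-policy fix: a small Python parser over the AVC lines. It groups the denied permissions by source type, target type and object class, renders the audit2allow-style rule a blanket fix would add, and flags denials whose target carries a generic type. In this report both /run/lldpd/ and the socket are var_run_t after restorecon while the daemon runs as lldpad_t, so the unlink/write denials on a var_run_t sock_file point at file labelling rather than at a missing permission. The sample records are copied from the report; the GENERIC_TARGET_TYPES list, the function names and the flagging heuristic are the example's own assumptions.

```python
"""Triage of the AVC records in this bug (added example; not part of the
bug report or of the selinux-policy fix).  Parses audit AVC lines, groups
denials by (source type, target type, class) and prints the rule that
audit2allow would suggest, flagging targets that carry a generic label."""
import re
from collections import defaultdict

# Three of the five AVC records from the bug report (the remaining two
# repeat the { write } denial with different pids).
SAMPLE_AVCS = """\
type=AVC msg=audit(11/08/2019 06:36:11.503:359) : avc:  denied  { unlink } for  pid=4222 comm=lldpd name=lldpd.socket dev="tmpfs" ino=32140 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(11/08/2019 06:36:11.541:361) : avc:  denied  { write } for  pid=4806 comm=lldpd name=lldpd.socket dev="tmpfs" ino=32140 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(11/08/2019 06:36:11.717:365) : avc:  denied  { write } for  pid=4922 comm=lldpd name=lldpd.socket dev="tmpfs" ino=32140 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic types that serve as the default label under /run, /tmp, /var ...
# A denial whose target carries one of these usually means the file is
# mislabelled (missing fcontext entry or type transition), so the fix is a
# labelling rule, not a broad allow rule.  Heuristic list, an assumption.
GENERIC_TARGET_TYPES = {"var_run_t", "tmp_t", "var_t", "var_lib_t", "etc_t"}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"),
           "perms": set(m.group("perms").split())}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # A context is user:role:type[:range]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(text):
    """Union of denied permissions per (source type, target type, class)."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            groups[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(groups)


def allow_rules(groups):
    """Render audit2allow-style rules (what a blanket fix would look like)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(groups.items())]


def labelling_suspects(groups):
    """Keys whose target type is generic: likely a labelling bug."""
    return [key for key in groups if key[1] in GENERIC_TARGET_TYPES]


if __name__ == "__main__":
    found = summarize(SAMPLE_AVCS)
    for rule in allow_rules(found):
        print(rule)
    for s, t, c in labelling_suspects(found):
        print(f"# {s} -> {t}:{c}: target carries a generic label; check the "
              f"file context (matchpathcon, restorecon -n -v) before allowing")
```

Run against the report's records it prints `allow lldpad_t var_run_t:sock_file { unlink write };` followed by the labelling warning; the warning is the useful part, because granting lldpad_t write access to every var_run_t socket under /run would be far broader than giving /run/lldpd its own label.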

Comment 1 Richard Fiľo 2019-11-08 13:53:20 UTC
It will be fixed in SELinux policy package.

fix: https://github.com/fedora-selinux/selinux-policy-contrib/commit/6c7983afc2a1a6714aa2e3c70ef2969d462e69e1

Comment 2 Fedora Update System 2019-11-22 16:17:22 UTC
FEDORA-2019-fefda9dd5e has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

Comment 3 Fedora Update System 2019-11-23 02:39:10 UTC
selinux-policy-3.14.4-42.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

Comment 4 Fedora Update System 2019-12-06 18:02:27 UTC
FEDORA-2019-fefda9dd5e has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

Comment 5 Fedora Update System 2019-12-07 03:38:18 UTC
container-selinux-2.123.0-2.fc31, selinux-policy-3.14.4-43.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

Comment 6 Fedora Update System 2019-12-11 02:05:48 UTC
container-selinux-2.123.0-2.fc31, selinux-policy-3.14.4-43.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

