Description of problem:
I used "ping -I" (capital i), but with the IP address instead of an interface name.

SELinux is preventing ping from 'node_bind' accesses on the icmp_socket labeled node_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ping should be allowed node_bind access on icmp_socket labeled node_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'ping' --raw | audit2allow -M my-ping
# semodule -X 300 -i my-ping.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                system_u:object_r:node_t:s0
Target Objects                Unknown [ icmp_socket ]
Source                        ping
Source Path                   ping
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.4-47.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.4.13-201.fc31.x86_64 #1 SMP Tue Jan 21 17:21:47 UTC 2020 x86_64 x86_64
Alert Count                   2
First Seen                    2020-02-17 11:31:48 WET
Last Seen                     2020-02-17 11:31:55 WET
Local ID                      12416dcf-fed7-47f4-ad72-58d9123f680c

Raw Audit Messages
type=AVC msg=audit(1581939115.251:4935): avc: denied { node_bind } for pid=396414 comm="ping" saddr=192.168.0.140 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=0

Hash: ping,unconfined_t,node_t,icmp_socket,node_bind

Version-Release number of selected component:
selinux-policy-3.14.4-47.fc31.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.12.0
hashmarkername: setroubleshoot
kernel:         5.4.13-201.fc31.x86_64
type:           libreport
*** Bug 1826117 has been marked as a duplicate of this bug. ***
Carlos and Tim,

Thank you for reporting the issue. There is an avc denial for the node_bind permission on icmp_socket. It seems to be triggered on these conditions:
- non-root user
- for ping, stating an explicit address with the -I option
- for traceroute, the icmp protocol is used with the -I option

It happens for ping and traceroute and their alternatives. It happens for IPv4 and IPv6. Is it correct?
*** Bug 1810403 has been marked as a duplicate of this bug. ***
Switching the component to iputils.

With the changes introduced in bz#1740809, non-root users are no longer able to use ping when stating the source address explicitly. Is it correct and expected?

Similarly, traceroute executed by a non-root user and using the icmp protocol is now not denied at the socket call, but later on bind because of a missing selinux permission. Is it correct and expected?
@Zdenek, sorry for missing this bug

ping fails for root as well as non-root users:

[vagrant@test-mercury ~]$ sudo su
[root@test-mercury vagrant]# ping -I fca0:bd73:a084:4c99:ca2b::1 ff02::1%ztr2qxgmuo
ping: bind icmp socket: Permission denied

bz#1740809 is IPv4 only, so it cannot be the source of the issue.
(In reply to Zdenek Pytela from comment #4)
> Switching the component to iputils.
>
> With the changes introduced in bz#1740809, non-root users are no longer able
> to use ping with stating source address explicitly. Is it correct and
> expected?
>
> Similarly, traceroute executed by non-root user and using icmp protocol is
> now not denied at the socket call, but later on bind because of selinux
> permission missing. Is it correct and expected?

Tested ping and traceroute on IPv4 and IPv6 and can confirm that's the case.
Ok, just to confirm, it's for root and non-root users
Tim,

I cannot reproduce it directly this way. Do you happen to use confined users?

Please send also audit logs, and increase the amount of audited information if possible:
auditctl -d never,task
auditctl -w /etc/shadow
ping ...
ausearch -i -m avc,user_avc -ts recent
Carlos,

I cannot reproduce it either for a root user. Do you happen to use confined users?

Please send audit logs with the amount of audited information increased:
auditctl -d never,task
auditctl -w /etc/shadow
ping/traceroute ...
ausearch -i -m avc,user_avc -ts recent
This is a default install of F31, didn't change anything related to confinement.

---
type=PROCTITLE msg=audit(22/04/20 11:35:57.557:350) : proctitle=ping -I 192.168.9.220 192.168.254.254
type=SOCKADDR msg=audit(22/04/20 11:35:57.557:350) : saddr={ saddr_fam=inet laddr=192.168.9.220 lport=0 }
type=SYSCALL msg=audit(22/04/20 11:35:57.557:350) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x3 a1=0x55a9885b5020 a2=0x10 a3=0x7f140af9bac0 items=0 ppid=5782 pid=5865 auid=cesilva uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=2 comm=ping exe=/usr/bin/ping subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(22/04/20 11:35:57.557:350) : avc: denied { node_bind } for pid=5865 comm=ping saddr=192.168.9.220 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=0
Zdenek

I'm using a pretty vanilla vagrant box 'fedora/31-cloud-base' and the 'vagrant' user. I don't know what 'confined users' are, so I'm not using them on purpose.

[vagrant@test-mercury ~]$ sudo auditctl -d never,task
[vagrant@test-mercury ~]$ auditctl -w /etc/shadow
You must be root to run this program.
[vagrant@test-mercury ~]$ sudo auditctl -w /etc/shadow
[vagrant@test-mercury ~]$ ping -I fca0:bd73:a084:4c99:ca2b::1 ff02::1%ztr2qxgmuo
ping: bind icmp socket: Permission denied
[vagrant@test-mercury ~]$ ausearch -i -m avc,user_avc -ts recent
Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
Error opening /var/log/audit/audit.log (Permission denied)
[vagrant@test-mercury ~]$ sudo ausearch -i -m avc,user_avc -ts recent
----
type=PROCTITLE msg=audit(22/04/20 10:34:07.983:2085) : proctitle=ping -I 10.0.89.155 8.8.8.8
type=SOCKADDR msg=audit(22/04/20 10:34:07.983:2085) : saddr={ saddr_fam=inet laddr=10.0.89.155 lport=0 }
type=SYSCALL msg=audit(22/04/20 10:34:07.983:2085) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x3 a1=0x55fa3e501020 a2=0x10 a3=0x7f657db0eac0 items=0 ppid=7687 pid=7689 auid=vagrant uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=ping exe=/usr/bin/ping subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(22/04/20 10:34:07.983:2085) : avc: denied { node_bind } for pid=7689 comm=ping saddr=10.0.89.155 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=0
----
type=PROCTITLE msg=audit(22/04/20 10:34:20.148:2088) : proctitle=ping -I fca0:bd73:a084:4c99:ca2b::1 ff02::1%ztr2qxgmuo
type=SOCKADDR msg=audit(22/04/20 10:34:20.148:2088) : saddr={ saddr_fam=inet6 laddr=fca0:bd73:a084:4c99:ca2b::1 lport=0 }
type=SYSCALL msg=audit(22/04/20 10:34:20.148:2088) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x4 a1=0x55653978a0e0 a2=0x1c a3=0x55653978a030 items=0 ppid=7450 pid=7690 auid=vagrant uid=vagrant gid=vagrant euid=vagrant suid=vagrant fsuid=vagrant egid=vagrant sgid=vagrant fsgid=vagrant tty=pts0 ses=3 comm=ping exe=/usr/bin/ping subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(22/04/20 10:34:20.148:2088) : avc: denied { node_bind } for pid=7690 comm=ping saddr=fca0:bd73:a084:4c99:ca2b::1 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=0

++++

and for root:

[vagrant@test-mercury ~]$ ping -I fca0:bd73:a084:4c99:ca2b::1 ff02::1%ztr2qxgmuo
ping: bind icmp socket: Permission denied
[vagrant@test-mercury ~]$ ausearch -i -m avc,user_avc -ts recent
Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
Error opening /var/log/audit/audit.log (Permission denied)
[vagrant@test-mercury ~]$ sudo ausearch -i -m avc,user_avc -ts recent
----
type=PROCTITLE msg=audit(22/04/20 10:34:07.983:2085) : proctitle=ping -I 10.0.89.155 8.8.8.8
type=SOCKADDR msg=audit(22/04/20 10:34:07.983:2085) : saddr={ saddr_fam=inet laddr=10.0.89.155 lport=0 }
type=SYSCALL msg=audit(22/04/20 10:34:07.983:2085) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x3 a1=0x55fa3e501020 a2=0x10 a3=0x7f657db0eac0 items=0 ppid=7687 pid=7689 auid=vagrant uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=ping exe=/usr/bin/ping subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(22/04/20 10:34:07.983:2085) : avc: denied { node_bind } for pid=7689 comm=ping saddr=10.0.89.155 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=0
----
type=PROCTITLE msg=audit(22/04/20 10:34:20.148:2088) : proctitle=ping -I fca0:bd73:a084:4c99:ca2b::1 ff02::1%ztr2qxgmuo
type=SOCKADDR msg=audit(22/04/20 10:34:20.148:2088) : saddr={ saddr_fam=inet6 laddr=fca0:bd73:a084:4c99:ca2b::1 lport=0 }
type=SYSCALL msg=audit(22/04/20 10:34:20.148:2088) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x4 a1=0x55653978a0e0 a2=0x1c a3=0x55653978a030 items=0 ppid=7450 pid=7690 auid=vagrant uid=vagrant gid=vagrant euid=vagrant suid=vagrant fsuid=vagrant egid=vagrant sgid=vagrant fsgid=vagrant tty=pts0 ses=3 comm=ping exe=/usr/bin/ping subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(22/04/20 10:34:20.148:2088) : avc: denied { node_bind } for pid=7690 comm=ping saddr=fca0:bd73:a084:4c99:ca2b::1 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=0

+++++

If it's of any use, I can strip down the Vagrant file, confirm the failure and post it. My platform is Mac tho' and it's got Mac specific network mapping.
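The audit records pasted in this thread come in two shapes: the raw audit.log form in the setroubleshoot report (msg=audit(1581939115.251:4935), comm="ping" quoted) and the `ausearch -i` interpreted form in the later comments (msg=audit(22/04/20 ...) :, comm=ping unquoted). The script below is an added example, not code from the bug report, from iputils or from selinux-policy. It parses both forms, extracts the (source type, target type, class, permission) tuple that a policy allow rule keys on, and classifies saddr as IPv4 or IPv6 so the "happens for IPv4 and IPv6" question from comment #3 can be answered from logs alone. The sample input is constructed from the AVC lines quoted above plus one unrelated constructed denial (comm="testsrv", tclass=tcp_socket) that serves only as a control for the grouping.

```python
"""Triage SELinux AVC denials such as the node_bind/icmp_socket ones in this thread.

Added example (not from the bug report or its participants).  Handles both the
raw audit.log record format and the `ausearch -i` interpreted format.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample: three AVC records copied from this thread and one
# unrelated, made-up denial used as a control for the grouping.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1581939115.251:4935): avc: denied { node_bind } for pid=396414 comm="ping" '
    'saddr=192.168.0.140 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=0',
    'type=AVC msg=audit(22/04/20 10:34:07.983:2085) : avc: denied { node_bind } for pid=7689 comm=ping '
    'saddr=10.0.89.155 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=0',
    'type=AVC msg=audit(22/04/20 10:34:20.148:2088) : avc: denied { node_bind } for pid=7690 comm=ping '
    'saddr=fca0:bd73:a084:4c99:ca2b::1 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=0',
    # constructed control record, not from the thread
    'type=AVC msg=audit(22/04/20 10:40:00.000:2100) : avc: denied { name_bind } for pid=8000 comm="testsrv" '
    'src=8080 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket permissive=0',
]

# "avc: denied { perm1 perm2 } for key=value ..." (raw form has extra spaces, hence \s+)
_AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; values are either "quoted" (raw form) or bare tokens (interpreted form)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

Key = Tuple[str, str, str, str]  # (source type, target type, class, permission)
THREAD_SIGNATURE: Key = ('unconfined_t', 'node_t', 'icmp_socket', 'node_bind')


def context_type(context: str) -> str:
    """Return the TYPE field of a user:role:TYPE[:range] SELinux context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def address_family(addr: Optional[str]) -> Optional[str]:
    """Classify an saddr value as 'inet' or 'inet6'; None if absent or not an IP literal."""
    if addr is None:
        return None
    try:
        return 'inet6' if ipaddress.ip_address(addr).version == 6 else 'inet'
    except ValueError:
        return None


def parse_avc(line: str) -> Optional[dict]:
    """Parse one AVC record; returns None for non-AVC lines (SYSCALL, PROCTITLE, ...)."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    pid = fields.get('pid', '')
    return {
        'decision': m.group('decision'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'pid': int(pid) if pid.isdigit() else None,
        'saddr': fields.get('saddr'),
        'family': address_family(fields.get('saddr')),
        'source_type': context_type(fields.get('scontext', '')),
        'target_type': context_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass'),
        'permissive': fields.get('permissive') == '1',
    }


def matches_thread(rec: dict) -> bool:
    """True if the record is the unconfined_t -> node_t icmp_socket node_bind denial from this bug."""
    src, tgt, cls, perm = THREAD_SIGNATURE
    return (rec['decision'] == 'denied'
            and (rec['source_type'], rec['target_type'], rec['tclass']) == (src, tgt, cls)
            and perm in rec['perms'])


def summarize(lines: List[str]) -> Dict[Key, dict]:
    """Group denied AVCs by (source type, target type, class, permission) with counts, comms, families."""
    groups: Dict[Key, dict] = defaultdict(lambda: {'count': 0, 'comms': set(), 'families': set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        for perm in rec['perms']:  # one AVC record may list several permissions
            g = groups[(rec['source_type'], rec['target_type'], rec['tclass'], perm)]
            g['count'] += 1
            g['comms'].add(rec['comm'])
            if rec['family']:
                g['families'].add(rec['family'])
    return dict(groups)


if __name__ == '__main__':
    for key, g in sorted(summarize(SAMPLE_AVC_LINES).items()):
        print(f"{key}: {g['count']} denial(s), comm={sorted(g['comms'])}, families={sorted(g['families'])}")
```

Feeding it the output of `ausearch -i -m avc,user_avc -ts recent` (or the raw audit.log) groups denials exactly the way audit2allow would key its generated allow rules, so you can see how broad a `my-ping` module would be before installing it; the `families` set shows directly whether both the inet and inet6 binds hit the same rule.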
This package has changed maintainer in the Fedora. Reassigning to the new maintainer of this component.
This has already been fixed in selinux-policy. *** This bug has been marked as a duplicate of bug 1848929 ***