Description of problem: SELinux is preventing traceroute from 'node_bind' accesses on the icmp_socket labeled node_t. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that traceroute should be allowed node_bind access on icmp_socket labeled node_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute # semodule -X 300 -i my-traceroute.pp Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Context system_u:object_r:node_t:s0 Target Objects Unknown [ icmp_socket ] Source traceroute Source Path traceroute Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.4-47.fc31.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.4.17-200.fc31.x86_64 #1 SMP Sat Feb 1 19:00:13 UTC 2020 x86_64 x86_64 Alert Count 1 First Seen 2020-02-13 10:50:41 CET Last Seen 2020-02-13 10:50:41 CET Local ID 728a70c4-8b82-4ee1-8738-206f6f36a74e Raw Audit Messages type=AVC msg=audit(1581587441.43:856): avc: denied { node_bind } for pid=95147 comm="traceroute" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=0 Hash: traceroute,unconfined_t,node_t,icmp_socket,node_bind Version-Release number of selected component: selinux-policy-3.14.4-47.fc31.noarch Additional info: component: selinux-policy reporter: libreport-2.12.0 hashmarkername: setroubleshoot kernel: 5.5.7-200.fc31.x86_64 type: libreport
Hi, Could you please share the reproducing steps or a use case to trigger an AVC like this? Which switches are used? Besides, what is the path to the traceroute binary? Please list: $ ls -lZ /usr/bin/traceroute
Steps to repro: $ traceroute -I <any ip> bind: Permission denied $ ls -lZ $(which traceroute) -rwxr-xr-x. 1 root root system_u:object_r:traceroute_exec_t:s0 86984 2019-07-27 14:43 /usr/bin/traceroute*
Are all policy modules enabled on your machine? # semodule -lfull | grep -i disa
(In reply to Milos Malik from comment #3) > Are all policy modules enabled on your machine? > > # semodule -lfull | grep -i disa The output of `sudo semodule -lfull | grep -i disa` is empty on my machine. I'm not aware having modified anything there, though. Would the full output (without grep) help you?
Checking with traceroute maintainer: Jan, is traceroute expected to work for a user with icmp datagrams? Unlike ping which is shipped with cap_net_admin,cap_net_raw+p, traceroute does not have the file capabilities. Traceroute works for a user with the default udp, as well as it works for root with any protocol.
Similar problem has been detected: Using (as a non-root user): # traceroute -I <host> hashmarkername: setroubleshoot kernel: 5.5.8-200.fc31.x86_64 package: selinux-policy-3.14.4-49.fc31.noarch reason: SELinux is preventing traceroute from 'node_bind' accesses on the icmp_socket labeled node_t. type: libreport
I manage to find the answer: The file capabilities will not be used for ping/traceroute as a result of changes in sysctl: https://bugzilla.redhat.com/show_bug.cgi?id=1740809 https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange and subsequently applied to ping, Rawhide/F33 only: https://bugzilla.redhat.com/show_bug.cgi?id=1699497 Closing as a duplicate of 1803759 to continue the discussion there. *** This bug has been marked as a duplicate of bug 1803759 ***