Bug 1834773

Summary: SELinux prevents tcpdump from creating a RDMA socket (test failing with new tcpdump and libpcap)
Product: Red Hat Enterprise Linux 8
Component: selinux-policy
Version: 8.3
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Target Milestone: rc
Target Release: 8.3
Keywords: AutoVerified, Triaged
Flags: pm-rhel: mirror+
Reporter: Michal Ruprich <mruprich>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Milos Malik <mmalik>
CC: lvrabec, mmalik, plautrba, ssekidde
Doc Type: No Doc Update
Last Closed: 2020-11-04 01:56:37 UTC
Type: Bug
Bug Blocks: 1743650
Attachments: Full test log

Description Michal Ruprich 2020-05-12 11:50:45 UTC
Created attachment 1687661
Full test log

Description of problem:
Test CoreOS/selinux-policy/Regression/bz593159-tcpdump-and-USB is failing with AVC checks. This is expected and it is caused by enabling RDMA in libpcap (rhbz #1743650). We discussed this with lvrabec; this needs to be fixed ASAP in order to get the new tcpdump through gating in RHEL-8.3.0. For the full log, see the attachment. This is the AVC check part:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Cleanup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 15:18:31 ] :: [   LOG    ] :: rlSEAVCCheck: Search for AVCs, USER_AVCs, SELINUX_ERRs, and USER_SELINUX_ERRs since timestamp 'TIMESTAMP' [05/07/2020 15:16:01]
----
type=PROCTITLE msg=audit(05/07/2020 15:17:17.546:944) : proctitle=/usr/sbin/tcpdump -i lo -Z tcpdump -w ./capturefile 
type=SYSCALL msg=audit(05/07/2020 15:17:17.546:944) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=hmp a3=0x0 items=0 ppid=24380 pid=24383 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=15 comm=tcpdump exe=/usr/sbin/tcpdump subj=system_u:system_r:netutils_t:s0 key=(null) 
type=AVC msg=audit(05/07/2020 15:17:17.546:944) : avc:  denied  { create } for  pid=24383 comm=tcpdump scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:system_r:netutils_t:s0 tclass=netlink_rdma_socket permissive=0 
----
type=USER_AVC msg=audit(05/07/2020 15:17:28.908:948) : pid=669 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=3)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(05/07/2020 15:17:32.915:954) : pid=669 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=4)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=PROCTITLE msg=audit(05/07/2020 15:17:33.614:986) : proctitle=/sbin/tcpdump -c 1 
type=SYSCALL msg=audit(05/07/2020 15:17:33.614:986) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=pup a3=0x7fb3fd8bdba0 items=0 ppid=24675 pid=24676 auid=user2167 uid=user2167 gid=user2167 euid=user2167 suid=user2167 fsuid=user2167 egid=user2167 sgid=user2167 fsgid=user2167 tty=pts1 ses=16 comm=tcpdump exe=/usr/sbin/tcpdump subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/07/2020 15:17:33.614:986) : avc:  denied  { create } for  pid=24676 comm=tcpdump scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=0 
----
type=PROCTITLE msg=audit(05/07/2020 15:17:34.184:1024) : proctitle=/sbin/tcpdump -D 
type=SYSCALL msg=audit(05/07/2020 15:17:34.184:1024) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=pup a3=0x7fc2a8bc3ba0 items=0 ppid=24742 pid=24743 auid=user2167 uid=user2167 gid=user2167 euid=user2167 suid=user2167 fsuid=user2167 egid=user2167 sgid=user2167 fsgid=user2167 tty=pts1 ses=18 comm=tcpdump exe=/usr/sbin/tcpdump subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/07/2020 15:17:34.184:1024) : avc:  denied  { create } for  pid=24743 comm=tcpdump scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=0 
----
type=PROCTITLE msg=audit(05/07/2020 15:17:34.729:1062) : proctitle=/sbin/tcpdump -L 
type=SYSCALL msg=audit(05/07/2020 15:17:34.729:1062) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=pup a3=0x7fc94a8a7ba0 items=0 ppid=24809 pid=24810 auid=user2167 uid=user2167 gid=user2167 euid=user2167 suid=user2167 fsuid=user2167 egid=user2167 sgid=user2167 fsgid=user2167 tty=pts1 ses=20 comm=tcpdump exe=/usr/sbin/tcpdump subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/07/2020 15:17:34.729:1062) : avc:  denied  { create } for  pid=24810 comm=tcpdump scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=0 
----
type=USER_AVC msg=audit(05/07/2020 15:17:38.510:1084) : pid=669 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=5)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(05/07/2020 15:17:43.309:1091) : pid=669 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=6)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=PROCTITLE msg=audit(05/07/2020 15:17:43.887:1122) : proctitle=/sbin/tcpdump -c 1 
type=SYSCALL msg=audit(05/07/2020 15:17:43.887:1122) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=pup a3=0x7f5223be2ba0 items=0 ppid=24976 pid=24977 auid=user2167 uid=user2167 gid=user2167 euid=user2167 suid=user2167 fsuid=user2167 egid=user2167 sgid=user2167 fsgid=user2167 tty=pts1 ses=22 comm=tcpdump exe=/usr/sbin/tcpdump subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(05/07/2020 15:17:43.887:1122) : avc:  denied  { create } for  pid=24977 comm=tcpdump scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=netlink_netfilter_socket permissive=0 
----
type=PROCTITLE msg=audit(05/07/2020 15:17:44.343:1160) : proctitle=/sbin/tcpdump -D 
type=SYSCALL msg=audit(05/07/2020 15:17:44.343:1160) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=pup a3=0x7fae29f20ba0 items=0 ppid=25043 pid=25044 auid=user2167 uid=user2167 gid=user2167 euid=user2167 suid=user2167 fsuid=user2167 egid=user2167 sgid=user2167 fsgid=user2167 tty=pts1 ses=24 comm=tcpdump exe=/usr/sbin/tcpdump subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(05/07/2020 15:17:44.343:1160) : avc:  denied  { create } for  pid=25044 comm=tcpdump scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=netlink_netfilter_socket permissive=0 
----
type=PROCTITLE msg=audit(05/07/2020 15:17:44.814:1198) : proctitle=/sbin/tcpdump -L 
type=SYSCALL msg=audit(05/07/2020 15:17:44.814:1198) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=pup a3=0x7efec87d6ba0 items=0 ppid=25110 pid=25111 auid=user2167 uid=user2167 gid=user2167 euid=user2167 suid=user2167 fsuid=user2167 egid=user2167 sgid=user2167 fsgid=user2167 tty=pts1 ses=26 comm=tcpdump exe=/usr/sbin/tcpdump subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(05/07/2020 15:17:44.814:1198) : avc:  denied  { create } for  pid=25111 comm=tcpdump scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=netlink_netfilter_socket permissive=0 
----
type=USER_AVC msg=audit(05/07/2020 15:17:48.601:1218) : pid=669 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=7)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(05/07/2020 15:17:53.222:1226) : pid=669 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=8)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(05/07/2020 15:17:57.991:1349) : pid=669 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=9)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(05/07/2020 15:18:02.646:1356) : pid=669 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=10)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=PROCTITLE msg=audit(05/07/2020 15:18:03.241:1389) : proctitle=/sbin/tcpdump -c 1 
type=SYSCALL msg=audit(05/07/2020 15:18:03.241:1389) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=pup a3=0x7f7d71f58ba0 items=0 ppid=25551 pid=25553 auid=user2167 uid=user2167 gid=user2167 euid=user2167 suid=user2167 fsuid=user2167 egid=user2167 sgid=user2167 fsgid=user2167 tty=pts1 ses=34 comm=tcpdump exe=/usr/sbin/tcpdump subj=xguest_u:xguest_r:xguest_t:s0 key=(null) 
type=AVC msg=audit(05/07/2020 15:18:03.241:1389) : avc:  denied  { create } for  pid=25553 comm=tcpdump scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=netlink_netfilter_socket permissive=0 
----
type=PROCTITLE msg=audit(05/07/2020 15:18:03.620:1427) : proctitle=/sbin/tcpdump -D 
type=SYSCALL msg=audit(05/07/2020 15:18:03.620:1427) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=pup a3=0x7fb2b8fe8ba0 items=0 ppid=25610 pid=25612 auid=user2167 uid=user2167 gid=user2167 euid=user2167 suid=user2167 fsuid=user2167 egid=user2167 sgid=user2167 fsgid=user2167 tty=pts1 ses=36 comm=tcpdump exe=/usr/sbin/tcpdump subj=xguest_u:xguest_r:xguest_t:s0 key=(null) 
type=AVC msg=audit(05/07/2020 15:18:03.620:1427) : avc:  denied  { create } for  pid=25612 comm=tcpdump scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=netlink_netfilter_socket permissive=0 
----
type=PROCTITLE msg=audit(05/07/2020 15:18:04.012:1465) : proctitle=/sbin/tcpdump -L 
type=SYSCALL msg=audit(05/07/2020 15:18:04.012:1465) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=pup a3=0x7f9619399ba0 items=0 ppid=25669 pid=25671 auid=user2167 uid=user2167 gid=user2167 euid=user2167 suid=user2167 fsuid=user2167 egid=user2167 sgid=user2167 fsgid=user2167 tty=pts1 ses=38 comm=tcpdump exe=/usr/sbin/tcpdump subj=xguest_u:xguest_r:xguest_t:s0 key=(null) 
type=AVC msg=audit(05/07/2020 15:18:04.012:1465) : avc:  denied  { create } for  pid=25671 comm=tcpdump scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=netlink_netfilter_socket permissive=0 
----
type=USER_AVC msg=audit(05/07/2020 15:18:07.621:1482) : pid=669 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=11)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(05/07/2020 15:18:12.429:1491) : pid=669 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=12)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=PROCTITLE msg=audit(05/07/2020 15:18:12.995:1521) : proctitle=/sbin/tcpdump -c 1 
type=SYSCALL msg=audit(05/07/2020 15:18:12.995:1521) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=hmp a3=0x0 items=0 ppid=25831 pid=25832 auid=user2167 uid=user2167 gid=user2167 euid=user2167 suid=user2167 fsuid=user2167 egid=user2167 sgid=user2167 fsgid=user2167 tty=pts1 ses=40 comm=tcpdump exe=/usr/sbin/tcpdump subj=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/07/2020 15:18:12.995:1521) : avc:  denied  { create } for  pid=25832 comm=tcpdump scontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=0 
----
type=PROCTITLE msg=audit(05/07/2020 15:18:12.995:1522) : proctitle=/sbin/tcpdump -c 1 
type=SYSCALL msg=audit(05/07/2020 15:18:12.995:1522) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=hmp a3=0x0 items=0 ppid=25831 pid=25832 auid=user2167 uid=user2167 gid=user2167 euid=user2167 suid=user2167 fsuid=user2167 egid=user2167 sgid=user2167 fsgid=user2167 tty=pts1 ses=40 comm=tcpdump exe=/usr/sbin/tcpdump subj=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/07/2020 15:18:12.995:1522) : avc:  denied  { create } for  pid=25832 comm=tcpdump scontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=0 
----
type=PROCTITLE msg=audit(05/07/2020 15:18:13.503:1560) : proctitle=/sbin/tcpdump -D 
type=SYSCALL msg=audit(05/07/2020 15:18:13.503:1560) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=hmp a3=0x0 items=0 ppid=25899 pid=25900 auid=user2167 uid=user2167 gid=user2167 euid=user2167 suid=user2167 fsuid=user2167 egid=user2167 sgid=user2167 fsgid=user2167 tty=pts1 ses=42 comm=tcpdump exe=/usr/sbin/tcpdump subj=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/07/2020 15:18:13.503:1560) : avc:  denied  { create } for  pid=25900 comm=tcpdump scontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=0 
----
type=PROCTITLE msg=audit(05/07/2020 15:18:14.006:1598) : proctitle=/sbin/tcpdump -L 
type=SYSCALL msg=audit(05/07/2020 15:18:14.006:1598) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=hmp a3=0x0 items=0 ppid=25966 pid=25967 auid=user2167 uid=user2167 gid=user2167 euid=user2167 suid=user2167 fsuid=user2167 egid=user2167 sgid=user2167 fsgid=user2167 tty=pts1 ses=44 comm=tcpdump exe=/usr/sbin/tcpdump subj=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/07/2020 15:18:14.006:1598) : avc:  denied  { create } for  pid=25967 comm=tcpdump scontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=0 
----
type=PROCTITLE msg=audit(05/07/2020 15:18:14.006:1599) : proctitle=/sbin/tcpdump -L 
type=SYSCALL msg=audit(05/07/2020 15:18:14.006:1599) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=hmp a3=0x0 items=0 ppid=25966 pid=25967 auid=user2167 uid=user2167 gid=user2167 euid=user2167 suid=user2167 fsuid=user2167 egid=user2167 sgid=user2167 fsgid=user2167 tty=pts1 ses=44 comm=tcpdump exe=/usr/sbin/tcpdump subj=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/07/2020 15:18:14.006:1599) : avc:  denied  { create } for  pid=25967 comm=tcpdump scontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=0 
----
type=USER_AVC msg=audit(05/07/2020 15:18:18.025:1619) : pid=669 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=13)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(05/07/2020 15:18:22.767:1627) : pid=669 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=14)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(05/07/2020 15:18:28.540:1749) : pid=669 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=15)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(05/07/2020 15:18:29.069:1753) : pid=669 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=16)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
:: [ 15:18:31 ] :: [   INFO   ] :: rlSEAVCCheck: ignoring patterns:
:: [ 15:18:31 ] :: [   INFO   ] :: rlSEAVCCheck:     type=USER_AVC.*received (policyload|setenforce) notice
:: [ 15:18:31 ] :: [   INFO   ] :: rlSEAVCCheck:     type=AVC.*create.*xguest_t.*xguest_t.*tclass=.*_socket
:: [ 15:18:31 ] :: [   INFO   ] :: rlSEAVCCheck:     type=AVC.*create.*guest_t.*guest_t.*tclass=.*_socket
:: [ 15:18:31 ] :: [   INFO   ] :: rlSEAVCCheck:     type=AVC.*create.*user_t.*user_t.*tclass=.*_socket
:: [ 15:18:31 ] :: [   INFO   ] :: rlSEAVCCheck:     type=AVC.*create.*staff_t.*staff_t.*tclass=.*_socket
:: [ 15:18:31 ] :: [   INFO   ] :: rlSEAVCCheck:     type=AVC.*signal.*guest_t.*init_t.*tclass=process
---==============---
UNEXPECTED MESSAGES:
type=AVC msg=audit(05/07/2020 15:17:17.546:944) : avc:  denied  { create } for  pid=24383 comm=tcpdump scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:system_r:netutils_t:s0 tclass=netlink_rdma_socket permissive=0 
type=AVC msg=audit(05/07/2020 15:18:12.995:1521) : avc:  denied  { create } for  pid=25832 comm=tcpdump scontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=0 
type=AVC msg=audit(05/07/2020 15:18:12.995:1522) : avc:  denied  { create } for  pid=25832 comm=tcpdump scontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=0 
type=AVC msg=audit(05/07/2020 15:18:13.503:1560) : avc:  denied  { create } for  pid=25900 comm=tcpdump scontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=0 
type=AVC msg=audit(05/07/2020 15:18:14.006:1598) : avc:  denied  { create } for  pid=25967 comm=tcpdump scontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=0 
type=AVC msg=audit(05/07/2020 15:18:14.006:1599) : avc:  denied  { create } for  pid=25967 comm=tcpdump scontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=0 
---==============---
:: [ 15:18:31 ] :: [   FAIL   ] :: Check there are no unexpected AVCs/ERRORs (Assert: expected 0, got 1)
:: [ 15:18:31 ] :: [  BEGIN   ] :: Running 'umount /sys/kernel/debug/'
:: [ 15:18:31 ] :: [   PASS   ] :: Command 'umount /sys/kernel/debug/' (Expected 0,32, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 2s
::   Assertions: 1 good, 1 bad
::   RESULT: WARN (Cleanup)

** Cleanup WARN Score:1
Uploading resultoutputfile.log .done


Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-43.el8.noarch
tcpdump-4.9.3-1.el8

How reproducible:
always

Steps to Reproduce:
1. Re-run the aforementioned test

Actual results:
AVC check fails

Expected results:
AVC check passes

Comment 3 Zdenek Pytela 2020-05-12 14:27:01 UTC
Michale,

These are the allow rules required to be present in the policy:

allow netutils_t self:netlink_rdma_socket create;

allow staff_t self:netlink_netfilter_socket create;
allow user_t self:netlink_netfilter_socket create;
allow xguest_t self:netlink_netfilter_socket create;

Note that different SELinux users requested different socket types: for the netutils_t domain (unconfined_u and sysadm_u) it is netlink_rdma_socket, while for 3 other confined users it is netlink_netfilter_socket. Is this correct and expected as is, or can both of the socket types be used?

Comment 4 Zdenek Pytela 2020-05-12 14:28:34 UTC
Milosi,

Is it reasonable to test tcpdump in the dump mode for other users than unconfined_u and sysadm_u? Even staff_u seems to me to be questionable.

Comment 5 Milos Malik 2020-05-12 15:26:04 UTC
I believe that the following rule should be part of SELinux policy:

allow netutils_t self:netlink_rdma_socket create;

I agree that the following rules are questionable:

allow staff_t self:netlink_netfilter_socket create;
allow user_t self:netlink_netfilter_socket create;
allow xguest_t self:netlink_netfilter_socket create;

Comment 6 Zdenek Pytela 2020-05-13 09:51:34 UTC
Clarified with Michal in the background, removing needinfo.

This is the current status in the policy:

# sesearch -A -s netutils_t -t netutils_t -c netlink_rdma_socket -p create
# sesearch -A -s netutils_t -t netutils_t -c netlink_netfilter_socket -p create
allow netutils_t netutils_t:netlink_netfilter_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };

There is a transition to netutils_t for unconfined_t and sysadm_t on netutils_exec_t. Given the comment in the test:

  # based on agreement with developers, only unconfined_u and sysadm_u users can run tcpdump without limitations

we indeed need to add just this single rule.
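
Added example (not part of the bug report or of the test suite): a Python sketch of the triage the test log and Comments 3 to 6 walk through. It applies the ignore patterns printed by rlSEAVCCheck to AVC records excerpted from the log, then derives allow rules from the full set of denials and from the unexpected ones only. The function names are hypothetical, and rlSEAVCCheck's real implementation is assumed to behave like a plain regex search per line.

```python
import re

# Ignore patterns copied verbatim from the rlSEAVCCheck output in the log above.
IGNORE_PATTERNS = [
    r"type=USER_AVC.*received (policyload|setenforce) notice",
    r"type=AVC.*create.*xguest_t.*xguest_t.*tclass=.*_socket",
    r"type=AVC.*create.*guest_t.*guest_t.*tclass=.*_socket",
    r"type=AVC.*create.*user_t.*user_t.*tclass=.*_socket",
    r"type=AVC.*create.*staff_t.*staff_t.*tclass=.*_socket",
    r"type=AVC.*signal.*guest_t.*init_t.*tclass=process",
]

# Records excerpted from the log above, one per SELinux domain seen there.
SAMPLE_LOG = """\
type=AVC msg=audit(05/07/2020 15:17:17.546:944) : avc:  denied  { create } for  pid=24383 comm=tcpdump scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:system_r:netutils_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(05/07/2020 15:17:33.614:986) : avc:  denied  { create } for  pid=24676 comm=tcpdump scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=0
type=AVC msg=audit(05/07/2020 15:17:43.887:1122) : avc:  denied  { create } for  pid=24977 comm=tcpdump scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=netlink_netfilter_socket permissive=0
type=AVC msg=audit(05/07/2020 15:18:03.241:1389) : avc:  denied  { create } for  pid=25553 comm=tcpdump scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=netlink_netfilter_socket permissive=0
type=AVC msg=audit(05/07/2020 15:18:12.995:1521) : avc:  denied  { create } for  pid=25832 comm=tcpdump scontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:netutils_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=0
type=USER_AVC msg=audit(05/07/2020 15:17:28.908:948) : pid=669 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=3)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_denial(line):
    """Return (source type, target type, class, perms) or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # An SELinux context is user:role:type[:level]; the type is the third field.
    stype = m["scon"].split(":")[2]
    ttype = m["tcon"].split(":")[2]
    return stype, ttype, m["tclass"], tuple(m["perms"].split())


def unexpected_messages(log):
    """AVC/USER_AVC records that no ignore pattern covers."""
    return [
        line for line in log.splitlines()
        if re.match(r"type=(USER_)?AVC\b", line)
        and not any(re.search(p, line) for p in IGNORE_PATTERNS)
    ]


def allow_rules(lines):
    """Collapse denials into deduplicated allow rules, using 'self' when source == target."""
    merged = {}
    for line in lines:
        denial = parse_denial(line)
        if denial is None:
            continue
        stype, ttype, tclass, perms = denial
        target = "self" if stype == ttype else ttype
        merged.setdefault((stype, target, tclass), set()).update(perms)
    rules = []
    for (stype, target, tclass), perms in sorted(merged.items()):
        names = sorted(perms)
        perm_str = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    print("Rules for every denial:", *allow_rules(SAMPLE_LOG.splitlines()), sep="\n  ")
    print("Rules for unexpected denials only:", *allow_rules(unexpected_messages(SAMPLE_LOG)), sep="\n  ")
```

Every denial taken together yields the four rules listed in Comment 3; restricting the input to the unexpected messages leaves only the netutils_t rule that Comment 6 settles on.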

Comment 7 Zdenek Pytela 2020-05-13 10:13:30 UTC
I've submitted a Fedora PR to address the issue:

https://github.com/fedora-selinux/selinux-policy/pull/354

Comment 20 errata-xmlrpc 2020-11-04 01:56:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4528

Comment 21 Zdenek Pytela 2021-01-07 19:45:04 UTC
*** Bug 1844530 has been marked as a duplicate of this bug. ***