Description of problem:
The ping command causes AVC on f33 when running smoke test for ppp in beaker.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.6-14.fc33.noarch

How reproducible:
Always

Steps to Reproduce:
1. Schedule CoreOS/ppp/Sanity/smoke-test test for f33
2.
3.

Actual results:
type=AVC msg=audit(1592310900.382:162): avc: denied { node_bind } for pid=2726 comm="ping" saddr=192.168.10.1 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=1

Expected results:
No AVC

Additional info:
The command triggering it: ping -c1 -W5 "192.168.10.2"
The following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(06/22/2020 03:06:19.936:333) : proctitle=ping -c1 -W5 -I 192.168.10.1 192.168.10.2
type=SOCKADDR msg=audit(06/22/2020 03:06:19.936:333) : saddr={ saddr_fam=inet laddr=192.168.10.1 lport=0 }
type=SYSCALL msg=audit(06/22/2020 03:06:19.936:333) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x3 a1=0x557e6b682020 a2=0x10 a3=0x7f7b9ad74ac0 items=0 ppid=1848 pid=2317 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=ping exe=/usr/bin/ping subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/22/2020 03:06:19.936:333) : avc: denied { node_bind } for pid=2317 comm=ping saddr=192.168.10.1 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=0
----
But the SELinux denial appears after adding a network namespace via 'ip netns add net0' in the automated TC. The SELinux denial does not appear after removing the network namespace via 'ip netns del net0'.
The following SELinux denial appeared in permissive mode:
----
type=PROCTITLE msg=audit(06/22/2020 03:11:14.364:350) : proctitle=ping -c1 -W5 -I 192.168.10.1 192.168.10.2
type=SOCKADDR msg=audit(06/22/2020 03:11:14.364:350) : saddr={ saddr_fam=inet laddr=192.168.10.1 lport=0 }
type=SYSCALL msg=audit(06/22/2020 03:11:14.364:350) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x5599f5321020 a2=0x10 a3=0x7f437ccecac0 items=0 ppid=2637 pid=3107 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=ping exe=/usr/bin/ping subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/22/2020 03:11:14.364:350) : avc: denied { node_bind } for pid=3107 comm=ping saddr=192.168.10.1 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=1
----
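The enforcing-mode and permissive-mode events above differ only in the `permissive=` flag of the AVC record and the `success=`/`exit=` fields of the matching SYSCALL record, which is exactly what a triager has to correlate by audit serial number before deciding whether a denial actually broke anything. The following Python is an added example, not code from this bug report or from the selinux-policy project: it parses the audit records pasted in this bug (both the raw `msg=audit(1592310900.382:162):` form from the description and the `ausearch -i` style with interpreted timestamps), groups them by serial, and summarises each denial with the audit2allow-style statement it would correspond to. The sample input is a constructed concatenation of lines copied from the bug; the parser and its field handling are assumptions of this example, not a description of how the policy fix in PR 403 was written.

```python
"""Correlate Linux audit records by serial and summarise SELinux AVC denials.

Added example (not part of the bug report or of selinux-policy). Input is the
audit "type=... msg=audit(...) : key=value ..." format as printed by auditd
or by `ausearch -i`; the sample below is constructed from lines in this bug.
"""
import re
from collections import defaultdict

# Constructed sample: the raw AVC from the bug description (serial 162) plus the
# enforcing (serial 333) and permissive (serial 350) events from the comments.
SAMPLE = """\
type=AVC msg=audit(1592310900.382:162): avc: denied { node_bind } for pid=2726 comm="ping" saddr=192.168.10.1 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=1
type=PROCTITLE msg=audit(06/22/2020 03:06:19.936:333) : proctitle=ping -c1 -W5 -I 192.168.10.1 192.168.10.2
type=SOCKADDR msg=audit(06/22/2020 03:06:19.936:333) : saddr={ saddr_fam=inet laddr=192.168.10.1 lport=0 }
type=SYSCALL msg=audit(06/22/2020 03:06:19.936:333) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x3 a1=0x557e6b682020 a2=0x10 a3=0x7f7b9ad74ac0 items=0 ppid=1848 pid=2317 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=ping exe=/usr/bin/ping subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/22/2020 03:06:19.936:333) : avc: denied { node_bind } for pid=2317 comm=ping saddr=192.168.10.1 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=0
type=SYSCALL msg=audit(06/22/2020 03:11:14.364:350) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x5599f5321020 a2=0x10 a3=0x7f437ccecac0 items=0 ppid=2637 pid=3107 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=ping exe=/usr/bin/ping subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/22/2020 03:11:14.364:350) : avc: denied { node_bind } for pid=3107 comm=ping saddr=192.168.10.1 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=icmp_socket permissive=1
"""

# One audit record: "type=<TYPE> msg=audit(<stamp>:<serial>)<optional space>: <body>"
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<stamp>[^)]*)\)\s*:\s*(?P<body>.*)$")
# AVC body: "avc: denied { perm1 perm2 } for key=value ..."
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value pairs; values may be quoted, braced (saddr={ ... }) or carry a
# parenthesised suffix such as exit=EACCES(Permission denied).
KV_RE = re.compile(r'(\w+)=(\S+\([^)]*\)|"[^"]*"|\{[^}]*\}|\S+)')


def parse_kv(text):
    """Turn 'k1=v1 k2="v 2" ...' into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_records(text):
    """Group audit records by serial (the number after the last ':' in msg=audit(...))."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        serial = m.group("stamp").rsplit(":", 1)[-1]
        rtype, body = m.group("type"), m.group("body")
        if rtype == "PROCTITLE":
            # proctitle contains spaces; take everything after the key
            fields = {"proctitle": body.partition("proctitle=")[2]}
        elif rtype == "AVC":
            a = AVC_RE.search(body)
            if not a:
                continue
            fields = parse_kv(a.group("rest"))
            fields["result"] = a.group("result")
            fields["perms"] = a.group("perms").split()
        else:
            fields = parse_kv(body)
        events[serial][rtype] = fields
    return events


def type_of(context):
    """Contexts look like user:role:type:range; the SELinux type is the third field."""
    return context.split(":")[2]


def summarise(events):
    """One summary dict per denied AVC, joined with its SYSCALL/PROCTITLE records."""
    out = []
    for serial, recs in sorted(events.items()):
        avc = recs.get("AVC")
        if not avc or avc["result"] != "denied":
            continue
        sysc = recs.get("SYSCALL", {})
        stype, ttype = type_of(avc["scontext"]), type_of(avc["tcontext"])
        perms = avc["perms"]
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append({
            "serial": serial,
            "comm": avc.get("comm"),
            "pid": avc.get("pid"),
            "perms": perms,
            "tclass": avc["tclass"],
            "stype": stype,
            "ttype": ttype,
            # permissive=0 means the kernel actually refused the operation
            "enforcing": avc.get("permissive") == "0",
            "syscall": sysc.get("syscall"),
            "success": sysc.get("success"),
            "proctitle": recs.get("PROCTITLE", {}).get("proctitle"),
            # audit2allow-style statement that would grant exactly this access
            "rule": f"allow {stype} {ttype}:{avc['tclass']} {perm_str};",
        })
    return out


if __name__ == "__main__":
    for s in summarise(parse_records(SAMPLE)):
        mode = "ENFORCED" if s["enforcing"] else "permissive"
        print(f"[{s['serial']}] {mode} {s['comm']} pid={s['pid']} "
              f"syscall={s['syscall']} success={s['success']} -> {s['rule']}")
```

Running it prints one line per event; the serial-333 entry is the only one marked ENFORCED with `success=no`, which is the case that broke the test, while 162 and 350 are logged-only. The generated `allow unconfined_t node_t:icmp_socket node_bind;` is the raw access the denial asks for; a policy fix would normally express it through the existing interface macros rather than a bare rule, which is something to check against the merged PR rather than assume.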
*** Bug 1852444 has been marked as a duplicate of this bug. ***
PR: https://github.com/fedora-selinux/selinux-policy/pull/403
This bug appears to have been reported against 'rawhide' during the Fedora 33 development cycle. Changing version to 33.
Merged. Backporting also to F31 and F32.
FEDORA-2020-8f3381648b has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-8f3381648b
FEDORA-2020-8f3381648b has been pushed to the Fedora 33 testing repository. In a short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-8f3381648b` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-8f3381648b See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-8f3381648b has been pushed to the Fedora 33 stable repository. If the problem still persists, please make note of it in this bug report.
*** Bug 1803759 has been marked as a duplicate of this bug. ***