Bug 188104 - netdump traceroute is denied by selinux
Summary: netdump traceroute is denied by selinux
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: i386 Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
Reported: 2006-04-06 01:52 UTC by Chaskiel Grundman
Modified: 2007-11-30 22:11 UTC

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-03-28 20:05:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Chaskiel Grundman 2006-04-06 01:52:21 UTC
Description of problem:
the netdump script's attempt to traceroute to the netdump server fails when
selinux enforcing mode is enabled.

Version-Release number of selected component (if applicable):

How reproducible:
always. This only causes netdump to fail if netdump server is not on the same
subnet as client (since the netdump script falls back to the assumption that
they are on the same subnet)

Steps to Reproduce:
1. enable netdump
2. netdump configuration is:
Actual results:
netdump script displays

cannot traceroute to XXX.XXX.XXX.XXX on interface eth0

and selinux logs:

audit(1144286449.407:2): avc:  denied  { use } for  pid=1582 comm="traceroute"
name="console" dev=tmpfs ino=649 scontext=system_u:system_r:traceroute_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=fd
audit(1144286449.411:3): avc:  denied  { name_bind } for  pid=1582
comm="traceroute" src=64000 scontext=system_u:system_r:traceroute_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

Expected results:

Additional info:
Other relevant packages:


Comment 2 Daniel Walsh 2006-05-09 17:26:52 UTC
Why is traceroute trying to name_bind on port 64000?

Comment 3 Chaskiel Grundman 2006-05-09 18:03:08 UTC
(In reply to comment #2)
> Why is traceroute trying to name_bind on port 64000?

How am I supposed to answer this? traceroute-1.0.4 does use a non-anonymous bind
on its main udp socket. I don't know what purpose it serves.

Comment 4 Daniel Walsh 2006-05-09 21:30:31 UTC
Now you know my pain.   :^)

Ok, I looked at the code and it wants to bind to ports starting at 64000.  So I
am updating rawhide with this fix and it will be in FC5 next week.

fixed in selinux-policy-2.2.38-2
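
As an added example (not part of this bug report or of the selinux-policy package), a small Python parser for the two AVC records quoted in the description that pulls out what the fix in comment 4 needed: the source domain, target type, object class, permission and the bound port (64000). The allow-rule text it builds is the raw TE rule audit2allow prints for such a record; the triage notes (dontaudit for the inherited console fd, a port label or generic-port bind for port_t) are my assumptions about how a policy author would usually treat each pattern, not the actual change made in selinux-policy-2.2.38-2.

```python
import re

# Constructed from the two AVC records quoted in this bug, kept with the
# same line wrapping they have in the report so the joiner below is exercised.
AVC_LOG = """\
audit(1144286449.407:2): avc:  denied  { use } for  pid=1582 comm="traceroute"
name="console" dev=tmpfs ino=649 scontext=system_u:system_r:traceroute_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=fd
audit(1144286449.411:3): avc:  denied  { name_bind } for  pid=1582
comm="traceroute" src=64000 scontext=system_u:system_r:traceroute_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_records(text):
    """Re-join wrapped lines: every record starts with 'audit(' at column 0."""
    records = []
    for line in text.splitlines():
        if line.startswith("audit(") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(record):
    """Return the permissions, the key=value fields and the source/target
    *types* (third field of each context) of one record, or None."""
    m = AVC_RE.search(record)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def suggest_rule(rec):
    """Raw TE allow rule in the shape audit2allow prints for this record."""
    perms = rec["perms"][0] if len(rec["perms"]) == 1 else "{ %s }" % " ".join(rec["perms"])
    return "allow %s %s:%s %s;" % (rec["stype"], rec["ttype"], rec["tclass"], perms)


def triage(text):
    """Parse every record and attach a note for the two patterns in this bug
    (assumed reviewer practice, not the policy change actually shipped)."""
    out = []
    for rec in map(parse_avc, split_records(text)):
        if rec is None:
            continue
        note = ""
        if rec["tclass"] == "fd" and "use" in rec["perms"]:
            note = "inherited descriptor from %s; usually dontaudit, not allow" % rec["ttype"]
        elif rec["ttype"] == "port_t" and "name_bind" in rec["perms"]:
            note = "port %s carries only the generic port_t label" % rec.get("src", "?")
        out.append({"pid": rec.get("pid"), "rule": suggest_rule(rec), "note": note})
    return out


if __name__ == "__main__":
    for item in triage(AVC_LOG):
        print(item["rule"], "#", item["note"])
```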

Comment 5 Daniel Walsh 2007-03-28 20:05:34 UTC
Closing bugs
