Bug 1942872 - SELinux prevents arpwatch from creating netlink generic sockets
Summary: SELinux prevents arpwatch from creating netlink generic sockets
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 34
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-03-25 09:04 UTC by Milos Malik
Modified: 2021-03-29 00:17 UTC

Fixed In Version: selinux-policy-3.14.7-28.fc34
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-29 00:17:11 UTC
Type: Bug
Embargoed:



Description Milos Malik 2021-03-25 09:04:18 UTC
Description of problem:

Version-Release number of selected component (if applicable):
arpwatch-3.1-9.fc34.x86_64
selinux-policy-3.14.7-24.fc34.noarch
selinux-policy-targeted-3.14.7-24.fc34.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 34 machine (targeted policy is active)
2. start the arpwatch service
3. search for SELinux denials

Actual results (enforcing mode):
----
type=PROCTITLE msg=audit(03/25/2021 04:58:37.585:468) : proctitle=/usr/sbin/arpwatch -u arpwatch -F -C 
type=SYSCALL msg=audit(03/25/2021 04:58:37.585:468) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=chaos a3=0x20 items=0 ppid=1 pid=8387 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=arpwatch exe=/usr/sbin/arpwatch subj=system_u:system_r:arpwatch_t:s0 key=(null) 
type=AVC msg=audit(03/25/2021 04:58:37.585:468) : avc:  denied  { create } for  pid=8387 comm=arpwatch scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:system_r:arpwatch_t:s0 tclass=netlink_generic_socket permissive=0 
----
type=PROCTITLE msg=audit(03/25/2021 04:58:38.626:470) : proctitle=/usr/sbin/arpwatch -u arpwatch -F -C 
type=PATH msg=audit(03/25/2021 04:58:38.626:470) : item=0 name=/sys/fs/cgroup/cgroup.events nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/25/2021 04:58:38.626:470) : cwd=/var/lib/arpwatch 
type=SYSCALL msg=audit(03/25/2021 04:58:38.626:470) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7f0fbac353d6 a1=F_OK a2=0x7f0fbb736160 a3=0xffffffff items=1 ppid=1 pid=8387 auid=unset uid=arpwatch gid=arpwatch euid=arpwatch suid=arpwatch fsuid=arpwatch egid=arpwatch sgid=arpwatch fsgid=arpwatch tty=(none) ses=unset comm=arpwatch exe=/usr/sbin/arpwatch subj=system_u:system_r:arpwatch_t:s0 key=(null) 
type=AVC msg=audit(03/25/2021 04:58:38.626:470) : avc:  denied  { search } for  pid=8387 comm=arpwatch name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0 
----

Expected results:
 * no SELinux denials

Comment 1 Milos Malik 2021-03-25 09:06:29 UTC
Caught in permissive mode:
----
type=PROCTITLE msg=audit(03/25/2021 05:05:33.539:477) : proctitle=/usr/sbin/arpwatch -u arpwatch -F -C 
type=SYSCALL msg=audit(03/25/2021 05:05:33.539:477) : arch=x86_64 syscall=socket success=yes exit=3 a0=netlink a1=SOCK_RAW a2=chaos a3=0x561ec5888830 items=0 ppid=1 pid=61027 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=arpwatch exe=/usr/sbin/arpwatch subj=system_u:system_r:arpwatch_t:s0 key=(null) 
type=AVC msg=audit(03/25/2021 05:05:33.539:477) : avc:  denied  { create } for  pid=61027 comm=arpwatch scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:system_r:arpwatch_t:s0 tclass=netlink_generic_socket permissive=1 
----
type=PROCTITLE msg=audit(03/25/2021 05:05:33.540:478) : proctitle=/usr/sbin/arpwatch -u arpwatch -F -C 
type=SYSCALL msg=audit(03/25/2021 05:05:33.540:478) : arch=x86_64 syscall=ioctl success=no exit=ENODEV(No such device) a0=0x3 a1=SIOCGIFNAME a2=0x7fff0226dfc0 a3=0x561ec5888830 items=0 ppid=1 pid=61027 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=arpwatch exe=/usr/sbin/arpwatch subj=system_u:system_r:arpwatch_t:s0 key=(null) 
type=AVC msg=audit(03/25/2021 05:05:33.540:478) : avc:  denied  { ioctl } for  pid=61027 comm=arpwatch path=socket:[68487] dev="sockfs" ino=68487 ioctlcmd=SIOCGIFNAME scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:system_r:arpwatch_t:s0 tclass=netlink_generic_socket permissive=1 
----
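
Added example, not part of the bug report and not code from arpwatch or selinux-policy: a small parser for the `ausearch -i` records quoted above that groups SYSCALL and AVC records by audit serial, cross-checks the socket() arguments against the AVC object class, and emits audit2allow-style rules. The cross-check matters because `ausearch -i` decodes the third socket() argument with IP protocol names, so for an AF_NETLINK socket the printed `a2=chaos` is just protocol number 16 (CHAOS in /etc/protocols), which as a netlink family is NETLINK_GENERIC; that is consistent with `tclass=netlink_generic_socket`. The example also marks denials where, in permissive mode, the syscall still failed with a non-permission errno (the SIOCGIFNAME ioctl returning ENODEV), since such an operation would fail with or without the AVC and is a weaker argument for an allow rule than the EACCES on socket(). The sample input is the bug's own records with the uid/gid fields dropped; the protocol-name and netlink-family tables are partial and the /etc/protocols mapping is assumed to be the stock one.

```python
"""Parse ausearch -i SYSCALL/AVC records, cross-check netlink socket() calls
against the AVC class, and emit audit2allow-style rules (added example)."""
import re
from collections import defaultdict

# Constructed input: the records from comment 0 and comment 1 of this bug,
# abridged (uid/gid fields dropped); every field used below is unchanged.
SAMPLE_LOG = r"""
type=SYSCALL msg=audit(03/25/2021 04:58:37.585:468) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=chaos a3=0x20 items=0 ppid=1 pid=8387 comm=arpwatch exe=/usr/sbin/arpwatch subj=system_u:system_r:arpwatch_t:s0 key=(null)
type=AVC msg=audit(03/25/2021 04:58:37.585:468) : avc:  denied  { create } for  pid=8387 comm=arpwatch scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:system_r:arpwatch_t:s0 tclass=netlink_generic_socket permissive=0
type=SYSCALL msg=audit(03/25/2021 04:58:38.626:470) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7f0fbac353d6 a1=F_OK a2=0x7f0fbb736160 a3=0xffffffff items=1 ppid=1 pid=8387 comm=arpwatch exe=/usr/sbin/arpwatch subj=system_u:system_r:arpwatch_t:s0 key=(null)
type=AVC msg=audit(03/25/2021 04:58:38.626:470) : avc:  denied  { search } for  pid=8387 comm=arpwatch name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(03/25/2021 05:05:33.539:477) : arch=x86_64 syscall=socket success=yes exit=3 a0=netlink a1=SOCK_RAW a2=chaos a3=0x561ec5888830 items=0 ppid=1 pid=61027 comm=arpwatch exe=/usr/sbin/arpwatch subj=system_u:system_r:arpwatch_t:s0 key=(null)
type=AVC msg=audit(03/25/2021 05:05:33.539:477) : avc:  denied  { create } for  pid=61027 comm=arpwatch scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:system_r:arpwatch_t:s0 tclass=netlink_generic_socket permissive=1
type=SYSCALL msg=audit(03/25/2021 05:05:33.540:478) : arch=x86_64 syscall=ioctl success=no exit=ENODEV(No such device) a0=0x3 a1=SIOCGIFNAME a2=0x7fff0226dfc0 a3=0x561ec5888830 items=0 ppid=1 pid=61027 comm=arpwatch exe=/usr/sbin/arpwatch subj=system_u:system_r:arpwatch_t:s0 key=(null)
type=AVC msg=audit(03/25/2021 05:05:33.540:478) : avc:  denied  { ioctl } for  pid=61027 comm=arpwatch path=socket:[68487] dev="sockfs" ino=68487 ioctlcmd=SIOCGIFNAME scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:system_r:arpwatch_t:s0 tclass=netlink_generic_socket permissive=1
"""

# Audit event serial: the number after the last ':' inside audit(...); all
# records of one syscall share it.
SERIAL_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")
# key=value pairs; a value may be quoted or carry a parenthesised suffix that
# contains spaces, e.g. exit=EACCES(Permission denied) or key=(null).
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^\s(]*(?:\([^)]*\))?)')
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")

# ausearch -i prints socket()'s third argument using IP protocol names, so for
# AF_NETLINK the label is the /etc/protocols name of the netlink family number.
# Both tables are partial (assumption: stock /etc/protocols numbering).
PROTO_NAME_TO_NUM = {"ip": 0, "icmp": 1, "tcp": 6, "chaos": 16, "udp": 17}
NETLINK_FAMILY_TO_CLASS = {
    0: "netlink_route_socket",
    4: "netlink_tcpdiag_socket",
    7: "netlink_selinux_socket",
    9: "netlink_audit_socket",
    15: "netlink_kobject_uevent_socket",
    16: "netlink_generic_socket",
}


def parse_events(text):
    """Group records by serial: {serial: {"SYSCALL": fields or None, "AVC": [fields]}}."""
    events = defaultdict(lambda: {"SYSCALL": None, "AVC": []})
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") == "AVC":
            fields["perms"] = set(PERMS_RE.search(line).group(1).split())
            events[m.group(1)]["AVC"].append(fields)
        elif fields.get("type") == "SYSCALL":
            events[m.group(1)]["SYSCALL"] = fields
    return dict(events)


def type_of(context):
    """system_u:system_r:arpwatch_t:s0 -> arpwatch_t"""
    return context.split(":")[2]


def expected_netlink_class(syscall):
    """SELinux class a socket(AF_NETLINK, ..., family) call should produce, or
    None when the record is not a netlink socket() call. Unknown families map
    to the generic netlink_socket class, as the kernel does."""
    if not syscall or syscall.get("syscall") != "socket" or syscall.get("a0") != "netlink":
        return None
    num = PROTO_NAME_TO_NUM.get(syscall.get("a2", ""))
    if num is None:
        try:
            num = int(syscall.get("a2", ""), 0)  # unnamed protocols are printed numerically
        except ValueError:
            return None
    return NETLINK_FAMILY_TO_CLASS.get(num, "netlink_socket")


def summarize(events):
    """One row per AVC record: class/perms, enforcing or permissive, how the
    syscall ended, whether the class agrees with the socket() arguments, and
    whether (permissive only) the syscall failed for a non-permission reason."""
    rows = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        sc = ev["SYSCALL"] or {}
        errno = sc.get("exit", "?").split("(")[0]
        expected = expected_netlink_class(sc)
        for avc in ev["AVC"]:
            permissive = avc.get("permissive") == "1"
            rows.append({
                "serial": serial,
                "syscall": sc.get("syscall"),
                "class": avc["tclass"],
                "perms": avc["perms"],
                "permissive": permissive,
                "exit": errno,
                "class_matches_syscall": expected is None or expected == avc["tclass"],
                "failed_anyway": permissive and sc.get("success") == "no"
                and errno not in ("EACCES", "EPERM"),
            })
    return rows


def allow_rules(events):
    """audit2allow-style grouping: (source type, target type or 'self', class) -> perms."""
    rules = defaultdict(set)
    for ev in events.values():
        for avc in ev["AVC"]:
            src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
            rules[(src, "self" if src == tgt else tgt, avc["tclass"])] |= avc["perms"]
    return dict(rules)


def format_rules(rules):
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for row in summarize(ev):
        print(row)
    print("\n".join(format_rules(allow_rules(ev))))
```

Run as-is it prints four rows (serials 468, 470, 477, 478) and two rules, one of them `allow arpwatch_t self:netlink_generic_socket { create ioctl };`. The generated rules are a starting point for reading the denials, not a recommendation to ship a local module: the cgroup search that Zdenek could not reproduce and the ioctl that failed with ENODEV regardless of SELinux are exactly the kind of entries a reviewer should question before widening the policy.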

Comment 3 Zdenek Pytela 2021-03-25 10:53:23 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/661

I was unable to reproduce the cgroup search though, neither in permissive nor enforcing modes.

Comment 4 Zdenek Pytela 2021-03-25 21:34:02 UTC
Merged in rawhide.

Comment 6 Fedora Update System 2021-03-26 14:55:25 UTC
FEDORA-2021-15b81d905c has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-15b81d905c

Comment 7 Fedora Update System 2021-03-27 02:01:18 UTC
FEDORA-2021-15b81d905c has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-15b81d905c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-15b81d905c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2021-03-29 00:17:11 UTC
FEDORA-2021-15b81d905c has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

