Bug 2189184 - SELinux is preventing in.telnetd from 'search' accesses on the directory net.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: x86_64
OS: Linux
Priority: medium
Severity: unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:db720b119f9cae5c327322d8f54...
Depends On:
Blocks:
Reported: 2023-04-24 11:18 UTC by Thomas Köller
Modified: 2023-04-28 02:36 UTC (History)

Fixed In Version: selinux-policy-38.12-1.fc38
Clone Of:
Environment:
Last Closed: 2023-04-28 02:36:42 UTC
Type: ---
Embargoed:


Attachments
File: description (1.88 KB, text/plain)
2023-04-24 11:18 UTC, Thomas Köller
File: os_info (667 bytes, text/plain)
2023-04-24 11:18 UTC, Thomas Köller


Links
Github fedora-selinux selinux-policy pull 1657 (status: open): "Allow telnetd read network sysctls", last updated 2023-04-25 09:31:09 UTC

Description Thomas Köller 2023-04-24 11:18:18 UTC
Description of problem:
Log in from remote via telnet
SELinux is preventing in.telnetd from 'search' accesses on the directory net.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that in.telnetd should be allowed search access on the net directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'in.telnetd' --raw | audit2allow -M my-intelnetd
# semodule -X 300 -i my-intelnetd.pp

Additional Information:
Source Context                system_u:system_r:telnetd_t:s0
Target Context                system_u:object_r:sysctl_net_t:s0
Target Objects                net [ dir ]
Source                        in.telnetd
Source Path                   in.telnetd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.11-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.11-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.2.11-300.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Apr 13 20:27:09 UTC 2023
                              x86_64
Alert Count                   6
First Seen                    2022-11-23 18:44:16 CET
Last Seen                     2023-04-24 13:07:39 CEST
Local ID                      4982f56b-a9fc-4d70-a500-bfb4cb40c77e

Raw Audit Messages
type=AVC msg=audit(1682334459.949:7376): avc:  denied  { search } for  pid=29294 comm="in.telnetd" name="net" dev="proc" ino=22653 scontext=system_u:system_r:telnetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0


Hash: in.telnetd,telnetd_t,sysctl_net_t,dir,search

Version-Release number of selected component:
selinux-policy-targeted-38.11-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.9
reason:         SELinux is preventing in.telnetd from 'search' accesses on the directory net.
package:        selinux-policy-targeted-38.11-1.fc38.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.2.11-300.fc38.x86_64
comment:        Log in from remote via telent
component:      selinux-policy

Comment 1 Thomas Köller 2023-04-24 11:18:20 UTC
Created attachment 1959511 [details]
File: description

Comment 2 Thomas Köller 2023-04-24 11:18:22 UTC
Created attachment 1959512 [details]
File: os_info

Comment 3 Milos Malik 2023-04-24 13:30:31 UTC
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(04/24/2023 09:28:33.785:919) : proctitle=/usr/sbin/in.telnetd 
type=PATH msg=audit(04/24/2023 09:28:33.785:919) : item=0 name=/proc/sys/net/ipv6/conf/all/disable_ipv6 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(04/24/2023 09:28:33.785:919) : cwd=/ 
type=SYSCALL msg=audit(04/24/2023 09:28:33.785:919) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffc65020440 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=7334 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=in.telnetd exe=/usr/sbin/in.telnetd subj=system_u:system_r:telnetd_t:s0 key=(null) 
type=AVC msg=audit(04/24/2023 09:28:33.785:919) : avc:  denied  { search } for  pid=7334 comm=in.telnetd name=net dev="proc" ino=14581 scontext=system_u:system_r:telnetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0 
----

# rpm -qa selinux\* telnet\* | sort
selinux-policy-38.11-1.fc39.noarch
selinux-policy-devel-38.11-1.fc39.noarch
selinux-policy-targeted-38.11-1.fc39.noarch
telnet-0.17-88.fc38.x86_64
telnet-server-0.17-88.fc38.x86_64
#

Comment 4 Milos Malik 2023-04-24 13:34:05 UTC
Caught in permissive mode:
----
type=PROCTITLE msg=audit(04/24/2023 09:32:14.977:1277) : proctitle=/usr/sbin/in.telnetd 
type=PATH msg=audit(04/24/2023 09:32:14.977:1277) : item=0 name=/proc/sys/net/ipv6/conf/all/disable_ipv6 inode=47317 dev=00:14 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(04/24/2023 09:32:14.977:1277) : cwd=/ 
type=SYSCALL msg=audit(04/24/2023 09:32:14.977:1277) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x7ffe9fac35e0 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=12628 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=in.telnetd exe=/usr/sbin/in.telnetd subj=system_u:system_r:telnetd_t:s0 key=(null) 
type=AVC msg=audit(04/24/2023 09:32:14.977:1277) : avc:  denied  { open } for  pid=12628 comm=in.telnetd path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=47317 scontext=system_u:system_r:telnetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1 
type=AVC msg=audit(04/24/2023 09:32:14.977:1277) : avc:  denied  { read } for  pid=12628 comm=in.telnetd name=disable_ipv6 dev="proc" ino=47317 scontext=system_u:system_r:telnetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1 
type=AVC msg=audit(04/24/2023 09:32:14.977:1277) : avc:  denied  { search } for  pid=12628 comm=in.telnetd name=net dev="proc" ino=14581 scontext=system_u:system_r:telnetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(04/24/2023 09:32:14.977:1278) : proctitle=/usr/sbin/in.telnetd 
type=PATH msg=audit(04/24/2023 09:32:14.977:1278) : item=0 name= inode=47317 dev=00:14 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(04/24/2023 09:32:14.977:1278) : cwd=/ 
type=SYSCALL msg=audit(04/24/2023 09:32:14.977:1278) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0x5 a1=0x7f726139eb8e a2=0x7ffe9fac3640 a3=0x1000 items=1 ppid=1 pid=12628 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=in.telnetd exe=/usr/sbin/in.telnetd subj=system_u:system_r:telnetd_t:s0 key=(null) 
type=AVC msg=audit(04/24/2023 09:32:14.977:1278) : avc:  denied  { getattr } for  pid=12628 comm=in.telnetd path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=47317 scontext=system_u:system_r:telnetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1 
----

Tested on 1MT-Fedora-Rawhide.
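As an added example (not part of this bug report or of selinux-policy), a small Python parser that groups the AVC records quoted above by source type, target type and object class, correlates them with the PATH record of the same audit event, and renders each group in audit2allow's rule notation. It shows that the `search` denial on the `net` directory and the `read`/`open`/`getattr` denials on `disable_ipv6` are one access pattern (telnetd_t reading network sysctls), and that only the `search` denial was ever hit in enforcing mode. The sample records are abridged from comments 3 and 4.

```python
import re
from collections import defaultdict

# Constructed sample: audit records abridged from comments 3 and 4 of this bug
# (enforcing event 919, permissive events 1277 and 1278).
SAMPLE_AUDIT = """\
type=PATH msg=audit(04/24/2023 09:28:33.785:919) : item=0 name=/proc/sys/net/ipv6/conf/all/disable_ipv6 nametype=UNKNOWN
type=AVC msg=audit(04/24/2023 09:28:33.785:919) : avc:  denied  { search } for  pid=7334 comm=in.telnetd name=net dev="proc" ino=14581 scontext=system_u:system_r:telnetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
type=PATH msg=audit(04/24/2023 09:32:14.977:1277) : item=0 name=/proc/sys/net/ipv6/conf/all/disable_ipv6 inode=47317 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL
type=AVC msg=audit(04/24/2023 09:32:14.977:1277) : avc:  denied  { open } for  pid=12628 comm=in.telnetd path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=47317 scontext=system_u:system_r:telnetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/24/2023 09:32:14.977:1277) : avc:  denied  { read } for  pid=12628 comm=in.telnetd name=disable_ipv6 dev="proc" ino=47317 scontext=system_u:system_r:telnetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/24/2023 09:32:14.977:1277) : avc:  denied  { search } for  pid=12628 comm=in.telnetd name=net dev="proc" ino=14581 scontext=system_u:system_r:telnetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
type=PATH msg=audit(04/24/2023 09:32:14.977:1278) : item=0 name= inode=47317 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL
type=AVC msg=audit(04/24/2023 09:32:14.977:1278) : avc:  denied  { getattr } for  pid=12628 comm=in.telnetd path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=47317 scontext=system_u:system_r:telnetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
"""

EVENT = r'msg=audit\([^)]*:(?P<ev>\d+)\)'   # the event serial ties PATH records to AVC records
AVC_RE = re.compile(r'type=AVC ' + EVENT + r'\s*:\s*avc:\s+denied\s+\{ (?P<perms>[^}]+) \} .*?'
                    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
                    r'(?: permissive=(?P<mode>[01]))?')
PATH_RE = re.compile(r'type=PATH ' + EVENT + r' .*? name=(?P<name>\S+)')  # an empty name= is skipped

def type_of(context):
    """system_u:object_r:sysctl_net_t:s0 -> sysctl_net_t (the type is the third field)."""
    return context.split(':')[2]

def summarize_denials(audit_text):
    """Group denied permissions by (source type, target type, object class),
    attaching the path each denied syscall was resolving and whether it was enforced."""
    names_by_event = defaultdict(set)
    for m in PATH_RE.finditer(audit_text):
        names_by_event[m['ev']].add(m['name'])
    groups = {}
    for m in AVC_RE.finditer(audit_text):
        key = (type_of(m['scon']), type_of(m['tcon']), m['tclass'])
        g = groups.setdefault(key, {'perms': set(), 'paths': set(), 'enforced': False})
        g['perms'].update(m['perms'].split())
        g['paths'].update(names_by_event.get(m['ev'], ()))
        g['enforced'] |= m['mode'] == '0'   # permissive=0: the access was actually blocked
    return groups

def allow_rules(groups):
    """Render each group in audit2allow's notation, one rule per (source, target, class)."""
    rules = []
    for (s, t, c), g in sorted(groups.items()):
        perms = sorted(g['perms'])
        rendered = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {s} {t}:{c} {rendered};')
    return rules
```

`allow_rules(summarize_denials(SAMPLE_AUDIT))` yields `allow telnetd_t sysctl_net_t:dir search;` and `allow telnetd_t sysctl_net_t:file { getattr open read };`, which is the shape of the access the upstream pull request grants; the `paths` set of each group shows the single sysctl file behind both rules.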

Comment 5 Fedora Update System 2023-04-26 12:57:33 UTC
FEDORA-2023-21649bd3fe has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-21649bd3fe

Comment 6 Fedora Update System 2023-04-27 02:29:49 UTC
FEDORA-2023-21649bd3fe has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-21649bd3fe`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-21649bd3fe

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2023-04-28 02:36:42 UTC
FEDORA-2023-21649bd3fe has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.
