Bug 219739 - SELinux is preventing /usr/sbin/irqbalance (irqbalance_t) access to net (proc_net_t)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2006-12-14 21:43 EST by Gerry Reno
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 10:12:09 EDT
Attachments: None

Description Gerry Reno 2006-12-14 21:43:07 EST
Description of problem:
setroubleshoot alerts:
SELinux is preventing /usr/sbin/irqbalance (irqbalance_t) access to net (proc_net_t)

This just started happening.  I have no clue what caused it to start.  The only
thing I did today was install about 24 packages that it was requesting me to
install.


Version-Release number of selected component (if applicable):
I'm not even sure what component is the problem, selinux or irqbalance:
selinux-policy-2.4.6-7.fc6
irqbalance-0.55-2.fc6

How reproducible:
every login every user


Steps to Reproduce:
1. login
2.
3.
  
Actual results:


Expected results:
no avc violation

Additional info:
Comment 1 Piergiorgio Sartor 2006-12-15 14:23:34 EST
I can confirm this one; it also happens to me, since the last selinux update.
This is an extract from /var/log/messages, with grep irqbalance and audit.
Please note the embedded comments below.

Start of the PC after upgrading selinux stuff:

Dec 15 09:29:33 rain2 kernel: audit(1166171360.001:4): avc:  denied  { search }
for  pid=2003 comm="irqbalance" name="net" dev=proc ino=-268435432
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
Dec 15 09:29:34 rain2 kernel: audit(1166171369.555:5): avc:  denied  { search }
for  pid=2003 comm="irqbalance" name="net" dev=proc ino=-268435432
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
Dec 15 09:29:39 rain2 kernel: audit(1166171379.001:6): avc:  denied  { search }
for  pid=2003 comm="irqbalance" name="net" dev=proc ino=-268435432
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
...

and so on, I have more, but I think this is enough.

Tried to set the /usr/sbin/irqbalance context to unconfined_t, as a result of some research.
Stopped irqbalance and then ran chcon -t ...

Dec 15 09:43:21 rain2 kernel: audit(1166172201.454:19): avc:  denied  {
relabelto } for  pid=3128 comm="chcon" name="irqbalance" dev=dm-0 ino=3746247
scontext=root:system_r:unconfined_t:s0-s0:c0.c1023
tcontext=system_u:object_r:unconfined_t:s0 tclass=file
Dec 15 09:43:37 rain2 kernel: audit(1166172217.876:20): avc:  denied  {
relabelto } for  pid=3130 comm="chcon" name="irqbalance" dev=dm-0 ino=3746247
scontext=root:system_r:unconfined_t:s0-s0:c0.c1023
tcontext=system_u:object_r:unconfined_t:s0 tclass=file

Reboot, just to be sure...

Dec 15 09:53:06 rain2 kernel: audit(1166172775.532:3): avc:  denied  { search }
for  pid=2001 comm="irqbalance" name="net" dev=proc ino=-268435432
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
Dec 15 09:53:07 rain2 kernel: audit(1166172775.532:4): avc:  denied  { read }
for  pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:07 rain2 kernel: audit(1166172775.532:5): avc:  denied  { getattr }
for  pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:07 rain2 kernel: audit(1166172775.533:6): avc:  denied  { create }
for  pid=2001 comm="irqbalance" scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 09:53:07 rain2 kernel: audit(1166172775.533:7): avc:  denied  { ioctl }
for  pid=2001 comm="irqbalance" name="[8830]" dev=sockfs ino=8830
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 09:53:07 rain2 kernel: audit(1166172775.533:8): avc:  denied  { net_admin
} for  pid=2001 comm="irqbalance" capability=12
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:system_r:irqbalance_t:s0 tclass=capability
Dec 15 09:53:07 rain2 kernel: audit(1166172785.001:9): avc:  denied  { search }
for  pid=2001 comm="irqbalance" name="net" dev=proc ino=-268435432
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
Dec 15 09:53:07 rain2 kernel: audit(1166172785.001:10): avc:  denied  { read }
for  pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:07 rain2 kernel: audit(1166172785.001:11): avc:  denied  { getattr
} for  pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:35 rain2 kernel: audit(1166172815.001:12): avc:  denied  { read }
for  pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 15 09:53:35 rain2 kernel: audit(1166172815.002:13): avc:  denied  { getattr
} for  pid=2001 comm="irqbalance" name="dev" dev=proc ino=-268435159
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file

Setting selinux to permissive mode and reboot.

Dec 15 09:58:15 rain2 kernel: audit(1166173095.001:14): avc:  denied  { create }
for  pid=2001 comm="irqbalance" scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 09:58:15 rain2 kernel: audit(1166173095.001:15): avc:  denied  { ioctl }
for  pid=2001 comm="irqbalance" name="[12025]" dev=sockfs ino=12025
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 09:58:15 rain2 kernel: audit(1166173095.001:16): avc:  denied  {
net_admin } for  pid=2001 comm="irqbalance" capability=12
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:system_r:irqbalance_t:s0 tclass=capability
Dec 15 10:03:35 rain2 kernel: audit(1166173415.001:17): avc:  denied  { create }
for  pid=2001 comm="irqbalance" scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket
Dec 15 10:03:35 rain2 kernel: audit(1166173415.001:18): avc:  denied  { ioctl }
for  pid=2001 comm="irqbalance" name="[12460]" dev=sockfs ino=12460
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:system_r:irqbalance_t:s0 tclass=udp_socket

As you can see, after trying the chcon the denial is no longer only { search },
but something more as well.
So, apart from the original denial problem, do the denials after chcon (which
seems to have failed) show that something is broken?

Thanks.
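Reading a comment like the one above by hand is error-prone, because syslog wraps each AVC record over several lines. The following Python is an added example (not from this bug or from the selinux-policy project) that re-joins the wrapped records, summarises denials by source type, target type, object class and permission, and answers the question the comment asks: whether the chcon relabel itself was denied. The sample log is constructed from records quoted in the comment.

```python
import re
from collections import Counter

# Constructed sample in the wrapped form shown in comment 1: syslog splits each
# AVC record over several lines, and only the first line carries a timestamp.
SAMPLE_LOG = """\
Dec 15 09:53:06 rain2 kernel: audit(1166172775.532:3): avc:  denied  { search }
for  pid=2001 comm="irqbalance" name="net" dev=proc ino=-268435432
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
Dec 15 09:53:07 rain2 kernel: audit(1166172775.533:8): avc:  denied  { net_admin
} for  pid=2001 comm="irqbalance" capability=12
scontext=system_u:system_r:irqbalance_t:s0
tcontext=system_u:system_r:irqbalance_t:s0 tclass=capability
Dec 15 09:43:21 rain2 kernel: audit(1166172201.454:19): avc:  denied  {
relabelto } for  pid=3128 comm="chcon" name="irqbalance" dev=dm-0 ino=3746247
scontext=root:system_r:unconfined_t:s0-s0:c0.c1023
tcontext=system_u:object_r:unconfined_t:s0 tclass=file
"""
RECORD_START = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ kernel: audit\(")
AVC = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
                 r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+)"
                 r".*?tclass=(?P<tclass>\S+)")

def join_records(text):
    """Re-join AVC records that were wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarise(text):
    """Count denials keyed by (source type, target type, class, permissions)."""
    counts = Counter()
    for rec in join_records(text):
        m = AVC.search(rec)
        if m:
            stype = m["scontext"].split(":")[2]   # type field of the context
            ttype = m["tcontext"].split(":")[2]
            counts[(stype, ttype, m["tclass"], " ".join(m["perms"].split()))] += 1
    return counts

def relabel_denied(text):
    """True if a chcon-style relabelto on a file was denied, as in comment 1."""
    return any(tclass == "file" and "relabelto" in perms.split()
               for (_, _, tclass, perms) in summarise(text))
```

On the sample, the summary shows the original proc_net_t search denial, the later net_admin capability denial, and a denied relabelto, which confirms the chcon never took effect; the policy update in the following comments is the fix, not relabelling the binary.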
Comment 2 Daniel Walsh 2006-12-18 16:07:58 EST
Fixed in selinux-policy-2.4.6-13
Comment 3 Daniel Walsh 2007-08-22 10:12:09 EDT
Fixed in current release
