Bug 235182 - selinux denial messages when rmmoding network interface
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson

Reported: 2007-04-04 07:46 EDT by Roy-Magne Mo
Modified: 2007-11-30 17:12 EST

Fixed In Version: 2.5.12-3.fc7
Doc Type: Bug Fix
Last Closed: 2007-05-04 12:28:34 EDT

Description Roy-Magne Mo 2007-04-04 07:46:44 EDT
Description of problem:
selinux denial messages when running ifdown

Version-Release number of selected component (if applicable):
# rpm -qa \*policy\* initscripts selinux\*
policycoreutils-2.0.7-8.fc7
initscripts-8.51-1
selinux-policy-2.5.11-1.fc7
selinux-policy-targeted-2.5.11-1.fc7


How reproducible:
always

Steps to Reproduce:
1. rmmod iwlwifi
Actual results:
selinux denials

Expected results:


Additional info:
avc: denied { getattr } for comm="ifdown-eth" dev=dm-0 egid=0 euid=0
exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="dhclient-eth1.pid"
path="/var/run/dhclient-eth1.pid" pid=5158
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:dhcpc_var_run_t:s0 tty=(none) uid=0 


avc: denied { search } for comm="ifdown-ipv6" dev=proc egid=0 euid=0
exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="net" pid=5207
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir
tcontext=system_u:object_r:proc_net_t:s0 tty=(none) uid=0
Comment 1 Daniel Walsh 2007-04-10 14:15:45 EDT
This is very strange.  This looks like you have some program running as udev
that should not be?


Harald does this make sense to you?  Would udev ever run ifdown-eth?
Comment 2 Bill Nottingham 2007-04-10 16:00:00 EDT
Yes, it does on interface removal.
Comment 3 Daniel Walsh 2007-04-10 16:08:49 EDT
Roy-Magne could you run this in permissive mode and collect all of the avc messages?
Comment 4 Roy-Magne Mo 2007-04-13 11:55:42 EDT
# rpm -qa \*policy\* initscripts selinux\*
selinux-policy-targeted-2.5.12-2.fc7
policycoreutils-2.0.9-1.fc7
selinux-policy-2.5.12-2.fc7
initscripts-8.51-1


quite a lot, collected from audit.log:

type=AVC msg=audit(1176479586.254:127): avc:  denied  { search } for  pid=4713
comm="ifdown-ipv6" name="net" dev=proc ino=-268435430
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
type=AVC msg=audit(1176479586.254:127): avc:  denied  { getattr } for  pid=4713
comm="ifdown-ipv6" name="if_inet6" dev=proc ino=-268435115
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1176479586.254:127): arch=40000003 syscall=195
success=yes exit=0 a0=874b228 a1=bfe31738 a2=44b86ff4 a3=874b228 items=0
ppid=4660 pid=4713 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="ifdown-ipv6" exe="/bin/bash"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1176479586.254:127):  path="/proc/net/if_inet6"
type=AVC msg=audit(1176479586.254:128): avc:  denied  { search } for  pid=4713
comm="ifdown-ipv6" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=SYSCALL msg=audit(1176479586.254:128): arch=40000003 syscall=195
success=yes exit=0 a0=872c7c8 a1=bfe31958 a2=44b86ff4 a3=872c7c8 items=0
ppid=4660 pid=4713 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="ifdown-ipv6" exe="/bin/bash"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1176479586.254:129): avc:  denied  { getattr } for  pid=4660
comm="ifdown-eth" name="dhclient-eth1.pid" dev=dm-0 ino=1177838
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=user_u:object_r:dhcpc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1176479586.254:129): arch=40000003 syscall=195
success=yes exit=0 a0=9d9b808 a1=bf9fdf38 a2=44b86ff4 a3=9d9b808 items=0
ppid=4659 pid=4660 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="ifdown-eth" exe="/bin/bash"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1176479586.254:129):  path="/var/run/dhclient-eth1.pid"
type=AVC msg=audit(1176479586.254:130): avc:  denied  { read } for  pid=4730
comm="cat" name="dhclient-eth1.pid" dev=dm-0 ino=1177838
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=user_u:object_r:dhcpc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1176479586.254:130): arch=40000003 syscall=5 success=yes
exit=3 a0=bfb70e74 a1=8000 a2=0 a3=8000 items=0 ppid=4660 pid=4730
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="cat" exe="/bin/cat"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1176479586.254:131): avc:  denied  { unlink } for  pid=4761
comm="rm" name="dhclient-eth1.pid" dev=dm-0 ino=1177838
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=user_u:object_r:dhcpc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1176479586.254:131): arch=40000003 syscall=301
success=yes exit=0 a0=ffffff9c a1=bf9efe76 a2=0 a3=bf9efe76 items=0 ppid=4660
pid=4761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="rm" exe="/bin/rm" subj=system_u:system_r:udev_t:s0-s0:c0.c1023
key=(null)
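As an added example (not code from this report or from the selinux-policy project), a small Python script that does for the records quoted above what audit2allow does: it parses both the audit.log form and the dmesg form of an AVC record, merges the denied permissions per (source type, target type, object class), and prints the allow rules a policy author would then review. The sample records are constructed from the ones in this comment and the description, re-joined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample: records from this report re-joined onto single lines
# (the tracker wrapped them), plus one dmesg-style record and one non-AVC
# record that the parser must ignore.
SAMPLE = """\
type=AVC msg=audit(1176479586.254:127): avc:  denied  { search } for  pid=4713 comm="ifdown-ipv6" name="net" dev=proc ino=-268435430 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
type=SYSCALL msg=audit(1176479586.254:127): arch=40000003 syscall=195 success=yes exit=0 comm="ifdown-ipv6" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1176479586.254:128): avc:  denied  { search } for  pid=4713 comm="ifdown-ipv6" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1176479586.254:129): avc:  denied  { getattr } for  pid=4660 comm="ifdown-eth" name="dhclient-eth1.pid" dev=dm-0 ino=1177838 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=user_u:object_r:dhcpc_var_run_t:s0 tclass=file
type=AVC msg=audit(1176479586.254:130): avc:  denied  { read } for  pid=4730 comm="cat" name="dhclient-eth1.pid" dev=dm-0 ino=1177838 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=user_u:object_r:dhcpc_var_run_t:s0 tclass=file
type=AVC msg=audit(1176479586.254:131): avc:  denied  { unlink } for  pid=4761 comm="rm" name="dhclient-eth1.pid" dev=dm-0 ino=1177838 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=user_u:object_r:dhcpc_var_run_t:s0 tclass=file
avc: denied { search } for comm="ifdown-ipv6" dev=proc exe="/bin/bash" exit=-13 name="net" pid=5207 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir tcontext=system_u:object_r:proc_net_t:s0 tty=(none) uid=0
"""

PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}')
FIELD_RE = re.compile(r'\b(scontext|tcontext|tclass)=(\S+)')

def type_of(context):
    """Extract the type from a user:role:type[:range] security context."""
    return context.split(':')[2]

def parse_avc(record):
    """Return (source_type, target_type, tclass, perms) for a denial, else None."""
    m = PERMS_RE.search(record)
    if not m:
        return None
    # audit.log and dmesg order the fields differently, so find each one
    # independently rather than assuming a fixed layout.
    fields = dict(FIELD_RE.findall(record))
    if len(fields) != 3:
        return None  # incomplete record: skip rather than guess
    return (type_of(fields['scontext']), type_of(fields['tcontext']),
            fields['tclass'], frozenset(m.group(1).split()))

def suggest_rules(lines):
    """Merge denials into one audit2allow-style allow rule per (src, tgt, class)."""
    needed = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, tclass, perms = parsed
            needed[(src, tgt, tclass)] |= perms
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(needed.items())]

if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE.splitlines()):
        print(rule)
```

Merged rules like these are a triage aid, not the fix itself: whether to grant them to udev_t or to have udev run the ifdown scripts in a domain of their own is a policy design decision.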
Comment 5 Daniel Walsh 2007-04-16 11:55:31 EDT
Fixed in selinux-policy-2.5.12-3.fc7
