Bug 249499 - selinux breaks bridge functionality
selinux breaks bridge functionality
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
7
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-07-25 03:50 EDT by Rolf Fokkens
Modified: 2007-11-30 17:12 EST (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-22 10:09:30 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Rolf Fokkens 2007-07-25 03:50:53 EDT
Description of problem:
After having upgraded selinux to the latest release bridge interfaces no longer
start during boot. Workaround was to change SELINUX=enforce to
SELINUX=permissive in /etc/selinux/config

Version-Release number of selected component (if applicable):
kernel-2.6.22.1-27.fc7
selinux-policy-2.6.4-28.fc7

How reproducible:
100%

Steps to Reproduce:
1. Upgrade to selinux-policy-2.6.4-28.fc7, kernel-2.6.22.1-27.fc7
2. Reboot
3. Enjoy the fact that your bridge interfaces no longer start
  
Actual results:
During boot (/etc/rc.d/init.d/network) a message "Bridge support not available
in this kernel" show up. 

Expected results:
Flawless operation

Additional info:
In syslog:
Jul 25 08:20:11 home07 kernel: audit(1185344374.139:4): avc:  denied  { search }
for  pid=2222 comm="brctl" name="/" dev=sysfs ino=1
scontext=system_u:system_r:brctl_t:s0 tcontext=system_u:object_r:sysfs_t:s0
tclass=dir
Jul 25 08:20:11 home07 kernel: audit(1185344374.139:5): avc:  denied  { getattr}
for  pid=2222 comm="brctl" name="net" dev=sysfs ino=1980
scontext=system_u:system_r:brctl_t:s0 tcontext=system_u:object_r:sysfs_t:s0
tclass=dir
Jul 25 08:20:11 home07 kernel: audit(1185344374.139:6): avc:  denied  { read }
for  pid=2222 comm="brctl" name="net" dev=sysfs ino=1980
scontext=system_u:system_r:brctl_t:s0 tcontext=system_u:object_r:sysfs_t:s0
tclass=dir
Comment 1 Daniel Walsh 2007-07-25 16:15:33 EDT
If you add that rule using audit2allow does it work properly?>

grep brctl /var/log/audit/audit.log | audit2allow -M mybrctl
semodule -i mybrctl.pp
Comment 2 Rolf Fokkens 2007-07-26 13:30:12 EDT
This seems to solve the problem. I added the rule as requested, and I rebooted.
Everything worked fine. 
Comment 3 Daniel Walsh 2007-07-26 13:42:12 EDT
Fixed in selinux-policy-2.6.4-30.fc7
Comment 4 Daniel Walsh 2007-08-22 10:09:30 EDT
Closing as fixes are in the current release

Note You need to log in before you can comment on or make changes to this bug.