Bug 250031 - SELinux is preventing bridging interfaces from working
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-07-29 16:15 EDT by Jonathan Steffan
Modified: 2007-11-30 17:12 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 10:10:50 EDT
Attachments: None
Description Jonathan Steffan 2007-07-29 16:15:54 EDT
Description of problem:
SELinux causes my bridge to not function.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-28.fc7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Configure a bridge, and one member (br0 and eth0)
2. /sbin/service network restart (or start)
3. "Bridging not supported in this kernel..."
  
Actual results:
Bridge does not work.

Expected results:
Bridge works.

Additional info:

type=SYSCALL msg=audit(1185492687.966:15): arch=c000003e syscall=6 success=no
exit=-13 a0=7fff1200cb00 a1=7fff1200ca60 a2=7fff1200ca60 a3=3d items=0 ppid=2407
pid=2412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="brctl" exe="/usr/sbin/brctl" subj=system_u:system_r:brctl_t:s0
key=(null)

type=AVC msg=audit(1185701591.292:15): avc:  denied  { search } for  pid=2395
comm="brctl" name="/" dev=sysfs ino=1 scontext=system_u:system_r:brctl_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

This might not be everything. If the network is started in permissive mode, you
can then go back into enforcing mode.

setenforce 0 && service network restart && setenforce 1
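As an added example (not part of this bug report, nor code from the selinux-policy package), the Python script below takes AVC denial records like the ones quoted above, re-joins records that the tracker wrapped onto several lines, and reduces them to the (source type, target type, object class, permissions) tuples a policy fix has to cover, rendered in the `allow` rule form that audit2allow(1) prints. The sample input embeds the denials from this report; the last record (a `read` denial on a sysfs file) is constructed for illustration and does not appear on this page. All function and constant names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC and SYSCALL records quoted in this bug
# report, still wrapped at ~80 columns the way the tracker shows them, with one
# kernel log line mixed in.  The final record (a "read" denial on a sysfs file)
# is constructed for illustration and does not appear in the report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1185701591.292:15): avc:  denied  { search } for  pid=2395
comm="brctl" name="/" dev=sysfs ino=1 scontext=system_u:system_r:brctl_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

audit(1185702004.863:6): avc:  denied  { search } for  pid=1980 comm="brctl"
name="net" dev=sysfs ino=1261 scontext=system_u:system_r:brctl_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
kobject_add failed for br0 (-13)
type=SYSCALL msg=audit(1185492687.966:15): arch=c000003e syscall=6 success=no
exit=-13 a0=7fff1200cb00 a1=7fff1200ca60 a2=7fff1200ca60 a3=3d items=0 ppid=2407
pid=2412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="brctl" exe="/usr/sbin/brctl" subj=system_u:system_r:brctl_t:s0
key=(null)
audit(1185702004.900:9): avc:  denied  { read } for  pid=1990 comm="brctl"
name="bridge" dev=sysfs ino=1300 scontext=system_u:system_r:brctl_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=file
"""

# An audit record starts with "type=... msg=audit(" (auditd) or bare "audit(" (dmesg).
RECORD_START = re.compile(r"^(type=\w+ msg=audit\(|audit\()")
# A wrapped tail of a record starts with a key=value token.
CONTINUATION = re.compile(r"^\s*\w+=")
AVC_DENIED = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def unwrap(text):
    """Re-join audit records that were wrapped onto several lines when pasted."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if RECORD_START.match(line) or not records or not CONTINUATION.match(line):
            records.append(line.strip())      # new record (or unrelated noise)
        else:
            records[-1] += " " + line.strip()  # tail of the previous record
    return records


def parse_avc(record):
    """Return the parts of one AVC denial that matter for policy, or None."""
    m = AVC_DENIED.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        # Contexts are user:role:type:level; allow rules are written on the type.
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def summarize(records):
    """Group denials by (source type, target type, class), uniting permissions."""
    grouped = defaultdict(set)
    for rec in records:
        avc = parse_avc(rec)
        if avc is not None:
            key = (avc["source_type"], avc["target_type"], avc["tclass"])
            grouped[key].update(avc["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


def to_allow_rules(summary):
    """Render the summary as the allow rules audit2allow(1) would emit."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in to_allow_rules(summarize(unwrap(SAMPLE_AUDIT))):
        print(rule)
```

Run on only the denials quoted in this report, the script reduces them to a single rule, `allow brctl_t sysfs_t:dir search;`, which shows the gap is a narrow sysfs directory search by the brctl domain rather than anything that justifies a permissive-mode network restart. The same reduction is what `audit2allow -M local` followed by `semodule -i local.pp` automates for a local policy module; the point of doing it by hand is to read the denied (type, class, permission) before granting it.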
Comment 1 Jonathan Steffan 2007-07-29 16:17:13 EDT
audit(1185702004.840:4): avc:  denied  { search } for  pid=1974 comm="brctl"
name="/" dev=sysfs ino=1 scontext=system_u:system_r:brctl_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Bridge firewalling registered
audit(1185702004.863:5): avc:  denied  { search } for  pid=1980 comm="brctl"
name="/" dev=sysfs ino=1 scontext=system_u:system_r:brctl_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
audit(1185702004.863:6): avc:  denied  { search } for  pid=1980 comm="brctl"
name="net" dev=sysfs ino=1261 scontext=system_u:system_r:brctl_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
kobject_add failed for br0 (-13)

Call Trace:
 [<ffffffff81112e72>] kobject_shadow_add+0x16c/0x1a0
 [<ffffffff81184548>] device_add+0xb6/0x611
 [<ffffffff81112eef>] kobject_init+0x39/0x4c
 [<ffffffff811de8eb>] register_netdevice+0x234/0x2fc
 [<ffffffff88b4974b>] :bridge:br_add_bridge+0x166/0x18d
 [<ffffffff88b4a328>] :bridge:br_ioctl_deviceless_stub+0x1b8/0x1e0
 [<ffffffff811d2f8e>] sock_ioctl+0x11b/0x1e5
 [<ffffffff8109e837>] do_ioctl+0x2b/0xb6
 [<ffffffff8109eb05>] vfs_ioctl+0x243/0x25c
 [<ffffffff8109eb77>] sys_ioctl+0x59/0x7a
 [<ffffffff81009b5e>] system_call+0x7e/0x83

audit(1185702004.864:7): avc:  denied  { search } for  pid=1980 comm="brctl"
name="net" dev=sysfs ino=1261 scontext=system_u:system_r:brctl_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
kobject_add failed for br0 (-13)

Call Trace:
 [<ffffffff81112e72>] kobject_shadow_add+0x16c/0x1a0
 [<ffffffff81184548>] device_add+0xb6/0x611
 [<ffffffff81112eef>] kobject_init+0x39/0x4c
 [<ffffffff811de8eb>] register_netdevice+0x234/0x2fc
 [<ffffffff88b4974b>] :bridge:br_add_bridge+0x166/0x18d
 [<ffffffff88b4a328>] :bridge:br_ioctl_deviceless_stub+0x1b8/0x1e0
 [<ffffffff811d2f8e>] sock_ioctl+0x11b/0x1e5
 [<ffffffff8109e837>] do_ioctl+0x2b/0xb6
 [<ffffffff8109eb05>] vfs_ioctl+0x243/0x25c
 [<ffffffff8109eb77>] sys_ioctl+0x59/0x7a
 [<ffffffff81009b5e>] system_call+0x7e/0x83

audit(1185702004.865:8): avc:  denied  { search } for  pid=1982 comm="brctl"
name="/" dev=sysfs ino=1 scontext=system_u:system_r:brctl_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Comment 2 Daniel Walsh 2007-07-30 09:48:58 EDT
Fixed in selinux-policy-2.6.4-30
Comment 3 Daniel Walsh 2007-08-22 10:10:50 EDT
Closing as fixes are in the current release
