Bug 250701 - SELinux preventing use of 'ping'
Summary: SELinux preventing use of 'ping'
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy   
(Show other bugs)
Version: 7
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2007-08-03 01:11 UTC by Gerry Reno
Modified: 2007-11-30 22:12 UTC (History)
0 users

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-09-12 17:07:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Gerry Reno 2007-08-03 01:11:40 UTC
Description of problem:
Recently I've been noticing things like this in my system log:

Aug 2 19:26:50 grp-01-00-51 setroubleshoot: SELinux is preventing /bin/ping
(ping_t) "node_bind" to <Unknown> (node_t). For complete SELinux messages. run
sealert -l d61ac476-5b30-4bdd-a157-ae782318d717

Some of my startup scripts call 'ping' to check on various services. Now these
are not running.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. use ping in any /etc/init.d sourced script
Actual results:
avc denial

Expected results:
access permitted and ping works

Additional info:

# sealert -l d61ac476-5b30-4bdd-a157-ae782318d717
SELinux is preventing /bin/ping (ping_t) "node_bind" to <Unknown> (node_t).

Detailed Description
SELinux denied access requested by /bin/ping. It is not expected that this
access is required by /bin/ping and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of
the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selin...-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.

Additional Information

Source Context system_u:system_ring_t
Target Context system_u:object_r:node_t
Target Objects None [ rawip_socket ]
Affected RPM Packages iputils-20070202-3.fc7 [application]
Policy RPM selinux-policy-2.6.4-23.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall
Host Name grp-01-00-51
Platform Linux grp-01-00-51 2.6.21-1.3228.fc7 #1 SMP Tue
Jun 12 15:37:31 EDT 2007 i686 athlon
Alert Count 1
First Seen Thu Aug 2 19:26:48 2007
Last Seen Thu Aug 2 19:26:48 2007
Local ID d61ac476-5b30-4bdd-a157-ae782318d717
Line Numbers

Raw Audit Messages

avc: denied { node_bind } for comm="ping" egid=0 euid=0 exe="/bin/ping" exit=-13
fsgid=0 fsuid=0 gid=0 items=0 pid=2296 saddr=
scontext=system_u:system_ring_t:s0 sgid=0 subj=system_u:system_ring_t:s0
suid=0 tclass=rawip_socket tcontext=system_u:object_r:node_t:s0 tty=(none) uid=0

Comment 1 Gerry Reno 2007-08-03 01:37:12 UTC
More specifically, the 'ping' command that caused this particular avc denial was
located inside of a keepalived 'notify' script.

Comment 2 Gerry Reno 2007-08-03 02:27:03 UTC
Further investigation reveals that it is a specific type of 'ping' that is failing.

Regular ping:
ping -w 1   # this succeeds

Alternate interface ping:
ping -w 1 -I   # this fails with avc denial

Here are the interfaces:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:a7:c7:33 brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth0
    inet scope global secondary eth0
    inet6 fe80::20c:29ff:fea7:c733/64 scope link 
       valid_lft forever preferred_lft forever

Comment 3 Gerry Reno 2007-08-03 02:28:59 UTC
The alternate interface ping will succeed from the regular command line.  But it
fails when run inside a keepalived 'notify' script.

Comment 4 Daniel Walsh 2007-08-03 13:45:53 UTC
Fixed in selinux-policy-2.6.4-32

Comment 5 Daniel Walsh 2007-09-12 17:07:51 UTC
Moving modified bugs to closed

Note You need to log in before you can comment on or make changes to this bug.