Description of problem:
Recently I've been noticing things like this in my system log:

Aug 2 19:26:50 grp-01-00-51 setroubleshoot: SELinux is preventing /bin/ping (ping_t) "node_bind" to <Unknown> (node_t). For complete SELinux messages. run sealert -l d61ac476-5b30-4bdd-a157-ae782318d717

Some of my startup scripts call 'ping' to check on various services. Now these are not running.

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-23.fc7

How reproducible:
always

Steps to Reproduce:
1. use ping in any /etc/init.d sourced script
2.
3.

Actual results:
avc denial

Expected results:
access permitted and ping works

Additional info:

# sealert -l d61ac476-5b30-4bdd-a157-ae782318d717

Summary
    SELinux is preventing /bin/ping (ping_t) "node_bind" to <Unknown> (node_t).

Detailed Description
    SELinux denied access requested by /bin/ping. It is not expected that this
    access is required by /bin/ping and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selin...-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information

Source Context                system_u:system_ring_t
Target Context                system_u:object_r:node_t
Target Objects                None [ rawip_socket ]
Affected RPM Packages         iputils-20070202-3.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-23.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     grp-01-00-51
Platform                      Linux grp-01-00-51 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 15:37:31 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Thu Aug 2 19:26:48 2007
Last Seen                     Thu Aug 2 19:26:48 2007
Local ID                      d61ac476-5b30-4bdd-a157-ae782318d717
Line Numbers

Raw Audit Messages

avc: denied { node_bind } for comm="ping" egid=0 euid=0 exe="/bin/ping" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2296 saddr=192.168.1.240 scontext=system_u:system_ring_t:s0 sgid=0 subj=system_u:system_ring_t:s0 suid=0 tclass=rawip_socket tcontext=system_u:object_r:node_t:s0 tty=(none) uid=0
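The sealert text above says a local policy module can be generated for this access, which is what audit2allow does from the raw AVC line: it takes the source type, target type, object class and permission set and emits a TE allow rule. The following is an added example (not part of the bug report, and not Fedora's or setroubleshoot's own code) that performs that translation for one AVC line and states in plain words what the denied permission means. The sample line is constructed from the raw audit message in the report, with the source context written out in full as system_u:system_r:ping_t:s0 (an assumption: a context has user:role:type[:level] fields, and the summary names the type as ping_t).

```python
import re

# Constructed sample AVC line, modelled on the raw audit message in the report
# above. The source context is spelled out in full (user:role:type:level), which
# the extracted report text did not preserve; that is an assumption here.
SAMPLE_AVC = (
    'avc: denied { node_bind } for comm="ping" egid=0 euid=0 exe="/bin/ping" '
    'exit=-13 pid=2296 saddr=192.168.1.240 scontext=system_u:system_r:ping_t:s0 '
    'tclass=rawip_socket tcontext=system_u:object_r:node_t:s0 tty=(none) uid=0'
)

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
_DENIED = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the permission set and key=value fields of one AVC denial,
    or None if the line is not an AVC denial at all."""
    m = _DENIED.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(m.group('rest'))}
    fields['perms'] = sorted(m.group('perms').split())
    return fields


def context_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError(f'not a full SELinux context: {ctx!r}')
    return parts[2]


def allow_rule(avc):
    """Build the minimal TE allow rule that covers exactly this denial,
    in the same shape audit2allow prints it."""
    src = context_type(avc['scontext'])
    tgt = context_type(avc['tcontext'])
    perms = avc['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {src} {tgt}:{avc['tclass']} {perm_text};"


def describe(avc):
    """One-line reading of the denial for a reviewer deciding whether the
    access is legitimate before any rule is loaded."""
    what = {
        ('rawip_socket', 'node_bind'):
            'bind a raw IP socket to a specific local address (ping -I <addr>)',
    }.get((avc['tclass'], avc['perms'][0]), f"{avc['tclass']} {avc['perms']}")
    return (f"{avc.get('comm', '?')} ({context_type(avc['scontext'])}) tried to "
            f"{what}; target node {avc.get('saddr', '?')} is labelled "
            f"{context_type(avc['tcontext'])}")


if __name__ == '__main__':
    avc = parse_avc(SAMPLE_AVC)
    print(describe(avc))
    print(allow_rule(avc))
```

The generated rule is what a local module would carry; the useful step before loading one is the describe() reading, which makes clear that node_bind on rawip_socket is the binding to a chosen source address rather than the ICMP echo itself, so the decision is about whether ping -I from that script is expected. A distribution policy update (the report's resolution) is the preferable fix to a hand-written module where one exists.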
More specifically, the 'ping' command that caused this particular avc denial was located inside of a keepalived 'notify' script.
Further investigation reveals that it is a specific type of 'ping' that is failing.

Regular ping:
  ping -w 1 192.168.1.1                      # this succeeds

Alternate interface ping:
  ping -w 1 -I 192.168.1.240 192.168.1.1     # this fails with avc denial

Here are the interfaces:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:a7:c7:33 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.150/24 brd 192.168.1.255 scope global eth0
    inet 192.168.1.240/24 scope global secondary eth0
    inet6 fe80::20c:29ff:fea7:c733/64 scope link
       valid_lft forever preferred_lft forever
The alternate interface ping will succeed from the regular command line. But it fails when run inside a keepalived 'notify' script.
Fixed in selinux-policy-2.6.4-32
Moving modified bugs to closed