Bug 288951 - SELinux is preventing the /bin/netstat from using potentially mislabeled
SELinux is preventing the /bin/netstat from using potentially mislabeled
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: smartcard-login (Show other bugs)
5.0
All Linux
medium Severity urgent
: ---
: ---
Assigned To: Kai Engert (:kaie) (on vacation)
desktop-bugs@redhat.com
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-09-13 04:20 EDT by manoj
Modified: 2008-07-10 16:20 EDT (History)
3 users (show)

See Also:
Fixed In Version: nss-3.11.7-1.3.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-06 19:38:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description manoj 2007-09-13 04:20:58 EDT
How reproducible:

On a Enterprise RHEL5 Server with SELinux policy targeted(21) enabled in
enforcing mode when I start/stop/restart httpd (/etc/init.d/httpd start/stop)
I get the below alert.
  
Actual results:
Summary
    SELinux is preventing the /bin/netstat from using potentially mislabeled
    files net (proc_net_t).

Detailed Description
    SELinux has denied the /bin/netstat access to potentially mislabeled files
    net.  This means that SELinux will not allow http to use these files.  Many
    third party apps install html files in directories that SELinux policy can
    not predict.  These directories have to be labeled with a file context
which
    httpd can accesss.

Allowing Access
    If you want to change the file context of net so that the httpd daemon can
    access it, you need to execute it using chcon -t httpd_sys_content_t.net.
    You can look at the httpd_selinux man page for additional information.

Additional Information        

Source Context                root:system_r:httpd_t
Target Context                system_u:object_r:proc_net_t
Target Objects                net [ dir ]
Affected RPM Packages         net-tools-1.60-73 [application]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.httpd_bad_labels
Host Name                     Rhel5.test.com
Platform                      Linux Rhel5.test.com 2.6.18-8.el5 #1 SMP Fri Jan
                              26 14:15:14 EST 2007 x86_64 x86_64
Alert Count                   1
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm="netstat" dev=proc egid=0 euid=0
exe="/bin/netstat" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="net" pid=9529
scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0 suid=0
tclass=dir tcontext=system_u:object_r:proc_net_t:s0 tty=(none) uid=0


Additional info:
Comment 1 Daniel Walsh 2007-09-13 12:36:28 EDT
Are you using mod_nss?  This is a know problem with it execing netstat.  you can
add this policy by executing

# grep netstat /var/log/audit/audit.log | audit2allow mynss
# semodule -i mynss.pp

The nss libraries do not need to execute netstat.
Comment 2 manoj 2007-09-18 02:16:49 EDT
nss module is present by default in RHEL5.

Comment 3 Rob Crittenden 2007-09-18 09:28:09 EDT
This is an issue with NSS, not with mod_nss. NSS uses a variety of methods to
seed the random number generator on init. One option is to take as input the
output of netstat -ni. There is nothing in mod_nss I can do to address this.

It looks like the NSS builds 3.11.7-* include a patch to disable running netstat.
Comment 4 Kai Engert (:kaie) (on vacation) 2007-09-18 20:53:29 EDT
Yes, the version of NSS that will ship with a next round of updates will no
longer execute netstat, in order to work around a different problem. But the use
of netstat might get re-enabled at a later time.

Should the targeted policy get changed to allow this?

Manoj, are you able to test the workaround suggested by Dan in comment 1?
Comment 5 manoj 2007-09-18 23:28:13 EDT
Yes after adding policy using audit2allow as suggested by Daniel in comment 1
this alert is not generated.
Comment 6 manoj 2007-09-19 07:19:05 EDT
I didn't found any problem of working of WebServer when i'm getting this SELinux
alert. Just wanted to know is this bug going to hamper the working of apache in
anyways or is it just a noise. 
Comment 7 manoj 2007-09-21 07:12:55 EDT
Any updates for my previous query(comment6)
Comment 8 Kai Engert (:kaie) (on vacation) 2007-09-21 11:06:07 EDT
Operating your webserver should not be affected.

Allowing the execution of /bin/netstat will increase the amount of random data
collected by the cryptographic library.
Comment 9 Kai Engert (:kaie) (on vacation) 2008-04-01 17:16:19 EDT
I propose to resolve this bug.
With NSS package versions 3.11.7-1.1 and higher we no longer execute netstat at all.

Can you confirm?
Thanks a lot.
Comment 10 Kai Engert (:kaie) (on vacation) 2008-05-06 19:38:32 EDT
As proposed 5 weeks ago, I'm now resolving this bug as fixed. Inspecting the
changelog tells me, this should have been fixed since RHEL 5.1, in package
versions nss-3.11.7-1.3.el5 and later.

Adding the policy rule proposed by Dan to selinux is optional.

Note You need to log in before you can comment on or make changes to this bug.