Bug 355521 - ping6 policy does not allow creating netlink socket
ping6 policy does not allow creating netlink socket
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-10-27 19:04 EDT by Ulrich Drepper
Modified: 2008-01-30 14:18 EST (History)
1 user (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-30 14:18:29 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
AVC as reported in setroubleshhot browser (1.82 KB, application/octet-stream)
2007-10-27 19:04 EDT, Ulrich Drepper
no flags Details

  None (edit)
Description Ulrich Drepper 2007-10-27 19:04:15 EDT
Description of problem:
The ping6 binary is not allowed to create a netlink socket for routing.  See the
attached report.

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-33.fc8

How reproducible:
always

Steps to Reproduce:
1.use ping6 with hostname which has an IPv6 address
2.
3.
  
Actual results:
Attached AVC

Expected results:
No AVC.

Additional info:
Comment 1 Ulrich Drepper 2007-10-27 19:04:15 EDT
Created attachment 240761 [details]
AVC as reported in setroubleshhot browser
Comment 2 Daniel Walsh 2007-10-29 22:40:10 EDT
Fixed in selinux-policy-3.0.8-40.fc8
Comment 3 Pekka Savola 2007-11-15 02:45:54 EST
This fix doesn't appear to be complete or doesn't work, because with -44.fc8 I
get the following (this is about "create" but I also get alerts for "bind",
"write" and "read"):

Summary
    SELinux is preventing /bin/ping6 (ping_t) "create" to <Unknown> (ping_t).

Detailed Description
    SELinux denied access requested by /bin/ping6. It is not expected that this
    access is required by /bin/ping6 and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information

Source Context                system_u:system_r:ping_t
Target Context                system_u:system_r:ping_t
Target Objects                None [ netlink_route_socket ]
Affected RPM Packages         iputils-20070202-5.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall
Host Name                     home
Platform                      Linux home 2.6.23.1-42.fc8 #1 SMP Tue Oct 30
                              13:55:12 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Sun 11 Nov 2007 05:28:42 PM EET
Last Seen                     Sun 11 Nov 2007 05:28:42 PM EET
Local ID                      b05e7345-144f-4a5c-b260-cb6883b57e5c
Line Numbers

Raw Audit Messages

avc: denied { create } for comm=ping6 egid=500 euid=500 exe=/bin/ping6 exit=4
fsgid=500 fsuid=500 gid=500 items=0 pid=23618
scontext=system_u:system_r:ping_t:s0 sgid=500 subj=system_u:system_r:ping_t:s0
suid=500 tclass=netlink_route_socket tcontext=system_u:system_r:ping_t:s0
tty=pts2 uid=500
Comment 4 Daniel Walsh 2007-11-15 10:18:17 EST
Could you try selinux-policy-3.0.8-47.fc8 or later.
Comment 5 Daniel Walsh 2008-01-30 14:18:29 EST
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.

Note You need to log in before you can comment on or make changes to this bug.