Bug 394431 - SELinux is preventing /sbin/ifconfig (ifconfig_t) "read write" to socket (apmd_t).
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: acpid
Version: 8
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Zdenek Prikryl
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-11-21 10:54 EST by Stefan Becker
Modified: 2007-11-30 17:12 EST (History)
Doc Type: Bug Fix
Last Closed: 2007-11-23 09:21:42 EST
Attachments:
ACPI WLAN enable/disable event script (651 bytes, text/plain), 2007-11-22 10:11 EST, Stefan Becker

Description Stefan Becker 2007-11-21 10:54:11 EST
Description of problem:

Every time I enable/disable my wireless network hardware this SELinux message
pops up.

Version-Release number of selected component (if applicable):

selinux-policy-3.0.8-56.fc8
NetworkManager-glib-0.7.0-0.5.svn3030.fc8
NetworkManager-0.7.0-0.5.svn3030.fc8
NetworkManager-gnome-0.7.0-0.5.svn3030.fc8
selinux-policy-devel-3.0.8-56.fc8
selinux-policy-targeted-3.0.8-56.fc8
net-tools-1.60-84.fc8
initscripts-8.60-1

How reproducible: Always

Steps to Reproduce:
1. Enable/Disable WLAN interface
2.
3.
  
Actual results:

setroubleshoot output:

Summary

SELinux is preventing /sbin/ifconfig (ifconfig_t) "read write" to socket (apmd_t).

Detailed Description

SELinux denied access requested by /sbin/ifconfig. It is not expected that this
access is required by /sbin/ifconfig and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access

You can generate a local policy module to allow this access - see FAQ Or you can
disable SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a bug report against this package.

Additional Information
Source Context:  system_u:system_r:ifconfig_t:s0
Target Context:  system_u:system_r:apmd_t:s0-s0:c0.c1023
Target Objects:  socket [ unix_stream_socket ]
Affected RPM Packages:  net-tools-1.60-84.fc8 [application]
Policy RPM:  selinux-policy-3.0.8-56.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall
Host Name:  [REMOVED]
Platform:  Linux [REMOVED] 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007
i686 i686
Alert Count:  29
First Seen:  Sat 17 Nov 2007 06:42:38 PM EET
Last Seen:  Wed 21 Nov 2007 05:34:41 PM EET
Local ID:  531c1d3f-8df8-4e97-a37d-8500e3300074
Line Numbers:  
Raw Audit Messages :

avc: denied { read write } for comm=ifconfig dev=sockfs egid=0 euid=0
exe=/sbin/ifconfig exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=socket:[74658]
pid=14691 scontext=system_u:system_r:ifconfig_t:s0 sgid=0
subj=system_u:system_r:ifconfig_t:s0 suid=0 tclass=unix_stream_socket
context=system_u:system_r:apmd_t:s0-s0:c0.c1023 tty=(none) uid=0

Expected results:

No alert

Additional info:

This seems to be only a warning message. The function of the network interface
seems not to be affected by it.

I'm wondering about the "apmd_t". There is no APM BIOS on this system and
therefore APM is disabled by the kernel:

$ dmesg | fgrep apm
apm: BIOS not found.
Comment 1 Daniel Walsh 2007-11-21 14:18:44 EST
This looks like a leaked file descriptor in /usr/sbin/acpid.

All open file descriptors should be closed on exec:

fcntl(fd, F_SETFD, FD_CLOEXEC)

Comment 2 Stefan Becker 2007-11-22 10:11:15 EST
Created attachment 267051 [details]
ACPI WLAN enable/disable event script

Ahh, that could explain it: on this system (Lenovo T60) I enable/disable WLAN
with the RF kill switch that generates an ACPI event:

$ cat /etc/acpi/events/ibm-wireless.conf
# User has changed rfkill switch -> cycle device/driver
event=ibm/hotkey.HKEY.*.0007000
action=/home/stefanb/laptop/wlan/ibm-wireless.sh

Example log from /var/log/messages:

Nov 22 16:44:38 l3f1199 acpid: received event "ibm/hotkey HKEY 00000080
00007000"
Nov 22 16:44:38 l3f1199 acpid: notifying client 1865[68:68]
Nov 22 16:44:38 l3f1199 acpid: notifying client 2000[0:0]
Nov 22 16:44:38 l3f1199 acpid: executing action
"/home/stefanb/laptop/wlan/ibm-wireless.sh"
Nov 22 16:44:41 l3f1199 acpid: action exited with status 0

I've attached the script, nothing fancy there.

Maybe this SELinux warning is generated, because ifconfig wants to print
something to STDOUT/STDERR which are owned by the parent acpid process?
Comment 3 Stefan Becker 2007-11-22 10:12:30 EST
Dan: does comment #2 shed some light on this? Does the script do something illegal?
Comment 4 Zdenek Prikryl 2007-11-22 10:46:08 EST
Hello,
I'm not sure, but I think that SELinux might assume that some intruder is
trying to shut down the interface, because the script is executed with the
wrong rights in the wrong context.

Anyway, your script isn't part of the official package, so I won't create or
append a module to selinux-policy-targeted, but I'll try to find out why
SELinux is angry.

If you find something, please let me know.
Thanks

Zdenek
Comment 5 Stefan Becker 2007-11-22 15:07:46 EST
Would it help to "chcon" the script to a context that acpid is allowed to
execute? What security context should acpid action/event scripts have? The
examples from the acpid package have:

-rw-r--r-- 1 system_u:object_r:etc_t:s0       root root  233 2007-10-23 19:12
power.conf
-rw-r--r-- 1 system_u:object_r:etc_t:s0       root root  236 2007-10-23 19:12
video.conf
Comment 6 Stefan Becker 2007-11-23 08:42:35 EST
I now copied the script to

# ls --lcontext /etc/acpi/actions/
-rwxr-xr-x 1 system_u:object_r:etc_t:s0       root root 651 2007-11-23 15:32
ibm-wireless.sh

and updated the acpid. Still the same SELinux warning. So that didn't help.

I also changed the ifconfig line in the script to

  ifconfig >/dev/null 2>&1 $device down

and that also didn't help.

So the gist of the problem seems to be that you can't run "ifconfig" in the
security context of acpid.
Comment 7 Zdenek Prikryl 2007-11-23 09:21:42 EST
I found a bug in the control of sockets. A script/ifconfig inherits all open
file descriptors, including file descriptors from sockets. So that is the
reason why SELinux complains. Those file descriptors shouldn't be inherited.
I fixed it in rawhide and it will be in the F8 repo soon.

Zdenek
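
An added example, not acpid's code and not the patch from this bug: it shows a unix stream socket surviving fork+exec into a child and the same socket being closed once FD_CLOEXEC is set. The helper names are hypothetical, a socketpair stands in for the daemon's client socket, and /bin/sh stands in for the event script; it assumes Linux with /proc mounted.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec, preserving any other descriptor flags. */
static int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* fork+exec a shell (standing in for the event script) and ask it whether
 * fd is open there: 1 if inherited, 0 if not, -1 on error. Needs /proc. */
static int fd_survives_exec(int fd)
{
    char cmd[64];
    int status;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        snprintf(cmd, sizeof cmd, "[ -e /proc/self/fd/%d ]", fd);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                      /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 127 ? -1 : WEXITSTATUS(status) == 0;
}

/* Constructed scenario: a daemon-side unix stream socket, with or without the flag. */
static int socket_leaks_to_child(int apply_fix)
{
    int sv[2], inherited = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;
    if (!apply_fix || (set_cloexec(sv[0]) == 0 && set_cloexec(sv[1]) == 0))
        inherited = fd_survives_exec(sv[0]);
    close(sv[0]);
    close(sv[1]);
    return inherited;
}

int main(void)
{
    printf("no flag: %d, FD_CLOEXEC: %d\n", socket_leaks_to_child(0), socket_leaks_to_child(1));
    return 0;
}
```

When the descriptor is inherited, the exec'd program runs in its own SELinux domain while holding a socket labelled with the daemon's domain, which is the combination the AVC denial above reports.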
Comment 8 Stefan Becker 2007-11-24 05:37:19 EST
Retested with acpid-1.0.6-4.fc8 from koji: no more SELinux warnings.

Thanks!
Comment 9 Fedora Update System 2007-11-26 13:53:38 EST
acpid-1.0.6-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
