Bug 426658 - SELinux prevents ifconfig from accessing socket
SELinux prevents ifconfig from accessing socket
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: dhcp (Show other bugs)
8
All Linux
low Severity low
: ---
: ---
Assigned To: David Cantrell
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-12-23 18:34 EST by condor
Modified: 2008-08-06 16:01 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-08-06 16:01:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description condor 2007-12-23 18:34:59 EST
Exact version numbers are net-tools-1.60-84.fc8, selinux-policy-3.0.8-44.fc8.
The socket is described as "socket [ unix_stream_socket ]". Platform
information: "2.6.23.1-42.fc8 #1 SMP".

The raw audit message is

avc: denied { read write } for comm=ifconfig dev=sockfs egid=0 euid=0
exe=/sbin/ifconfig exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=socket:[153815]
pid=10618 scontext=system_u:system_r:ifconfig_t:s0 sgid=0
subj=system_u:system_r:ifconfig_t:s0 suid=0 tclass=unix_stream_socket
tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=0


Sorry, just found it in the logs - no clue how to reproduce. Hope you can though
turn it to account.
Comment 1 condor 2007-12-24 04:08:44 EST
Okay, I can always reproduce the error by just connecting to my wireless network
via the "Wireless Assistant 0.5.7". It goes along with denials for dhclient,
dhclient-script, consoletype, gawk and restorecon.
Comment 2 Daniel Walsh 2008-01-03 09:45:24 EST
This looks like a leaked file descriptor in wireless assistant.  Please make
sure all open file descriptors are closed on exec.

fcntl(fd, F_SETFD, FD_CLOEXEC)

Comment 3 Tom "spot" Callaway 2008-01-03 10:12:43 EST
Dan, I'm pretty sure wlassistant is doing this correctly. The only file
descriptors being opened are in src/watools.cpp, and this is what the code looks
like:

        int flags;
        flags = fcntl(iw_socket, F_GETFD);
        if (flags == -1)
                return 0;
        flags |= FD_CLOEXEC;
        if (fcntl(iw_socket, F_SETFD, flags) == -1)
                return 0;
        if (iw_socket<0)
                return 0;

Unless that first fcntl call also needs an FD_CLOEXEC, I'm not sure where we'd
be leaking.
Comment 4 Daniel Walsh 2008-01-04 09:13:07 EST
What version of wlassistant are you running?

Please yum upgrade your system to the latest selinux policy and wlassistant.
Comment 5 condor 2008-01-04 09:34:58 EST
yum didn't upgrade wlassistant or selinux policies. Version number is still
wlassistant 0.5.7.
Comment 6 Daniel Walsh 2008-01-04 10:41:47 EST
What is the rpm version?

rpm -q selinux-policy wlassistant

I know there are newer version of selinux-policy then selinux-policy-3.0.8-44.fc8.
Comment 7 condor 2008-01-04 12:31:32 EST
Those are selinux-policy-3.0.8-72.fc8 and wlassistant-0.5.7-4.fc8.
Comment 8 Daniel Walsh 2008-01-04 15:33:28 EST
Could you use lsof to see what is listening on this daemon
socket:[153815]

To see if wlassistant is the problem. 

BTW this is not a problem from a security point of view.  SELinux is closing the
descriptor, when it execs other apps.  Just an annoyance.
Comment 9 condor 2008-01-04 20:00:51 EST
Okay. I saw that the audit message above isn't the only one generated on
connect. I'll post from the audit.log:

type=AVC msg=audit(1199494649.269:42): avc:  denied  { write } for  pid=4336
comm="dhclient" path="socket:[36634]" dev=sockfs ino=36634
scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:unconfined_t:s0
tclass=unix_stream_socket
type=AVC msg=audit(1199494649.353:43): avc:  denied  { ioctl } for  pid=4337
comm="dhclient-script" path="socket:[36631]" dev=sockfs ino=36631
scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:unconfined_t:s0
tclass=unix_stream_socket
type=AVC msg=audit(1199494649.362:44): avc:  denied  { read write } for 
pid=4339 comm="consoletype" path="socket:[36631]" dev=sockfs ino=36631
scontext=system_u:system_r:consoletype_t:s0
tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1199494649.364:45): avc:  denied  { getattr } for  pid=4339
comm="consoletype" path="socket:[36631]" dev=sockfs ino=36631
scontext=system_u:system_r:consoletype_t:s0
tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1199494649.365:46): avc:  denied  { ioctl } for  pid=4339
comm="consoletype" path="socket:[36631]" dev=sockfs ino=36631
scontext=system_u:system_r:consoletype_t:s0
tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1199494649.398:47): avc:  denied  { getattr } for  pid=4351
comm="awk" path="socket:[36634]" dev=sockfs ino=36634
scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:unconfined_t:s0
tclass=unix_stream_socket
type=AVC msg=audit(1199494649.418:48): avc:  denied  { read write } for 
pid=4371 comm="restorecon" path="socket:[36631]" dev=sockfs ino=36631
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1199494649.582:49): avc:  denied  { read write } for 
pid=4374 comm="ifconfig" path="socket:[36631]" dev=sockfs ino=36631
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1199494653.204:50): avc:  denied  { read } for  pid=4382
comm="dhclient" path="socket:[36772]" dev=sockfs ino=36772
scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:unconfined_t:s0
tclass=unix_stream_socket

The sockets opened by wlassistant BEFORE connection are:

wlassista 3497      root    3u     unix 0xdd12d1c0               23034 socket
wlassista 3497      root    8u     unix 0xd8671000               23126 socket

And after the connection:

wlassista 3497      root    3u     unix 0xdd12d1c0               23034 socket
wlassista 3497      root    8u     unix 0xd8671000               23126 socket
wlassista 3497      root   11u     unix 0xdcceac40               36705 socket
wlassista 3497      root   12u     unix 0xdccea1c0               36706 socket
wlassista 3497      root   14u     unix 0xdee8ca80               36708 socket
wlassista 3497      root   18u     unix 0xdd3d1700               36638 socket
wlassista 3497      root   19u     unix 0xdd3d1c40               36639 socket


Sorry (by the way) for mentioning those other audit messages so late... :( Must
have been late when I reported the bug...
Comment 10 condor 2008-01-04 20:04:42 EST
Ah, just in case you want to know. Looked for the sockets reported in those
audit messages. (36631, 36634 and 36772, as far as I see.) I can only find

dhclient  4466      root   10u     unix 0xf73191c0               36772 socket
Comment 11 Daniel Walsh 2008-01-08 14:44:42 EST
Well it is definitely a leaked file descriptor. Looks like dhclient might be the
culpret.
Comment 12 David Cantrell 2008-08-06 16:01:19 EDT
Not seeing this anymore in F-9 or rawhide.

Note You need to log in before you can comment on or make changes to this bug.