Bug 438189 - SELinux is preventing the modprobe from using potentially mislabeled files (/tmp/iptables.DJg2FA).
SELinux is preventing the modprobe from using potentially mislabeled files (/...
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: iptables (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Thomas Woerner
Fedora Extras Quality Assurance
: SELinux
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-03-19 12:31 EDT by Matěj Cepl
Modified: 2008-03-20 12:36 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-03-20 12:36:45 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Script to generate iptables (2.31 KB, application/x-shellscript)
2008-03-19 18:49 EDT, Matěj Cepl
no flags Details

  None (edit)
Description Matěj Cepl 2008-03-19 12:31:41 EDT
Description of problem:


Summary:

SELinux is preventing the modprobe from using potentially mislabeled files
(/tmp/iptables.DJg2FA).

Detailed Description:

SELinux has denied modprobe access to potentially mislabeled file(s)
(/tmp/iptables.DJg2FA). This means that SELinux will not allow modprobe to use
these files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want modprobe to access this files, you need to relabel them using
restorecon -v '/tmp/iptables.DJg2FA'. You might want to relabel the entire
directory using restorecon -R -v '/tmp'.

Additional Information:

Source Context                unconfined_u:system_r:insmod_t
Target Context                unconfined_u:object_r:initrc_tmp_t
Target Objects                /tmp/iptables.DJg2FA [ file ]
Source                        modprobe
Source Path                   /sbin/modprobe
Port                          <Unknown>
Host                          hubmaier.ceplovi.cz
Source RPM Packages           module-init-tools-3.4-2.fc8
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-17.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz
                              2.6.25-0.121.rc5.git4.fc9 #1 SMP Fri Mar 14
                              22:50:25 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 17 Mar 2008 17:58:03 CET
Last Seen                     Mon 17 Mar 2008 17:58:03 CET
Local ID                      80579923-7317-4d4a-9622-92f6b4fe6435
Line Numbers                  

Raw Audit Messages            

host=hubmaier.ceplovi.cz type=AVC msg=audit(1205773083.373:640): avc:  denied  {
write } for  pid=18726 comm="modprobe" path="/tmp/iptables.DJg2FA" dev=dm-1
ino=65587 scontext=unconfined_u:system_r:insmod_t:s0
tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file

host=hubmaier.ceplovi.cz type=AVC msg=audit(1205773083.373:640): avc:  denied  {
read } for  pid=18726 comm="modprobe" path="/proc/18725/net/ip_tables_names"
dev=proc ino=4026532219 scontext=unconfined_u:system_r:insmod_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file

host=hubmaier.ceplovi.cz type=AVC msg=audit(1205773083.373:640): avc:  denied  {
read write } for  pid=18726 comm="modprobe" path="socket:[261495]" dev=sockfs
ino=261495 scontext=unconfined_u:system_r:insmod_t:s0
tcontext=unconfined_u:system_r:iptables_t:s0 tclass=rawip_socket

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1205773083.373:640):
arch=c000003e syscall=59 success=yes exit=0 a0=d17f70 a1=7fff032797d0
a2=7fff0327a098 a3=7ff8fb25b810 items=0 ppid=18725 pid=18726 auid=500 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11
comm="modprobe" exe="/sbin/modprobe" subj=unconfined_u:system_r:insmod_t:s0
key=(null)

Version-Release number of selected component (if applicable):
iptables-1.4.0-3.fc9.x86_64
module-init-tools-3.4-2.fc8.x86_64
selinux-policy-targeted-3.3.1-17.fc9.noarch
Comment 1 Thomas Woerner 2008-03-19 12:39:44 EDT
Why are you using a file in /tmp with iptables? What kind of file is
/tmp/iptables.DJg2FA?
Comment 2 Daniel Walsh 2008-03-19 14:17:55 EDT
Also looks like iptables is leaking file descriptor to
/proc/18725/net/ip_tables_names and rawip_socket

fcntl(fd, F_SETFD, FD_CLOSEXEC)
Comment 3 Matěj Cepl 2008-03-19 15:48:58 EDT
(In reply to comment #1)
> Why are you using a file in /tmp with iptables? What kind of file is
> /tmp/iptables.DJg2FA?

I am sorry, but I have no idea, what kind of file it is. And now it is gone, so
I cannot even take a look at it.
Comment 4 Daniel Walsh 2008-03-19 16:21:32 EDT
I think it is also a leaked file descriptor or a redirection of stdout to a log
file in /tmp.

Are you using some tool to configure iptables that could be causing this error?
Comment 5 Matěj Cepl 2008-03-19 18:49:34 EDT
Created attachment 298605 [details]
Script to generate iptables

(In reply to comment #4)
> Are you using some tool to configure iptables that could be causing this
error?

No, just this script
Comment 6 Daniel Walsh 2008-03-20 09:27:52 EDT
But do you have this script directing output to a /tmp file?
Comment 7 Thomas Woerner 2008-03-20 09:49:46 EDT
"service iptables save" is writing to a temporary file in /tmp, which will be
copied to /etc/sysconfig/iptables after successful generation before it gets
removed. The file in /tmp is only used for this.
Comment 8 Daniel Walsh 2008-03-20 12:08:49 EDT
So this is a redirection of stdout for modutils to the tmp file.  I will allow
this in selinux-policy-3.3.1-22.fc9.src.rpm

Leaked file descriptor should be fixed.
Comment 9 Thomas Woerner 2008-03-20 12:36:45 EDT
You do not need to change selinux-policy. Using O_CLOEXEC on all opened files is
solving the problem for me completely.

Fixed in rawhide in package iptables-1.4.0-4.fc9.

Note You need to log in before you can comment on or make changes to this bug.