Bug 452765 - SELinux is preventing iptables (iptables_t) "read write" to /proc/xen/privcmd
Status: CLOSED INSUFFICIENT_DATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: xen
Version: 5.2
Platform: All Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: 5.6
Assigned To: Xen Maintainance List
QA Contact: Virtualization Bugs
Blocks: 514500
Reported: 2008-06-24 17:33 EDT by Martin Jürgens
Modified: 2010-10-20 07:15 EDT
Doc Type: Bug Fix
Last Closed: 2010-10-20 07:15:40 EDT

Attachments: None
Description Martin Jürgens 2008-06-24 17:33:00 EDT
Description of problem:
I have a Xen guest running. Sometimes, this SELinux warning appears:
Quellkontext                  system_u:system_r:iptables_t
Zielkontext                   system_u:object_r:proc_xen_t
Zielobjekte                   /proc/xen/privcmd [ file ]
Source                        iptables
Source Path                   /sbin/iptables
Port                          <Unbekannt>
Host                          85-10-1xx-51.clients.your-server.de
Source RPM Packages           iptables-1.3.5-4.el5
Target RPM Packages           
RPM-Richtlinie                selinux-policy-2.4.6-137.el5
SELinux aktiviert             True
Richtlinienversion            targeted
MLS aktiviert                 True
Enforcing-Modus               Enforcing
Plugin-Name                   catchall_file
Hostname                      85-10-1xx-51.clients.your-server.de
Plattform                     Linux 85-10-1xx-51.clients.your-server.de
                              2.6.18-92.1.1.el5xen #1 SMP Sat Jun 21 19:21:20
                              EDT 2008 x86_64 x86_64
Anzahl der Alarme             62
Zuerst gesehen                Di 24 Jun 2008 18:03:49 CEST
Zuletzt gesehen               Di 24 Jun 2008 23:29:05 CEST
Lokale ID                     1c22a36f-58ad-4a29-9a94-c7e01f11d8e6
Zeilennummern                 

Raw-Audit-Meldungen           

host=85-10-1xx-51.clients.your-server.de type=AVC msg=audit(1214342945.590:153):
avc:  denied  { read write } for  pid=8880 comm="iptables"
path="/proc/xen/privcmd" dev=proc ino=4026533346
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:proc_xen_t:s0 tclass=file

host=85-10-1xx-51.clients.your-server.de type=AVC msg=audit(1214342945.590:153):
avc:  denied  { read write } for  pid=8880 comm="iptables"
path="/proc/xen/privcmd" dev=proc ino=4026533346
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:proc_xen_t:s0 tclass=file

host=85-10-1xx-51.clients.your-server.de type=SYSCALL
msg=audit(1214342945.590:153): arch=c000003e syscall=59 success=yes exit=0
a0=2e7c170 a1=2e7bd90 a2=7fffe86c0440 a3=0 items=0 ppid=2307 pid=8880
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables"
subj=system_u:system_r:iptables_t:s0 key=(null)
Comment 1 Subhendu Ghosh 2009-03-25 12:23:06 EDT
Reassigning to selinux-policy-targeted
Comment 2 Daniel Walsh 2009-03-25 12:56:43 EDT
This is not a selinux-policy problem.

This is a leaked file descriptor in xen.  iptables is not looking at /proc/xen/privcmd,  xend is and is leaking this when it executes iptables.

It should close fd's when it executes other apps.

fcntl(fd, F_SETFD, FD_CLOEXEC);

Martin,

You can write custom policy to make this error disappear by executing

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp
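Daniel Walsh's diagnosis in comment 2, shown as an added, constructed example (not code from the bug report or from xen): a parent holds a file open, forks and execs a shell, and the child probes whether the inherited descriptor survived the exec; the `fcntl(fd, F_SETFD, FD_CLOEXEC)` call from the comment is what stops the leak. /dev/null stands in for /proc/xen/privcmd and /bin/sh for /sbin/iptables, both assumptions made so the code runs outside a Xen dom0.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Constructed demonstration of the descriptor leak diagnosed in comment 2.
 * The parent plays xend: it holds a file open, then forks and execs another
 * program (/bin/sh standing in for /sbin/iptables). Unless the descriptor is
 * marked close-on-exec, the child inherits a handle it never asked for, and
 * any access check on that handle is charged to the child's SELinux domain
 * (iptables_t in the AVC above). /dev/null stands in for /proc/xen/privcmd.
 *
 * Returns 1 if the descriptor leaked into the child, 0 if execve() closed it,
 * -1 on error.
 */
int leaks_across_exec(const char *path, int use_cloexec)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;

    /* The fix from comment 2: with FD_CLOEXEC set, execve() drops the fd.
       (Linux 2.6.23+ also accepts O_CLOEXEC in open(); the 2.6.18 kernel in
       this report predates it, so fcntl() after open() is the portable way.) */
    if (use_cloexec && fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) {
        close(fd);
        return -1;
    }

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        /* Child: "cat <&N" runs only if fd N is still open after exec; if
           exec closed it, the redirection fails and sh exits non-zero. */
        char cmd[64];
        snprintf(cmd, sizeof cmd, "cat 2>/dev/null <&%d >/dev/null", fd);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }

    close(fd); /* the parent's own copy is closed once it is no longer needed */
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}
```

Calling `leaks_across_exec("/dev/null", 0)` returns 1 (the child can still read the inherited descriptor) and `leaks_across_exec("/dev/null", 1)` returns 0, which is the behaviour the comment asks xend to have.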
Comment 4 Miroslav Rezanina 2010-10-20 03:28:35 EDT
Hi Martin,
Can you write down some situation when the message appears? I'm not able to reproduce it.
Comment 5 Martin Jürgens 2010-10-20 06:32:10 EDT
Sorry, can't remember. Using KVM now :(
Comment 6 Miroslav Rezanina 2010-10-20 07:15:40 EDT
As there's no known scenario for this problem, closing this bz. If you reproduce it, feel free to reopen it.