This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 454874 - `iproute monitor` triggers AVC denial
`iproute monitor` triggers AVC denial
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
9
i386 Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-07-10 10:03 EDT by Vasile Gaburici
Modified: 2008-07-17 08:43 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-07-17 08:43:34 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vasile Gaburici 2008-07-10 10:03:27 EDT
Description of problem:
I run `iproute monitor link route` from a 3rd party script. This triggers AVC
denials like:

SELinux is preventing ip (ifconfig_t) "read write" to socket (initrc_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by ip. It is not expected that this access is
required by ip and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:ifconfig_t:s0
Target Context                system_u:system_r:initrc_t:s0
Target Objects                socket [ unix_dgram_socket ]
Source                        ip
Source Path                   /sbin/ip
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           iproute-2.6.25-1.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-74.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25.9-76.fc9.i686
                              #1 SMP Fri Jun 27 16:14:35 EDT 2008 i686 athlon
Alert Count                   290
First Seen                    Wed 11 Jun 2008 08:55:38 AM EEST
Last Seen                     Thu 10 Jul 2008 04:46:21 PM EEST
Local ID                      31befb0d-228e-4d96-b76a-28dd908da12a
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1215697581.100:886): avc:  denied
 { read write } for  pid=7029 comm="ip" path="socket:[8326]" dev=sockfs ino=8326
scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0
tclass=unix_dgram_socket

host=localhost.localdomain type=SYSCALL msg=audit(1215697581.100:886):
arch=40000003 syscall=11 success=yes exit=0 a0=9caff38 a1=9cb01b8 a2=9caf398
a3=0 items=0 ppid=7028 pid=7029 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/sbin/ip"
subj=system_u:system_r:ifconfig_t:s0 key=(null)

Version-Release number of selected component (if applicable):
See AVC message.

How reproducible:
Always.

Steps to Reproduce:
1. run `iproute monitor link route`
  
Actual results:
AVC denials.

Expected results:
No AVC denials since 'monitor' is a useful feature of iproute.

Additional info:
Fix by adding this to the policy
allow ifconfig_t initrc_t:unix_dgram_socket { read write };
Comment 1 Marcela Mašláňová 2008-07-17 05:58:29 EDT
I can't reproduce unknown 3rd party script.

The policy should be fixed in selinux-policy.
Comment 2 Vasile Gaburici 2008-07-17 07:49:15 EDT
(In reply to comment #1)
> I can't reproduce unknown 3rd party script.
> 
> The policy should be fixed in selinux-policy.

I'm not sure I follow you. Are you saying that running `iproute monitor link`
ought to be unsupported in selinux-policy because no Fedora script uses it?
Comment 3 Daniel Walsh 2008-07-17 08:43:34 EDT
This is most likely a leaked file descriptor in your third party app.  I am sure
iproute does not want to use a unix_dgram_socket owned by the parent
application.  The tool that you are using should close its file descriptors on exec.

fctntl(fd, F_SETFD, FD_CLOSEXEC)

You can allow this if you want by executing

# grep ifconfig /var/log/audit/audit.log | audit2allow -M myifconfig
# semodule -i myifconfig.pp

Note You need to log in before you can comment on or make changes to this bug.