Description of problem:
I run `iproute monitor link route` from a 3rd party script. This triggers AVC denials like:

SELinux is preventing ip (ifconfig_t) "read write" to socket (initrc_t).

Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by ip. It is not expected that this access is required by ip and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:ifconfig_t:s0
Target Context                system_u:system_r:initrc_t:s0
Target Objects                socket [ unix_dgram_socket ]
Source                        ip
Source Path                   /sbin/ip
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           iproute-2.6.25-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-74.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25.9-76.fc9.i686 #1 SMP Fri Jun 27 16:14:35 EDT 2008 i686 athlon
Alert Count                   290
First Seen                    Wed 11 Jun 2008 08:55:38 AM EEST
Last Seen                     Thu 10 Jul 2008 04:46:21 PM EEST
Local ID                      31befb0d-228e-4d96-b76a-28dd908da12a
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1215697581.100:886): avc: denied { read write } for pid=7029 comm="ip" path="socket:[8326]" dev=sockfs ino=8326 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket

host=localhost.localdomain type=SYSCALL msg=audit(1215697581.100:886): arch=40000003 syscall=11 success=yes exit=0 a0=9caff38 a1=9cb01b8 a2=9caf398 a3=0 items=0 ppid=7028 pid=7029 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)

Version-Release number of selected component (if applicable):
See AVC message.

How reproducible:
Always.

Steps to Reproduce:
1. run `iproute monitor link route`

Actual results:
AVC denials.

Expected results:
No AVC denials since 'monitor' is a useful feature of iproute.

Additional info:
Fix by adding this to the policy

allow ifconfig_t initrc_t:unix_dgram_socket { read write };
I can't reproduce unknown 3rd party script. The policy should be fixed in selinux-policy.
(In reply to comment #1)
> I can't reproduce unknown 3rd party script.
>
> The policy should be fixed in selinux-policy.

I'm not sure I follow you. Are you saying that running `iproute monitor link` ought to be unsupported in selinux-policy because no Fedora script uses it?
This is most likely a leaked file descriptor in your third party app. I am sure iproute does not want to use a unix_dgram_socket owned by the parent application. The tool that you are using should close its file descriptors on exec.

fcntl(fd, F_SETFD, FD_CLOEXEC)

You can allow this if you want by executing

# grep ifconfig /var/log/audit/audit.log | audit2allow -M myifconfig
# semodule -i myifconfig.pp
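The leak described in the comment above, reproduced and then fixed, as an added example that is not part of the bug report or of iproute. It opens a unix_dgram_socket (the object class in the AVC record), forks and execs /bin/sh, and has the exec'd image report whether the descriptor is still open; then it sets FD_CLOEXEC with fcntl() and repeats the check. The check assumes Linux with /proc mounted and a POSIX /bin/sh; the function names and the use of `test -L /proc/self/fd/<fd>` as the probe are this example's own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open an unnamed AF_UNIX datagram socket: the same object class
 * (unix_dgram_socket) that `ip` inherited in the AVC record above. */
int make_unix_dgram_socket(void)
{
    return socket(AF_UNIX, SOCK_DGRAM, 0);
}

/* Mark fd close-on-exec without clobbering any other FD flags.
 * This is the fix the comment recommends. Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Fork, exec /bin/sh, and ask the exec'd image whether fd is still open by
 * testing for its /proc/self/fd/<fd> entry (assumption: Linux, /proc mounted).
 * Returns 1 if the descriptor survived execve(), 0 if it did not, -1 on error. */
int fd_survives_exec(int fd)
{
    char script[64];
    int status;
    pid_t pid;

    snprintf(script, sizeof script, "test -L /proc/self/fd/%d", fd);

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127); /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 0:  return 1;  /* test -L succeeded: the fd leaked into the child */
    case 1:  return 0;  /* test -L failed: execve() closed the fd */
    default: return -1; /* no /bin/sh or other failure */
    }
}

/* Show the leak, apply the fix, show it is gone. Returns 0 if the fix worked. */
int leak_demo(void)
{
    int fd = make_unix_dgram_socket();
    if (fd < 0)
        return -1;

    int before = fd_survives_exec(fd);  /* 1: inherited, like ip's socket:[8326] */
    int rc = set_cloexec(fd);
    int after = fd_survives_exec(fd);   /* 0: closed during execve() */

    printf("fd %d open in exec'd child: before fix=%d, after fix=%d\n",
           fd, before, after);
    close(fd);
    return (before == 1 && rc == 0 && after == 0) ? 0 : -1;
}

int main(void)
{
    return leak_demo() == 0 ? 0 : 1;
}
```

The first probe is what the AVC shows: a socket created in the parent's domain (initrc_t) is still open inside the exec'd ip (ifconfig_t), and the first read or write on it is what the policy denies. Once the descriptor carries FD_CLOEXEC it never reaches the child, so the audit2allow rule in the comment is not needed; that rule would grant every ifconfig_t process access to initrc_t datagram sockets just to paper over one caller's leak.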