Bug 461059 - SELinux is preventing hostname (hostname_t) "read" to /var/lib/dhclient/dhclient-eth0.leases (dhcpc_state_t). and SELinux is preventing ifconfig (ifconfig_t) "read" to /var/lib/dhclient/dhclient-eth0.leases (dhcpc_state_t).
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: dhcp
Version: rawhide
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: David Cantrell
QA Contact: Fedora Extras Quality Assurance
Keywords: Patch, SELinux
Reported: 2008-09-03 17:28 EDT by Matěj Cepl
Modified: 2008-09-25 22:59 EDT (History)
CC: 4 users

Doc Type: Bug Fix
Last Closed: 2008-09-25 22:59:08 EDT

Attachments:
/var/log/audit/audit.log (3.20 MB, text/plain), 2008-09-03 17:28 EDT, Matěj Cepl
dhcp-4.0.0-FD_CLOEXEC.patch (3.62 KB, patch), 2008-09-16 20:34 EDT, David Cantrell

Description Matěj Cepl 2008-09-03 17:28:58 EDT
Created attachment 315696
/var/log/audit/audit.log

I have two SELinux alerts (each happened once). I have checked restorecon on the given file, but there was no change.


Summary:

SELinux is preventing hostname (hostname_t) "read" to /var/lib/dhclient/dhclient-eth0.leases (dhcpc_state_t).

Detailed Description:

[SELinux is in permissive mode; the operation would have been denied but was
allowed because of permissive mode.]

SELinux denied access requested by hostname. It is not expected that this access
is required by hostname and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/lib/dhclient/dhclient-eth0.leases,

restorecon -v '/var/lib/dhclient/dhclient-eth0.leases'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:hostname_t
Target Context                system_u:object_r:dhcpc_state_t
Target Objects                /var/lib/dhclient/dhclient-eth0.leases [ file ]
Source                        hostname
Source Path                   /bin/hostname
Port                          <Unknown>
Host                          viklef
Source RPM Packages           net-tools-1.60-87.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-84.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     viklef
Platform                      Linux viklef 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug
                              4 14:08:11 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 3 September 2008, 11:17:13 CEST
Last Seen                     Wed 3 September 2008, 11:17:13 CEST
Local ID                      cacd28f1-978f-410e-b0b6-6d3f816a3260
Line Numbers                  

Raw Audit Messages            

host=viklef type=AVC msg=audit(1220433433.72:29): avc:  denied  { read } for  pid=3139 comm="hostname" path="/var/lib/dhclient/dhclient-eth0.leases" dev=dm-0 ino=1275568 scontext=unconfined_u:system_r:hostname_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file

host=viklef type=SYSCALL msg=audit(1220433433.72:29): arch=40000003 syscall=11 success=yes exit=0 a0=87a47d0 a1=87a5650 a2=877de28 a3=0 items=0 ppid=3101 pid=3139 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="hostname" exe="/bin/hostname" subj=unconfined_u:system_r:hostname_t:s0 key=(null)
==========================================================================

Summary:

SELinux is preventing ifconfig (ifconfig_t) "read" to /var/lib/dhclient/dhclient-eth0.leases (dhcpc_state_t).

Detailed Description:

[SELinux is in permissive mode; the operation would have been denied but was
allowed because of permissive mode.]

SELinux denied access requested by ifconfig. It is not expected that this access
is required by ifconfig and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/lib/dhclient/dhclient-eth0.leases,

restorecon -v '/var/lib/dhclient/dhclient-eth0.leases'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:ifconfig_t
Target Context                system_u:object_r:dhcpc_state_t
Target Objects                /var/lib/dhclient/dhclient-eth0.leases [ file ]
Source                        ifconfig
Source Path                   /sbin/ifconfig
Port                          <Unknown>
Host                          viklef
Source RPM Packages           net-tools-1.60-87.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-84.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     viklef
Platform                      Linux viklef 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug
                              4 14:08:11 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 3 September 2008, 11:17:11 CEST
Last Seen                     Wed 3 September 2008, 11:17:11 CEST
Local ID                      2aff34fa-3f01-4097-8d1b-2e4437e47bd4
Line Numbers                  

Raw Audit Messages            

host=viklef type=AVC msg=audit(1220433431.18:28): avc:  denied  { read } for  pid=3100 comm="ifconfig" path="/var/lib/dhclient/dhclient-eth0.leases" dev=dm-0 ino=1275568 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file

host=viklef type=SYSCALL msg=audit(1220433431.18:28): arch=40000003 syscall=11 success=yes exit=0 a0=9147520 a1=91473c0 a2=912d5e8 a3=0 items=0 ppid=3073 pid=3100 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="ifconfig" exe="/sbin/ifconfig" subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
Comment 1 Daniel Walsh 2008-09-03 18:00:34 EDT
This is a leaked file descriptor to /var/lib/dhclient/dhclient-eth0.leases 

Please close open file descriptors before execing apps.

fcntl(fd, F_SETFD, FD_CLOEXEC)
Comment 2 Zdenek Prikryl 2008-09-09 03:51:25 EDT
Since /var/lib/dhclient/dhclient-eth0.leases is created by dhclient, it seems that the bug isn't in hostname nor in ifconfig, but it is in dhclient. So, I'm reassigning this to dhcp package.
Comment 3 David Cantrell 2008-09-16 20:34:15 EDT
Created attachment 316916
dhcp-4.0.0-FD_CLOEXEC.patch
Comment 4 David Cantrell 2008-09-16 20:36:16 EDT
This bug keeps getting filed in rawhide and I don't know what I'm doing wrong in dhclient.  I've set every dhclient-INTERFACE.leases file descriptor to include FD_CLOEXEC, so I don't know what I'm missing.

I do F_GETFD, |= FD_CLOEXEC to it, then F_SETFD.  Is this correct for selinux?
Comment 5 Daniel Walsh 2008-09-18 16:37:45 EDT
You need to do this before the fork I believe,  Why not do it as soon as the file is opened?
Comment 6 David Cantrell 2008-09-18 16:44:56 EDT
(In reply to comment #5)
> You need to do this before the fork I believe,  Why not do it as soon as the
> file is opened?

That's what I'm doing.  Setting FD_CLOEXEC right when the files are opened.
Comment 7 Daniel Walsh 2008-09-18 16:48:45 EDT
Then it should work.  You could check by listing ls -l /proc/self/fd in the script to see what is open.
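The leak-and-fix sequence discussed in comments 1 through 7, as an added example that is not dhclient's code and not the attached patch. It opens a scratch lease file, either plain or with the F_GETFD / |= FD_CLOEXEC / F_SETFD sequence from comment 4, then forks and execs /bin/sh in the role of dhclient-script and has the exec'd child probe its own descriptor table (the same check as listing /proc/self/fd in comment 7, done as a shell redirection test so it does not depend on /proc). Assumptions: a writable /tmp and a POSIX /bin/sh; the function names and the scratch path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a lease file and, if requested, mark the descriptor close-on-exec
 * with the F_GETFD / F_SETFD sequence described in comment 4.
 * (Hypothetical stand-in for dhclient's open path, not its code.) */
int open_lease_file(const char *path, int set_cloexec)
{
    int fd = open(path, O_RDWR | O_CREAT | O_APPEND, 0644);
    if (fd < 0)
        return -1;
    if (set_cloexec) {
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
            int saved = errno;
            close(fd);
            errno = saved;
            return -1;
        }
    }
    return fd;
}

/* 1 if FD_CLOEXEC is set on fd, 0 if not, -1 on error. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Fork and exec a shell standing in for dhclient-script. The command
 * ": <&N" succeeds only if descriptor N is still open after the exec,
 * so the child's exit status tells us whether fd leaked.
 * Returns 1 if fd survived the exec (leaked), 0 if it was closed, -1 on error. */
int fd_leaks_across_exec(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, ": <&%d", fd);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                 /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Whole scenario: create a scratch lease file (constructed, not a real
 * lease), open it with or without FD_CLOEXEC, exec a child, and report
 * whether the descriptor leaked into it. */
int lease_fd_leak_demo(int set_cloexec)
{
    char path[] = "/tmp/dhclient-demo.leases.XXXXXX";
    int tmp = mkstemp(path);
    if (tmp < 0)
        return -1;
    close(tmp);

    int fd = open_lease_file(path, set_cloexec);
    int leaked = fd < 0 ? -1 : fd_leaks_across_exec(fd);
    if (fd >= 0)
        close(fd);
    unlink(path);
    return leaked;
}

int main(void)
{
    printf("without FD_CLOEXEC: leaked=%d\n", lease_fd_leak_demo(0));
    printf("with FD_CLOEXEC:    leaked=%d\n", lease_fd_leak_demo(1));
    return 0;
}
```

Two points the example makes concrete. First, fork() copies descriptor flags, so setting FD_CLOEXEC when the file is opened, before any fork, is enough: it is execve, not fork, that closes the descriptor. Second, the denials in this bug are logged with syscall=11 (execve on i386) and comm=hostname / comm=ifconfig because SELinux revalidates every inherited open descriptor against the new domain at exec time; the file was opened by dhclient, but the domain being checked is the one the child is transitioning into, which is why the alerts blame net-tools rather than dhcp. On the kernel in this report (2.6.25) open(2) also accepts O_CLOEXEC, which sets the flag atomically and avoids the window between open() and fcntl() in a multithreaded caller.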
Comment 8 David Cantrell 2008-09-25 22:59:08 EDT
This should be working with the latest dhclient package in rawhide.
