Bug 469423 - ip addrlabel show doesn't work
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: kernel
Version: 9
Hardware: x86_64
OS: Linux
Assignee: James Morris
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-10-31 18:56 UTC by Maciej Żenczykowski
Modified: 2008-12-10 04:36 UTC
Doc Type: Bug Fix
Last Closed: 2008-12-03 01:27:10 UTC

Description Maciej Żenczykowski 2008-10-31 18:56:31 UTC
# /sbin/ip addrlabel show
Cannot send dump request: Invalid argument

# file /sbin/ip
/sbin/ip: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked  (uses shared libs), for GNU/Linux 2.6.9, stripped

# rpm -q --whatprovides /sbin/ip
iproute-2.6.25-1.fc9.x86_64

# uname -a
Linux zeus.lan 2.6.27.4-19.fc9.x86_64 #1 SMP Thu Oct 30 19:30:01 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux

Kernel from koji, same behaviour with previous 2.6.26.7-86.fc9.x86_64 kernel from koji.
Unsure of whether the problem is iproute2 or the kernel here, and whether it is x86_64 specific...

Comment 1 Marcela Mašláňová 2008-11-03 07:58:00 UTC
# ip addrlabel help
Usage: ip addrlabel [ list | add | del | flush ] prefix PREFIX [ dev DEV ] [ label LABEL ]

addrlabel doesn't use show, but if I try
# ip addrlabel list
Cannot send dump request: Invalid argument
or
# ip addrlabel list dev eth0
"ip addrlabel show" does not take any arguments.

There will be some bug in parsing commands. I'll check it.

Comment 2 Marcela Mašláňová 2008-11-04 15:10:31 UTC
It seems to me the whole addrlabel doesn't work. This reproducer fails for me in the second step with "Cannot talk to rtnetlink: Invalid argument"

Destination: 2001::3
Candidate Source Addresses: 2001::1(deprecated) and 2001::2

1. Setup source address as specified above.
   Eg:
       #ip -6 addr add 2001::2 dev eth0
       #ip -6 addr add 2001::1 dev eth0 valid_lft 50000 preferred_lft 0

2. Add these 3 IPs to the User Configuration Table with different label values.
   Eg:
       #ip addrlabel add prefix 2001::1 label 3
       #ip addrlabel add prefix 2001::2 label 4
       #ip addrlabel add prefix 2001::3 label 3

3. Add route to the destination address
       #ip -6 route add 2001::3 dev eth0

4. ping6 to the destination will pick up the ip address which is not deprecated. As "avoid deprecated" rule (#rule 3) is satisfied the "label rule" (#rule 6) is not used.

       #ping6 2001::3

Result : Src Address : 2001::2

Comment 3 Marcela Mašláňová 2008-11-04 15:32:52 UTC
OK, SELinux blocks those commands. Everything works as expected ;-)

type=SELINUX_ERR msg=audit(1225812551.758:877): SELinux:  unrecognized netlink message type=74 for sclass=43
type=SYSCALL msg=audit(1225812551.758:877): arch=c000003e syscall=44 success=yes exit=20 a0=3 a1=7fff98a52010 a2=14 a3=0 items=0 ppid=13000 pid=13980 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="ip" exe="/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Comment 4 Maciej Żenczykowski 2008-11-05 01:23:15 UTC
So, how do I use ip addrlabel?  What needs to get fixed?  The kernel?  The policies?  The utility?  All of them?

Comment 5 Marcela Mašláňová 2008-11-05 09:56:25 UTC
The problem is only in selinux-policy.
Attached here is the whole audit log.

type=SELINUX_ERR msg=audit(1225698822.073:42): SELinux:  unrecognized netlink message type=74 for sclass=43
type=SYSCALL msg=audit(1225698822.073:42): arch=c000003e syscall=44 success=no exit=-22 a0=3 a1=7fff0ddcb380 a2=14 a3=0 items=0 ppid=8622 pid=10954 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ip" exe="/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1225698833.299:43): SELinux:  unrecognized netlink message type=74 for sclass=43
type=SYSCALL msg=audit(1225698833.299:43): arch=c000003e syscall=44 success=no exit=-22 a0=3 a1=7fff6615a720 a2=14 a3=0 items=0 ppid=8622 pid=10970 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ip" exe="/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1225698889.556:44): SELinux:  unrecognized netlink message type=74 for sclass=43
type=SYSCALL msg=audit(1225698889.556:44): arch=c000003e syscall=44 success=yes exit=0 a0=3 a1=7fff155e3ba0 a2=14 a3=0 items=0 ppid=8622 pid=11504 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ip" exe="/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Comment 6 Milos Malik 2008-11-05 10:13:27 UTC
Reproduced on i386 and x86_64 machines (installed by RHTS) with RHEL5.3-Client-20081105.nightly.

type=SELINUX_ERR msg=audit(1225879810.745:18): SELinux:  unrecognized netlink message type=74 for sclass=43
type=SYSCALL msg=audit(1225879810.745:18): arch=c000003e syscall=44 success=no exit=-22 a0=3 a1=7fff79190750 a2=14 a3=0 items=0 ppid=4084 pid=4112 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/sbin/ip" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)

I think that it's related to selinux-policy or audit package.

Comment 7 Michal Schmidt 2008-11-05 11:18:46 UTC
Looks like a kernel issue to me. Specifically security/selinux/nlmsgtab.c:nlmsg_route_perms[] table is missing records for RTM_*ADDRLABEL netlink message types.
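
A triage sketch for the audit records quoted in this thread, added here as an example and not part of any comment or of the kernel patch: it pairs each SELINUX_ERR record with the SYSCALL record carrying the same audit event id and names the rtnetlink message type (72 to 74 are the RTM_*ADDRLABEL values in linux/rtnetlink.h). The function name, report fields and sample records are constructed for illustration.

```python
import re

# Message type numbers from linux/rtnetlink.h for the ADDRLABEL family.
RTM_NAMES = {72: "RTM_NEWADDRLABEL", 73: "RTM_DELADDRLABEL", 74: "RTM_GETADDRLABEL"}
ERRNO_NAMES = {-22: "EINVAL"}  # only the errno seen in this bug
EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
NLMSG = re.compile(r"unrecognized netlink message type=(\d+) for sclass=(\d+)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample in the shape of the records quoted in the thread.
SAMPLE = """\
type=SELINUX_ERR msg=audit(1000000001.100:7): SELinux:  unrecognized netlink message type=74 for sclass=43
type=SYSCALL msg=audit(1000000001.100:7): arch=c000003e syscall=44 success=no exit=-22 a0=3 a2=14 pid=4112 uid=0 comm="ip" exe="/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
type=SELINUX_ERR msg=audit(1000000002.200:8): SELinux:  unrecognized netlink message type=72 for sclass=43
type=SYSCALL msg=audit(1000000002.200:8): arch=c000003e syscall=44 success=yes exit=20 a0=3 a2=14 pid=4113 uid=0 comm="ip" exe="/sbin/ip" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
type=SYSCALL msg=audit(1000000003.300:9): arch=c000003e syscall=2 success=yes exit=3 pid=4114 uid=0 comm="cat" exe="/bin/cat" key=(null)
"""


def unrecognized_nlmsg_events(text):
    """Pair each SELINUX_ERR netlink record with the SYSCALL record sharing its event id."""
    events = {}
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {})
        nl = NLMSG.search(line)
        if line.startswith("type=SELINUX_ERR") and nl:
            ev["nlmsg_type"], ev["sclass"] = int(nl.group(1)), int(nl.group(2))
        elif line.startswith("type=SYSCALL"):
            ev["syscall"] = {k: v.strip('"') for k, v in FIELD.findall(line)}
    report = []
    for event_id, ev in events.items():
        if "nlmsg_type" not in ev:
            continue  # ordinary syscall record, no SELinux netlink error
        sc = ev.get("syscall", {})
        exit_code = int(sc["exit"]) if "exit" in sc else None
        report.append({
            "event": event_id,
            "message": RTM_NAMES.get(ev["nlmsg_type"], f"type {ev['nlmsg_type']}"),
            "sclass": ev["sclass"],
            "comm": sc.get("comm"),
            "blocked": sc.get("success") == "no",  # logged-only events have success=yes
            "errno": ERRNO_NAMES.get(exit_code),
        })
    return report
```
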

Comment 8 Michal Schmidt 2008-11-05 12:43:16 UTC
I posted a kernel patch upstream: http://lkml.org/lkml/2008/11/5/85

Comment 9 Daniel Walsh 2008-11-05 16:38:22 UTC
*** Bug 470037 has been marked as a duplicate of this bug. ***

Comment 10 Maciej Żenczykowski 2008-11-17 07:35:44 UTC
Applied and compiled kernel with patch from http://lkml.org/lkml/2008/11/5/85 and the problem is resolved.  Could we get this into the official fc9 and/or stable 2.6.27 kernels?

# uname -a
Linux zeus.lan 2.6.27.5-37mz2.fc9.x86_64 #1 SMP Fri Nov 14 15:31:28 PST 2008 x86_64 x86_64 x86_64 GNU/Linux (from koji with above patch)

# ip addrlabel show
prefix ::1/128 label 0 
prefix ::/96 label 3 
prefix ::ffff:0.0.0.0/96 label 4 
prefix 2001::/32 label 6 
prefix 2001:10::/28 label 7 
prefix 2002::/16 label 2 
prefix fc00::/7 label 5 
prefix ::/0 label 1 

# ip addrlabel add prefix ::/120 dev eth0 label 9

# ip addrlabel show
prefix ::1/128 label 0 
prefix ::/120 dev if4 label 9 
prefix ::/96 label 3 
prefix ::ffff:0.0.0.0/96 label 4 
prefix 2001::/32 label 6 
prefix 2001:10::/28 label 7 
prefix 2002::/16 label 2 
prefix fc00::/7 label 5 
prefix ::/0 label 1 

# ip addrlabel del prefix ::/120 dev eth0 label 9

# ip addrlabel show
prefix ::1/128 label 0 
prefix ::/96 label 3 
prefix ::ffff:0.0.0.0/96 label 4 
prefix 2001::/32 label 6 
prefix 2001:10::/28 label 7 
prefix 2002::/16 label 2 
prefix fc00::/7 label 5 
prefix ::/0 label 1 

Nothing weird in dmesg (and eth0 is indeed interface #4, 1,2,3 being lo,wmaster0,wlan0).

Unverified whether the entire source address selection works, but that would be a separate bug anyway...

Comment 11 Dave Jones 2008-11-18 23:04:18 UTC
James, is that patch sufficient, or will we need others too?

Comment 12 James Morris 2008-11-18 23:30:07 UTC
Yes, this should be enough.

Comment 13 Fedora Update System 2008-11-28 02:19:19 UTC
kernel-2.6.27.7-53.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/kernel-2.6.27.7-53.fc9

Comment 14 Fedora Update System 2008-12-03 01:27:02 UTC
kernel-2.6.27.7-53.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2008-12-10 04:36:01 UTC
kernel-2.6.27.7-53.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

