Bug 500471 - SELinux is preventing brctl (brctl_t) "read write" tun_tap_device_t.
SELinux is preventing brctl (brctl_t) "read write" tun_tap_device_t.
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2009-05-12 16:11 EDT by Jerry Amundson
Modified: 2009-06-04 01:29 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-06-04 01:29:28 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
attaching mypol.te to note other avc's I had not yet reported. (2.33 KB, text/plain)
2009-05-12 17:07 EDT, Jerry Amundson
no flags Details

  None (edit)
Description Jerry Amundson 2009-05-12 16:11:52 EDT
Description of problem:
SELinux is preventing brctl (brctl_t) "read write" tun_tap_device_t. 

Version-Release number of selected component (if applicable):
Source RPM Packages           bridge-utils-1.2-7.fc11
Policy RPM                    selinux-policy-3.6.12-28.fc11

How reproducible:
4 times

Steps to Reproduce:
1.start a xen domu vm that has a bridged device
Actual results:

Expected results:
no avc

Additional info:


SELinux is preventing brctl (brctl_t) "read write" tun_tap_device_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by brctl. It is not expected that this access is
required by brctl and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:brctl_t:s0
Target Context                system_u:object_r:tun_tap_device_t:s0
Target Objects                /dev/net/tun [ chr_file ]
Source                        brctl
Source Path                   /usr/sbin/brctl
Port                          <Unknown>
Host                          jerry-opti755
Source RPM Packages           bridge-utils-1.2-7.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-28.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     jerry-opti755
Platform                      Linux jerry-opti755
                              2.6.30- #1
                              SMP Thu May 7 13:59:41 EDT 2009 x86_64 x86_64
Alert Count                   4
First Seen                    Tue 12 May 2009 09:37:46 AM CDT
Last Seen                     Tue 12 May 2009 11:00:27 AM CDT
Local ID                      501a857a-8330-4c5f-a084-837c989a0e86
Line Numbers                  

Raw Audit Messages            

node=jerry-opti755 type=AVC msg=audit(1242144027.752:46): avc:  denied  { read write } for  pid=6041 comm="brctl" path="/dev/net/tun" dev=tmpfs ino=2719 scontext=system_u:system_r:brctl_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file

node=jerry-opti755 type=SYSCALL msg=audit(1242144027.752:46): arch=c000003e syscall=59 success=yes exit=0 a0=bb2d20 a1=bb3790 a2=bb3ef0 a3=28 items=0 ppid=6023 pid=6041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="brctl" exe="/usr/sbin/brctl" subj=system_u:system_r:brctl_t:s0 key=(null)
Comment 1 Daniel Walsh 2009-05-12 16:36:57 EDT
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.12-36.fc11.noarch
Comment 2 Jerry Amundson 2009-05-12 17:07:44 EDT
Created attachment 343664 [details]
attaching mypol.te to note other avc's I had not yet reported.

Confirmed fixed. Started vm. No avc.

Note You need to log in before you can comment on or make changes to this bug.