Bug 509527 - SELinux is preventing ifconfig (ifconfig_t) "read" security_t.
SELinux is preventing ifconfig (ifconfig_t) "read" security_t.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
11
All Linux
low Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-07-03 06:16 EDT by Gaetan Cambier
Modified: 2009-09-16 04:36 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-16 04:36:04 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Gaetan Cambier 2009-07-03 06:16:35 EDT
Description of problem:
SELinux is preventing ifconfig (ifconfig_t) "read" security_t. 

Version-Release number of selected component (if applicable):
    - net-tools-1.60-92.fc11
    - selinux-policy-3.6.12-53.fc11

How reproducible:
    - Restart network services

  
Additional info:


Résumé:

SELinux is preventing ifconfig (ifconfig_t) "read" security_t.

Description détaillée:

[Opération qui aurait du être refusée mais qui a été autorisée par le mode
permissif de SELinux.]

SELinux denied access requested by ifconfig. It is not expected that this access
is required by ifconfig and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Autoriser l'accès:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Informations complémentaires:

Contexte source               unconfined_u:system_r:ifconfig_t:s0
Contexte cible                system_u:object_r:security_t:s0
Objets du contexte            mls [ file ]
source                        ifconfig
Chemin de la source           /sbin/ifconfig
Port                          <Inconnu>
Hôte                         Gaetan.Cambier-Dereze
Paquetages RPM source         net-tools-1.60-92.fc11
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.12-53.fc11
Selinux activé               True
Type de politique             targeted
MLS activé                   True
Mode strict                   Permissive
Nom du plugin                 catchall
Nom de l'hôte                Gaetan.Cambier-Dereze
Plateforme                    Linux Gaetan.Cambier-Dereze
                              2.6.29.5-191.fc11.i686.PAE #1 SMP Tue Jun 16
                              23:19:53 EDT 2009 i686 athlon
Compteur d'alertes            5
Première alerte              ven 03 jui 2009 11:05:40 CEST
Dernière alerte              ven 03 jui 2009 12:05:04 CEST
ID local                      cefffe2e-a26a-4716-a98f-c713848903f3
Numéros des lignes           

Messages d'audit bruts        

node=Gaetan.Cambier-Dereze type=AVC msg=audit(1246615504.724:2081): avc:  denied  { read } for  pid=12860 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file

node=Gaetan.Cambier-Dereze type=AVC msg=audit(1246615504.724:2081): avc:  denied  { open } for  pid=12860 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file

node=Gaetan.Cambier-Dereze type=SYSCALL msg=audit(1246615504.724:2081): arch=40000003 syscall=5 success=yes exit=3 a0=bfc82ce8 a1=8000 a2=0 a3=bfc82ce8 items=0 ppid=12859 pid=12860 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ifconfig" exe="/sbin/ifconfig" subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
Comment 1 Karel Piwko 2009-07-10 03:24:55 EDT
Experiencing exactly the same behaviour on my installation of Fedora 11 x64.


Summary:

SELinux is preventing ifconfig (ifconfig_t) "read" security_t.

Detailed Description:

SELinux denied access requested by ifconfig. It is not expected that this access
is required by ifconfig and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:ifconfig_t:s0
Target Context                system_u:object_r:security_t:s0
Target Objects                mls [ file ]
Source                        ifconfig
Source Path                   /sbin/ifconfig
Port                          <Unknown>
Host                          kapy
Source RPM Packages           net-tools-1.60-92.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-53.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     kapy
Platform                      Linux kapy 2.6.29.5-191.fc11.x86_64 #1 SMP Tue Jun
                              16 23:23:21 EDT 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Fri 10 Jul 2009 09:07:34 AM CEST
Last Seen                     Fri 10 Jul 2009 09:07:42 AM CEST
Local ID                      05d01cb7-7d3d-458f-aad7-ed74c3e4884d
Line Numbers                  

Raw Audit Messages            

node=kapy type=AVC msg=audit(1247209662.817:36653): avc:  denied  { read } for  pid=11203 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file

node=kapy type=SYSCALL msg=audit(1247209662.817:36653): arch=c000003e syscall=2 success=no exit=1090658264 a0=7fff9117e4b0 a1=0 a2=7fff9117e4bc a3=fffffff8 items=0 ppid=11202 pid=11203 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="ifconfig" exe="/sbin/ifconfig" subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
Comment 2 Radek Vokal 2009-09-16 04:11:23 EDT
Reassigning to selinux-policy. Can you also specify the exact ifconfig command you have reproduced this avc denial with?
Comment 3 Miroslav Grepl 2009-09-16 04:36:04 EDT
Please update your selinux-policy and selinux-policy-targeted packages.

Note You need to log in before you can comment on or make changes to this bug.