Summary:

SELinux is preventing /sbin/ip6tables-multi access to a leaked netlink_route_socket file descriptor.

Detailed Description:

[iptables has a permissive type (iptables_t). This access was not denied.]

SELinux denied access requested by the ip6tables-resto command. It looks like this is either a leaked descriptor or ip6tables-resto output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the netlink_route_socket. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:iptables_t:s0-s0:c0.c1023
Target Context                system_u:system_r:virtd_t:s0-s0:c0.c1023
Target Objects                netlink_route_socket [ netlink_route_socket ]
Source                        iptables
Source Path                   /sbin/iptables-multi
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           iptables-ipv6-1.4.5-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count                   14
First Seen                    Thu 12 Nov 2009 04:27:44 PM EST
Last Seen                     Thu 12 Nov 2009 04:27:44 PM EST
Local ID                      35eb263f-8e09-4927-a52f-db57d60f204d
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1258061264.267:30430): avc: denied { read write } for pid=5063 comm="ip6tables-resto" path="socket:[29305]" dev=sockfs ino=29305 scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=netlink_route_socket

node=(removed) type=SYSCALL msg=audit(1258061264.267:30430): arch=c000003e syscall=59 success=yes exit=0 a0=a8a640 a1=a8b2d0 a2=a47420 a3=18 items=0 ppid=5052 pid=5063 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip6tables-resto" exe="/sbin/ip6tables-multi" subj=system_u:system_r:iptables_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  selinux-policy-3.6.32-41.fc12,leaks,iptables,iptables_t,virtd_t,netlink_route_socket,read,write

audit2allow suggests:

#============= iptables_t ==============
allow iptables_t virtd_t:netlink_route_socket { read write };
libvirt should not leak the file descriptor.
Dan, could you advise as to whether this is the same or a different AVC? (It looks similar, but a bit different to my untrained eye ...)

Summary:

SELinux is preventing /sbin/ip6tables-multi access to a leaked /proc/mtrr file descriptor.

Detailed Description:

[iptables has a permissive type (iptables_t). This access was not denied.]

SELinux denied access requested by the ip6tables command. It looks like this is either a leaked descriptor or ip6tables output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /proc/mtrr. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:iptables_t:s0-s0:c0.c1023
Target Context                system_u:object_r:mtrr_device_t:s0
Target Objects                /proc/mtrr [ file ]
Source                        iptables
Source Path                   /sbin/iptables-multi
Port                          <Unknown>
Host                          thinkpad.home.annexia.org
Source RPM Packages           iptables-ipv6-1.4.6-2.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.11-1.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     thinkpad.home.annexia.org
Platform                      Linux thinkpad.home.annexia.org 2.6.33-1.fc13.i686.PAE #1 SMP Wed Feb 24 19:54:49 UTC 2010 i686 i686
Alert Count                   299
First Seen                    Mon 08 Mar 2010 07:52:35 PM GMT
Last Seen                     Mon 08 Mar 2010 07:52:35 PM GMT
Local ID                      d189845d-4780-440f-9689-2ff43738bdb8
Line Numbers

Raw Audit Messages

node=thinkpad.home.annexia.org type=AVC msg=audit(1268077955.535:92): avc: denied { write } for pid=4463 comm="ip6tables" path="/proc/mtrr" dev=proc ino=4026531909 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file

node=thinkpad.home.annexia.org type=SYSCALL msg=audit(1268077955.535:92): arch=40000003 syscall=11 success=yes exit=0 a0=8434810 a1=8412c40 a2=840f7b0 a3=8412c40 items=0 ppid=4453 pid=4463 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="ip6tables" exe="/sbin/ip6tables-multi" subj=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 key=(null)
No. Just run your AVCs through audit2allow and you would see:

allow iptables_t mtrr_device_t:file write;

Which is probably also a leak. Unless you know of a reason for iptables needing to write to /dev/mtrr?
(In reply to comment #3)
> Unless you know of a reason for iptables needing to write to /dev/mtrr?

No clue. Anyway, bug 571573.
libvirt always closes all file descriptors when forking any child process itself. In addition, libvirt never runs /sbin/ip6tables-multi. I wonder if this could be netcf spawning this & causing the leak?
netcf does run (via system(3)) "/etc/init.d/iptables condrestart", which looks like it could call ip6tables-multi (it calls "ip6tables" which, on F12 anyway, is a symlink to ip6tables-multi). netcf's system() call should be replaced with something like virRun from libvirt so that all the fds will be closed, but of course ip6tables-multi should also not be writing to a fd it didn't open itself. I'll try to replace system() in netcf this week.
In parallel with the system/virRun change to close FDs, it would also be worth setting the CLOEXEC flag on netcf's netlink socket. This is because netcf might be used inside an app which forks/execs without closing FDs - so even if netcf took care of its own fork/exec usage, you could still get hit.
ip6tables is not actually trying to write to the /dev/mtrr. SELinux checks all open file descriptors being handed to a confined process on start. If it finds any access that would be denied it closes the file descriptor and reports the AVC. All apps that open sockets and file descriptors, and could eventually execute another app, should close those file descriptors on exec:

fcntl(fd, F_SETFD, FD_CLOEXEC)
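As an added example (not netcf's or libvirt's code, and not posted by anyone in this thread), the C program below reproduces the leak the two comments above describe and shows the fcntl fix closing it: it opens a NETLINK_ROUTE socket, spawns a shell the way system(3) does, and asks the child whether the descriptor is still open in its own table. It assumes a Linux host with /bin/sh and /proc; the /dev/null fallback exists only so the demonstration still runs where netlink sockets are blocked.

```c
#include <fcntl.h>
#include <linux/netlink.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
/* Open a NETLINK_ROUTE socket, the object class named in the first AVC.
 * Falls back to /dev/null so the demo still runs where netlink is blocked. */
static int open_route_socket(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    return fd >= 0 ? fd : open("/dev/null", O_RDONLY);
}

/* The fix proposed in the thread: mark the descriptor close-on-exec. */
static int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* fork()+exec() a shell, as system(3) does, and ask it whether fd is still
 * open in its own table: 1 = leaked into the child, 0 = closed, -1 = error. */
static int fd_survives_exec(int fd)
{
    char cmd[64];
    int status;
    snprintf(cmd, sizeof cmd, "test -e /proc/self/fd/%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) > 1)
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* with_cloexec=0 reproduces the reported leak; with_cloexec=1 applies the fix. */
int route_socket_leaks(int with_cloexec)
{
    int fd = open_route_socket();
    if (fd < 0)
        return -1;
    int leaked = (with_cloexec && set_cloexec(fd) < 0) ? -1 : fd_survives_exec(fd);
    close(fd);
    return leaked;
}
```

route_socket_leaks(0) returns 1 (the socket is visible to the child, which is exactly what setroubleshoot flagged), while route_socket_leaks(1) returns 0.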
I've posted two fixes to the netcf-devel mailing list: https://fedorahosted.org/pipermail/netcf-devel/2010-March/000407.html https://fedorahosted.org/pipermail/netcf-devel/2010-March/000408.html
netcf-0.1.6-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/netcf-0.1.6-1.fc12
netcf-0.1.6-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/netcf-0.1.6-1.fc13
netcf-0.1.6-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/netcf-0.1.6-1.fc11
netcf-0.1.6-1.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update netcf'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/netcf-0.1.6-1.fc13
netcf-0.1.6-1.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update netcf'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/netcf-0.1.6-1.fc12
netcf-0.1.6-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
netcf-0.1.6-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
netcf-0.1.6-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.