Created attachment 383682 [details] selinux module

Description of problem:
Trying to use netplugd with bridged networking causes selinux messages and netplugd doesn't function like it's supposed to.

Version-Release number of selected component (if applicable):
bridge-utils-1.2-7.fc11
selinux-policy-3.6.12-92.fc11

How reproducible:
always

Steps to Reproduce:
1. start the netplugd service, service netplugd start

Actual results:
The netplugd service

Expected results:
the netplugd service starting up with bridged networking and no selinux denial messages

Additional info:
It was told that we need either a brctl_exec and brctl_exec(hotplug_t), or a brctl_domtrans(hotplug_t)

Included here is a module that fixes the problem.

Here are the selinux messages
# type=AVC msg=audit(1263474294.301:38968): avc: denied { getattr } for pid=27804 comm="ifup-eth" path="/usr/sbin/brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
#
# type=SYSCALL msg=audit(1263474294.301:38968): arch=40000003 syscall=195 success=no exit=-13 a0=9ef77c0 a1=bf966cbc a2=b1dff4 a3=9ef77c0 items=0 ppid=26768 pid=27804 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ifup-eth" exe="/bin/bash" subj=unconfined_u:system_r:hotplug_t:s0 key=(null)
More avc denial messages
# time->Thu Jan 14 08:31:42 2010
# type=SYSCALL msg=audit(1263475902.642:38971): arch=40000003 syscall=33 success=yes exit=0 a0=97907c0 a1=1 a2=b1dff4 a3=97907c0 items=0 ppid=29267 pid=29269 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ifup-eth" exe="/bin/bash" subj=unconfined_u:system_r:hotplug_t:s0 key=(null)
# type=AVC msg=audit(1263475902.642:38971): avc: denied { execute } for pid=29269 comm="ifup-eth" name="brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
# ----
# time->Thu Jan 14 08:31:42 2010
# type=SYSCALL msg=audit(1263475902.642:38970): arch=40000003 syscall=195 success=yes exit=0 a0=97907c0 a1=bfa0f4cc a2=b1dff4 a3=97907c0 items=0 ppid=29267 pid=29269 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ifup-eth" exe="/bin/bash" subj=unconfined_u:system_r:hotplug_t:s0 key=(null)
# type=AVC msg=audit(1263475902.642:38970): avc: denied { getattr } for pid=29269 comm="ifup-eth" path="/usr/sbin/brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
# ----
# time->Thu Jan 14 08:31:42 2010
# type=SYSCALL msg=audit(1263475902.653:38972): arch=40000003 syscall=11 success=yes exit=0 a0=97b3ce0 a1=97b42b8 a2=978de88 a3=97b42b8 items=0 ppid=29269 pid=29290 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="brctl" exe="/usr/sbin/brctl" subj=unconfined_u:system_r:hotplug_t:s0 key=(null)
# type=AVC msg=audit(1263475902.653:38972): avc: denied { execute_no_trans } for pid=29290 comm="ifup-eth" path="/usr/sbin/brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
# type=AVC msg=audit(1263475902.653:38972): avc: denied { read open } for pid=29290 comm="ifup-eth" name="brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
# ----
# time->Thu Jan 14 08:31:42 2010
# type=SYSCALL msg=audit(1263475902.653:38973): arch=40000003 syscall=33 success=yes exit=0 a0=bf8e1b97 a1=4 a2=b1dff4 a3=bf8e1f45 items=0 ppid=29269 pid=29290 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="brctl" exe="/usr/sbin/brctl" subj=unconfined_u:system_r:hotplug_t:s0 key=(null)
# type=AVC msg=audit(1263475902.653:38973): avc: denied { read } for pid=29290 comm="brctl" name="unix" dev=proc ino=4026531975 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
# ----
# time->Thu Jan 14 08:34:03 2010
# type=SYSCALL msg=audit(1263476043.337:38975): arch=40000003 syscall=195 success=yes exit=0 a0=a0f47c0 a1=bfdaf66c a2=b1dff4 a3=a0f47c0 items=0 ppid=29409 pid=29410 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ifup-eth" exe="/bin/bash" subj=unconfined_u:system_r:hotplug_t:s0 key=(null)
# type=AVC msg=audit(1263476043.337:38975): avc: denied { getattr } for pid=29410 comm="ifup-eth" path="/usr/sbin/brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
# ----
# time->Thu Jan 14 08:34:03 2010
# type=SYSCALL msg=audit(1263476043.338:38976): arch=40000003 syscall=33 success=yes exit=0 a0=a0f47c0 a1=1 a2=b1dff4 a3=a0f47c0 items=0 ppid=29409 pid=29410 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ifup-eth" exe="/bin/bash" subj=unconfined_u:system_r:hotplug_t:s0 key=(null)
# type=AVC msg=audit(1263476043.338:38976): avc: denied { execute } for pid=29410 comm="ifup-eth" name="brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
# ----
# time->Thu Jan 14 08:34:03 2010
# type=SYSCALL msg=audit(1263476043.340:38977): arch=40000003 syscall=11 success=yes exit=0 a0=a117ce0 a1=a1182b8 a2=a0f1e88 a3=a1182b8 items=0 ppid=29410 pid=29434 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="brctl" exe="/usr/sbin/brctl" subj=unconfined_u:system_r:hotplug_t:s0 key=(null)
# type=AVC msg=audit(1263476043.340:38977): avc: denied { execute_no_trans } for pid=29434 comm="ifup-eth" path="/usr/sbin/brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
# type=AVC msg=audit(1263476043.340:38977): avc: denied { read open } for pid=29434 comm="ifup-eth" name="brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
# ----
# time->Thu Jan 14 08:34:03 2010
# type=SYSCALL msg=audit(1263476043.340:38978): arch=40000003 syscall=33 success=yes exit=0 a0=bfc0b1e7 a1=4 a2=b1dff4 a3=bfc0bf45 items=0 ppid=29410 pid=29434 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="brctl" exe="/usr/sbin/brctl" subj=unconfined_u:system_r:hotplug_t:s0 key=(null)
# type=AVC msg=audit(1263476043.340:38978): avc: denied { read } for pid=29434 comm="brctl" name="unix" dev=proc ino=4026531975 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
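A small parser for AVC records of the kind posted in this bug, added here as an example; it is not code from this report, from Fedora or from the selinux-policy project. It groups the denials by source domain, target type and object class, prints the raw allow rules that audit2allow would print, and, where an `*_exec_t` file was executed without a domain transition (the `execute_no_trans` permission), suggests the refpolicy-style `<prefix>_domtrans()` interface over `<prefix>_exec()`. The interface naming (brctl_exec_t to brctl_domtrans/brctl_exec) is an assumption based on refpolicy conventions, and the sample records are constructed from the ones in this report.

```python
"""Summarise SELinux AVC denials and suggest a policy fix.

Added example for this bug report; it is not code from Fedora or from the
selinux-policy project.  The mapping foo_exec_t -> foo_domtrans()/foo_exec()
is an assumption that follows the refpolicy naming convention and may not
hold for every module.
"""
import os
import re
from collections import defaultdict

# Constructed sample, modelled on the records posted in this bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1263475902.642:38971): avc: denied { execute } for pid=29269 comm="ifup-eth" name="brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
type=AVC msg=audit(1263475902.642:38970): avc: denied { getattr } for pid=29269 comm="ifup-eth" path="/usr/sbin/brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1263475902.653:38972): arch=40000003 syscall=11 success=yes exit=0 comm="brctl" exe="/usr/sbin/brctl" subj=unconfined_u:system_r:hotplug_t:s0 key=(null)
type=AVC msg=audit(1263475902.653:38972): avc: denied { execute_no_trans } for pid=29290 comm="ifup-eth" path="/usr/sbin/brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
type=AVC msg=audit(1263475902.653:38972): avc: denied { read open } for pid=29290 comm="ifup-eth" name="brctl" dev=dm-0 ino=48367 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
type=AVC msg=audit(1263475902.653:38973): avc: denied { read } for pid=29290 comm="brctl" name="unix" dev=proc ino=4026531975 scontext=unconfined_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)\s*"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type:level -> type, the component type enforcement decides on."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm", ""),
        # object name: path= when the kernel knows it, otherwise name=
        "target": fields.get("path") or fields.get("name", ""),
        "sdomain": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def analyse(lines):
    """Group denials and derive both raw allow rules and an interface suggestion."""
    records = [r for r in map(parse_avc, lines) if r]
    summary = defaultdict(set)
    for r in records:
        summary[(r["sdomain"], r["ttype"], r["tclass"])].update(r["perms"])

    # What audit2allow would print: one allow rule per (domain, type, class).
    rules = [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
             for (s, t, c), p in sorted(summary.items())]

    suggestions = []
    for (s, t, c), p in sorted(summary.items()):
        # execute_no_trans on an *_exec_t file means the program ran inside the
        # caller's domain because no domain transition rule existed for it.
        if c != "file" or not t.endswith("_exec_t") or "execute_no_trans" not in p:
            continue
        prefix = t[: -len("_exec_t")]
        exe_names = {os.path.basename(r["target"]) for r in records if r["ttype"] == t}
        # Denials raised by the executed program itself (comm matches the binary)
        # while it was still confined as the caller: a transition to the
        # program's own domain covers these instead of widening the caller.
        absorbed = sorted({
            f"{r['ttype']}:{r['tclass']} {{ {' '.join(sorted(r['perms']))} }}"
            for r in records
            if r["sdomain"] == s and r["comm"] in exe_names and r["ttype"] != t
        })
        suggestions.append({
            "preferred": f"{prefix}_domtrans({s})",
            "alternative": f"{prefix}_exec({s})",
            "absorbed_by_transition": absorbed,
        })
    return {"rules": rules, "suggestions": suggestions}


if __name__ == "__main__":
    result = analyse(SAMPLE_AUDIT.splitlines())
    print("\n".join(result["rules"]))
    for s in result["suggestions"]:
        print(f"prefer {s['preferred']} over {s['alternative']}; "
              f"a transition also covers: {', '.join(s['absorbed_by_transition'])}")
```

Run against the records above it prints the two raw rules for hotplug_t and then `prefer brctl_domtrans(hotplug_t) over brctl_exec(hotplug_t)`, noting that the proc_net_t read denial (raised by brctl itself, still running as hotplug_t) is handled by the transition. That is the least-privilege reason for choosing the domtrans interface: the exec variant would have to grant hotplug_t every permission brctl needs, while the transition lets the existing brctl domain keep them.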
Miroslav, Add brctl_domtrans(hotplug_t) to F11 and F12.
Did you have any feedback from Miroslav Daniel?

---
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Fixed in selinux-policy-3.6.12-94.fc11.noarch and selinux-policy-3.6.32-71.fc12
selinux-policy-3.6.12-94.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/selinux-policy-3.6.12-94.fc11
selinux-policy-3.6.12-94.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-0851
selinux-policy-3.6.12-94.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.