Bug 587507 - SELinux is preventing /sbin/ifconfig from using potentially mislabeled files if_inet6.
Summary: SELinux is preventing /sbin/ifconfig from using potentially mislabeled files ...
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:78dc82e5991...
Depends On:
Blocks:
 
Reported: 2010-04-30 05:34 UTC by David O'Brien
Modified: 2010-09-01 13:04 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-09-01 13:04:08 UTC
Type: ---
Embargoed:



Description David O'Brien 2010-04-30 05:34:07 UTC
Summary:

SELinux is preventing /sbin/ifconfig from using potentially mislabeled files
if_inet6.

Detailed Description:

SELinux has denied the ifconfig access to potentially mislabeled files if_inet6.
This means that SELinux will not allow httpd to use these files. If httpd should
be allowed this access to these files you should change the file context to one
of the following types, chroot_exec_t, bin_t, cert_t, httpd_t, lib_t,
public_content_rw_t, httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t, usr_t,
mailman_data_t, httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t,
httpd_rotatelogs_exec_t, httpd_cvs_htaccess_t, httpd_git_htaccess_t,
httpd_sys_htaccess_t, squirrelmail_spool_t, nagios_etc_t, nagios_log_t,
sssd_public_t, httpd_keytab_t, httpd_prewikka_htaccess_t, cluster_conf_t,
fonts_cache_t, httpd_exec_t, httpd_lock_t, httpd_log_t, httpd_rw_content,
locale_t, httpd_unconfined_script_exec_t, krb5_conf_t, etc_t, fonts_t, proc_t,
src_t, sysfs_t, abrt_var_run_t, krb5_keytab_t, httpd_ro_content,
calamaris_www_t, httpd_config_t, httpd_cache_t, httpd_tmpfs_t, iso9660_t,
pki_tps_etc_rw_t, abrt_t, sysctl_crypto_t, fail2ban_var_lib_t, lib_t, var_lib_t,
udev_tbl_t, httpd_tmp_t, configfile, user_cron_spool_t, shell_exec_t,
httpd_w3c_validator_htaccess_t, afs_cache_t, abrt_helper_exec_t, mysqld_etc_t,
cvs_data_t, pki_ra_etc_rw_t, httpd_helper_exec_t, dbusd_etc_t,
httpd_squirrelmail_t, textrel_shlib_t, httpd_php_exec_t,
httpd_nagios_htaccess_t, ld_so_t, rpm_script_tmp_t, samba_var_t,
pki_ra_var_lib_t, pki_ra_var_run_t, net_conf_t, public_content_t,
anon_inodefs_t, sysctl_kernel_t, httpd_modules_t, pki_ra_log_t, etc_runtime_t,
httpd_suexec_exec_t, application_exec_type, httpd_nutups_cgi_htaccess_t,
mailman_cgi_exec_t, httpd_var_lib_t, httpd_var_run_t, gitosis_var_lib_t,
ld_so_cache_t, httpd_squid_htaccess_t, httpd_munin_htaccess_t,
pki_tps_var_lib_t, pki_tps_var_run_t, pki_tps_log_t, mailman_archive_t,
httpd_awstats_htaccess_t, httpd_user_htaccess_t, httpd_cobbler_content_t,
httpd_cvs_content_t, httpd_sys_content_t, httpd_sys_content_t,
httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t,
httpd_prewikka_content_ra_t, httpd_prewikka_content_rw_t,
httpd_nagios_script_exec_t, httpd_user_script_exec_t, httpd_bugzilla_content_t,
httpd_apcupsd_cgi_script_exec_t, httpd_awstats_content_ra_t,
httpd_awstats_content_rw_t, httpd_squid_script_exec_t,
httpd_bugzilla_script_exec_t, httpd_w3c_validator_content_ra_t,
httpd_w3c_validator_content_rw_t, httpd_nutups_cgi_content_t,
httpd_awstats_content_t, httpd_user_content_ra_t, httpd_user_content_rw_t,
httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, httpdcontent,
httpd_sys_script_exec_t, httpd_prewikka_script_exec_t, httpd_git_script_exec_t,
httpd_munin_content_ra_t, httpd_munin_content_rw_t, httpd_cvs_script_exec_t,
root_t, httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t,
httpd_nutups_cgi_script_exec_t, httpd_nagios_content_ra_t,
httpd_nagios_content_rw_t, httpd_nagios_content_t,
httpd_w3c_validator_content_t, httpd_sys_content_ra_t, httpd_sys_content_rw_t,
httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t,
httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_cobbler_script_exec_t,
httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t,
httpd_git_content_t, httpd_user_content_t, httpd_squid_content_ra_t,
httpd_squid_content_rw_t, httpd_prewikka_content_t, httpd_munin_content_t,
httpd_squid_content_t, httpd_apcupsd_cgi_content_t, httpd_awstats_script_exec_t,
httpd_apcupsd_cgi_content_ra_t, httpd_apcupsd_cgi_content_rw_t. Many third party
apps install html files in directories that SELinux policy cannot predict. These
directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of if_inet6 so that the httpd daemon can
access it, you need to execute it using semanage fcontext -a -t FILE_TYPE
'if_inet6'.
where FILE_TYPE is one of the following: chroot_exec_t, bin_t, cert_t, httpd_t,
lib_t, public_content_rw_t, httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t,
usr_t, mailman_data_t, httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t,
httpd_rotatelogs_exec_t, httpd_cvs_htaccess_t, httpd_git_htaccess_t,
httpd_sys_htaccess_t, squirrelmail_spool_t, nagios_etc_t, nagios_log_t,
sssd_public_t, httpd_keytab_t, httpd_prewikka_htaccess_t, cluster_conf_t,
fonts_cache_t, httpd_exec_t, httpd_lock_t, httpd_log_t, httpd_rw_content,
locale_t, httpd_unconfined_script_exec_t, krb5_conf_t, etc_t, fonts_t, proc_t,
src_t, sysfs_t, abrt_var_run_t, krb5_keytab_t, httpd_ro_content,
calamaris_www_t, httpd_config_t, httpd_cache_t, httpd_tmpfs_t, iso9660_t,
pki_tps_etc_rw_t, abrt_t, sysctl_crypto_t, fail2ban_var_lib_t, lib_t, var_lib_t,
udev_tbl_t, httpd_tmp_t, configfile, user_cron_spool_t, shell_exec_t,
httpd_w3c_validator_htaccess_t, afs_cache_t, abrt_helper_exec_t, mysqld_etc_t,
cvs_data_t, pki_ra_etc_rw_t, httpd_helper_exec_t, dbusd_etc_t,
httpd_squirrelmail_t, textrel_shlib_t, httpd_php_exec_t,
httpd_nagios_htaccess_t, ld_so_t, rpm_script_tmp_t, samba_var_t,
pki_ra_var_lib_t, pki_ra_var_run_t, net_conf_t, public_content_t,
anon_inodefs_t, sysctl_kernel_t, httpd_modules_t, pki_ra_log_t, etc_runtime_t,
httpd_suexec_exec_t, application_exec_type, httpd_nutups_cgi_htaccess_t,
mailman_cgi_exec_t, httpd_var_lib_t, httpd_var_run_t, gitosis_var_lib_t,
ld_so_cache_t, httpd_squid_htaccess_t, httpd_munin_htaccess_t,
pki_tps_var_lib_t, pki_tps_var_run_t, pki_tps_log_t, mailman_archive_t,
httpd_awstats_htaccess_t, httpd_user_htaccess_t, httpd_cobbler_content_t,
httpd_cvs_content_t, httpd_sys_content_t, httpd_sys_content_t,
httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t,
httpd_prewikka_content_ra_t, httpd_prewikka_content_rw_t,
httpd_nagios_script_exec_t, httpd_user_script_exec_t, httpd_bugzilla_content_t,
httpd_apcupsd_cgi_script_exec_t, httpd_awstats_content_ra_t,
httpd_awstats_content_rw_t, httpd_squid_script_exec_t,
httpd_bugzilla_script_exec_t, httpd_w3c_validator_content_ra_t,
httpd_w3c_validator_content_rw_t, httpd_nutups_cgi_content_t,
httpd_awstats_content_t, httpd_user_content_ra_t, httpd_user_content_rw_t,
httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, httpdcontent,
httpd_sys_script_exec_t, httpd_prewikka_script_exec_t, httpd_git_script_exec_t,
httpd_munin_content_ra_t, httpd_munin_content_rw_t, httpd_cvs_script_exec_t,
root_t, httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t,
httpd_nutups_cgi_script_exec_t, httpd_nagios_content_ra_t,
httpd_nagios_content_rw_t, httpd_nagios_content_t,
httpd_w3c_validator_content_t, httpd_sys_content_ra_t, httpd_sys_content_rw_t,
httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t,
httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_cobbler_script_exec_t,
httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t,
httpd_git_content_t, httpd_user_content_t, httpd_squid_content_ra_t,
httpd_squid_content_rw_t, httpd_prewikka_content_t, httpd_munin_content_t,
httpd_squid_content_t, httpd_apcupsd_cgi_content_t, httpd_awstats_script_exec_t,
httpd_apcupsd_cgi_content_ra_t, httpd_apcupsd_cgi_content_rw_t. You can look at
the httpd_selinux man page for additional information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:proc_net_t:s0
Target Objects                if_inet6 [ file ]
Source                        ifconfig
Source Path                   /sbin/ifconfig
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           net-tools-1.60-99.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-110.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     (removed)
Platform                      Linux ipaserver.ipanetwork.org
                              2.6.32.11-99.fc12.i686.PAE #1 SMP Mon Apr 5
                              16:15:03 EDT 2010 i686 i686
Alert Count                   7
First Seen                    Fri 30 Apr 2010 03:32:20 PM EST
Last Seen                     Fri 30 Apr 2010 03:32:20 PM EST
Local ID                      c2634f89-6035-4413-9617-0756c7a0ec9b
Line Numbers                  

Raw Audit Messages            

node=ipaserver.ipanetwork.org type=AVC msg=audit(1272605540.29:35537): avc:  denied  { read } for  pid=16965 comm="ifconfig" name="if_inet6" dev=proc ino=4026532078 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

node=ipaserver.ipanetwork.org type=SYSCALL msg=audit(1272605540.29:35537): arch=40000003 syscall=5 success=no exit=-13 a0=8054e2e a1=0 a2=1b6 a3=805489d items=0 ppid=16964 pid=16965 auid=500 uid=48 gid=484 euid=48 suid=48 fsuid=48 egid=484 sgid=484 fsgid=484 tty=(none) ses=1 comm="ifconfig" exe="/sbin/ifconfig" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Hash String generated from  httpd_bad_labels,ifconfig,httpd_t,proc_net_t,file,read
audit2allow suggests:

#============= httpd_t ==============
allow httpd_t proc_net_t:file read;

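The setroubleshoot plugin above (httpd_bad_labels) frames this as a mislabeled file and lists types to relabel to, but the raw AVC shows the target is if_inet6 on dev=proc with type proc_net_t. procfs objects take their label from genfscon rules in the policy, not from the filesystem, so semanage fcontext cannot change it and the relabel advice does not apply; the real options are a policy fix (what this report asks for) or a local module carrying the rule audit2allow prints. The following is an added example, not part of the report or of the selinux-policy project: a POSIX sh/sed parser that turns a raw AVC line into that allow rule, checks whether relabelling is even possible from the dev= field, and renders the .te source for a local module. The module name httpd_ifconfig_procnet and the second, two-permission AVC line are invented here for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or the selinux-policy project).
# Parses a raw AVC line with POSIX sh and sed, emits the allow rule that
# audit2allow prints, and renders a minimal .te source for a local policy
# module.  The module name "httpd_ifconfig_procnet" is invented here.

# The AVC from the report, embedded verbatim as sample input.
AVC='node=ipaserver.ipanetwork.org type=AVC msg=audit(1272605540.29:35537): avc:  denied  { read } for  pid=16965 comm="ifconfig" name="if_inet6" dev=proc ino=4026532078 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file'

# A constructed (not real) AVC with two permissions and a disk-backed target,
# to show the braced-set form and the relabel check.
AVC2='type=AVC msg=audit(1.0:1): avc:  denied  { read write } for  pid=1 comm="x" name="y" dev=dm-0 ino=1 scontext=system_u:system_r:a_t:s0 tcontext=system_u:object_r:b_t:s0 tclass=file'

avc_field() {   # avc_field KEY "<avc line>" -> value of " KEY=value"
    printf '%s\n' "$2" | sed -n "s/.* $1=\([^ ]*\).*/\1/p"
}
avc_type() {    # the type is the third field of user:role:type:level
    printf '%s\n' "$1" | cut -d: -f3
}
avc_perms() {   # the permissions listed inside "denied { ... }"
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^ ]\) *}.*/\1/p'
}
avc_perm_set() {   # wrap several permissions in braces, leave a single one bare
    printf '%s\n' "$1" | sed 's/.* .*/{ & }/'
}

# One AVC line -> the allow rule audit2allow would suggest for it.
# POSIX sh has no locals: stype/ttype/tclass/perms stay set afterwards and
# avc_module_te reuses them.
avc_allow_rule() {
    stype=$(avc_type "$(avc_field scontext "$1")")
    ttype=$(avc_type "$(avc_field tcontext "$1")")
    tclass=$(avc_field tclass "$1")
    perms=$(avc_perm_set "$(avc_perms "$1")")
    printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$tclass" "$perms"
}

# setroubleshoot's "mislabeled file" advice only applies to objects whose
# label lives on the filesystem.  procfs/sysfs objects (dev=proc here) get
# their label from genfscon in the policy; semanage fcontext cannot change it.
avc_relabel_possible() {
    case "$(avc_field dev "$1")" in
        proc|sysfs|selinuxfs) return 1 ;;
        *) return 0 ;;
    esac
}

# Render the .te for a local module carrying the rule (the source that
# "audit2allow -M" writes before checkmodule/semodule_package build the .pp).
avc_module_te() {   # avc_module_te MODULE "<avc line>"
    rule=$(avc_allow_rule "$2")
    cat <<EOF
module $1 1.0;

require {
    type $stype;
    type $ttype;
    class $tclass $perms;
}

$rule
EOF
}

# Stand-alone run: print the rule, the relabel verdict and the module source.
avc_allow_rule "$AVC"
if ! avc_relabel_possible "$AVC"; then
    echo "# dev=$(avc_field dev "$AVC"): labelled by genfscon, relabelling is not an option"
fi
avc_module_te httpd_ifconfig_procnet "$AVC"
```

On the affected host the rendered source is built and loaded with checkmodule -M -m -o httpd_ifconfig_procnet.mod httpd_ifconfig_procnet.te, semodule_package -o httpd_ifconfig_procnet.pp -m httpd_ifconfig_procnet.mod and semodule -i httpd_ifconfig_procnet.pp; confirm the label first with ls -Z /proc/net/if_inet6, which should show proc_net_t. A local module is a stop-gap that widens httpd_t for every process running in that domain, so it belongs in the same report that asks for the policy change rather than in place of it.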
Comment 1 David O'Brien 2010-04-30 05:38:43 UTC
Dan,
I haven't done SELinux bug reports this way before, so let me know if you want them submitted differently or whatever.

I've just installed F12 as a VM in Sun VirtualBox and have installed and configured an ipa server. Both times I added a user (ipa user-add) I got this AVC denial. I haven't modified the policy at all (yet).

Comment 2 Daniel Walsh 2010-08-19 10:20:42 UTC
Lost this bug in the flood.  Do you still have this problem?

Comment 3 David O'Brien 2010-08-31 23:44:24 UTC
Dan,
I've actually moved over to using VMWare instead of Sun Virtual Box and don't recall seeing this particular issue (doesn't mean it's not there...).

Perhaps close for now and if it comes up again (also shortly moving to F13 and with IPA updates) I'll file a new report.

Comment 4 Daniel Walsh 2010-09-01 13:04:08 UTC
You ought to try kvm...

