Bug 596967 - fwknop denied required access under targeted selinux-policy-3.7.19-15.fc13
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2010-05-27 16:18 EDT by P Rauser
Modified: 2010-05-27 17:16 EDT

Doc Type: Bug Fix
Last Closed: 2010-05-27 17:16:38 EDT

Description P Rauser 2010-05-27 16:18:32 EDT
Description of problem:

SELinux throws the following AVC, blocking the proper functioning of fwknop.  N.B. the AVC below was thrown in "permissive" mode, after the program failed in "enforcing" mode.

How reproducible: See the AVC below

SELinux is preventing /sbin/iptables-multi access to a leaked
/var/log/fwknop/knoptm.iptout file descriptor.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the iptables command. It looks like this is
either a leaked descriptor or iptables output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the /var/log/fwknop/knoptm.iptout. You should generate a bugzilla on
selinux-policy, and it will get routed to the appropriate package. You can
safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ

Additional Information:

Source Context                staff_u:system_r:iptables_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/fwknop/knoptm.iptout [ file ]
Source                        iptables
Source Path                   /sbin/iptables-multi
Port                          <Unknown>
Host                          testbed1.lan
Source RPM Packages           iptables-1.4.7-2.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-15.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     testbed1.lan
Platform                      Linux testbed1.lan
                     #1 SMP Thu May 13 05:16:23
                              UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Thu 27 May 2010 03:46:11 PM EDT
Last Seen                     Thu 27 May 2010 03:46:57 PM EDT
Local ID                      9102ca41-5de1-4288-9747-fc17a70b7df5
Line Numbers                  

Raw Audit Messages            

node=testbed1.lan type=AVC msg=audit(1274989617.216:819): avc:  denied  { write } for  pid=7745 comm="iptables" path="/var/log/fwknop/knoptm.iptout" dev=dm-1 ino=1433635 scontext=staff_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=testbed1.lan type=SYSCALL msg=audit(1274989617.216:819): arch=c000003e syscall=59 success=yes exit=0 a0=19f7e50 a1=19f81d0 a2=19f7ef0 a3=40 items=0 ppid=7744 pid=7745 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/iptables-multi" subj=staff_u:system_r:iptables_t:s0 key=(null)
Comment 1 Daniel Walsh 2010-05-27 17:16:38 EDT
This file should have been opened for append by fwknop and then this access would be allowed.

You can add these rules using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Since we do not ship fwknop, I cannot fix that package.
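
Worked example, added here and not part of the bug report nor of fwknop, setroubleshoot or the Fedora policy: a small Python triage script that parses the two raw audit records quoted in the description, pairs them by their audit serial, flags the descriptor-leak pattern (a file-write AVC attached to a successful execve, which is the condition the "leaks" plugin named above), and prints the TE allow rule that audit2allow would derive from the AVC in Comment 1's workaround, so its breadth can be compared with the narrower fix of having fwknop open the log for append. The function names (parse_record, group_events, triage_event, allow_rule) and the leak heuristic are the script's own; the sample log lines are the report's own records, not constructed.

```python
import re

# The two raw audit records from this bug report, as they would appear in
# /var/log/audit/audit.log (taken from the report, not constructed).
AUDIT_LOG = """\
node=testbed1.lan type=AVC msg=audit(1274989617.216:819): avc:  denied  { write } for  pid=7745 comm="iptables" path="/var/log/fwknop/knoptm.iptout" dev=dm-1 ino=1433635 scontext=staff_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=testbed1.lan type=SYSCALL msg=audit(1274989617.216:819): arch=c000003e syscall=59 success=yes exit=0 a0=19f7e50 a1=19f81d0 a2=19f7ef0 a3=40 items=0 ppid=7744 pid=7745 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/iptables-multi" subj=staff_u:system_r:iptables_t:s0 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')              # key=value or key="value"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')     # timestamp and serial
PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

EXECVE_X86_64 = '59'        # execve syscall number on arch c000003e (x86_64)
ARCH_X86_64 = 'c000003e'


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields, plus the
    audit serial and, for AVC records, the decision and permission list."""
    rec = {key: val.strip('"') for key, val in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        rec['timestamp'] = m.group(1)
        rec['serial'] = int(m.group(2))
    m = PERMS_RE.search(line)
    if m:
        rec['decision'] = m.group(1)
        rec['perms'] = m.group(2).split()
    return rec


def group_events(log_text):
    """Group records by audit serial: the kernel emits the AVC and the
    SYSCALL record of one event with the same msg=audit(ts:serial)."""
    events = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec.get('serial'), []).append(rec)
    return events


def type_of(context):
    """Extract the type field from a user:role:type:level context."""
    return context.split(':')[2]


def triage_event(records):
    """Summarise one denied event. The leak heuristic (this script's own):
    a file AVC whose SYSCALL record is a successful execve means the denied
    descriptor was inherited by the new program, not opened by it."""
    avcs = [r for r in records
            if r.get('type') == 'AVC' and r.get('decision') == 'denied']
    if not avcs:
        return None
    avc = avcs[0]
    syscalls = [r for r in records if r.get('type') == 'SYSCALL']
    sc = syscalls[0] if syscalls else {}
    leaked = (sc.get('arch') == ARCH_X86_64
              and sc.get('syscall') == EXECVE_X86_64
              and sc.get('success') == 'yes'
              and avc.get('tclass') == 'file')
    return {
        'serial': avc['serial'],
        'source_domain': type_of(avc['scontext']),
        'target_type': type_of(avc['tcontext']),
        'tclass': avc['tclass'],
        'perms': avc['perms'],
        'path': avc.get('path'),
        'comm': avc.get('comm'),
        'exe': sc.get('exe'),
        'parent_pid': sc.get('ppid'),    # the process that passed the descriptor on
        'leaked_fd_at_exec': leaked,
    }


def allow_rule(records):
    """The TE rule audit2allow would derive from the denied AVC. It grants
    every iptables_t process write on every var_log_t file, far more than
    the single descriptor fwknop hands over."""
    summary = triage_event(records)
    if summary is None:
        return None
    perms = summary['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (summary['source_domain'],
                                   summary['target_type'],
                                   summary['tclass'], perm_str)


if __name__ == '__main__':
    for serial, recs in sorted(group_events(AUDIT_LOG).items()):
        print('event', serial, triage_event(recs))
        print('audit2allow would emit:', allow_rule(recs))
```

Run over the report's records it attributes the denial to the parent pid 7744 (the fwknop side that redirected iptables output) and shows that the audit2allow module from Comment 1 widens iptables_t's access to all of var_log_t, which is why the append-open fix in fwknop itself is the preferable remedy.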
