Bug 604573 - SElinux problem found in netcf (without config files) bridge-nf-call-iptables
Status: CLOSED DUPLICATE of bug 593708
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: netcf
Version: 6.0
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Laine Stump
QA Contact: qe-baseos-daemons
Blocks: 584893
Reported: 2010-06-16 05:25 EDT by Jan Ščotka
Modified: 2010-06-16 09:35 EDT
Last Closed: 2010-06-16 06:06:47 EDT
Doc Type: Bug Fix

Attachments:
strace of command (34.00 KB, application/octet-stream), 2010-06-16 08:35 EDT, Jan Ščotka
Description Jan Ščotka 2010-06-16 05:25:08 EDT
Description of problem:
When testing the netcf package I found a problem with SELinux.
error: can not open /proc/sys/net/bridge/bridge-nf-call-iptables: Permission denied.


Version-Release number of selected component (if applicable):
# rpm -qa netcf
netcf-0.1.6-1.el6.i686


How reproducible:
100%

Steps to Reproduce:
1. # netcf -d

Actual results:
Failed to initialize netcf
error: File operation failed
error: can not open /proc/sys/net/bridge/bridge-nf-call-iptables: Permission denied


Expected results:
no error, or only an error that the config file was not found

Additional info:
message from /var/log/audit/audit.log for this event:

type=AVC msg=audit(1276680230.516:25392): avc:  denied  { search } for  pid=11950 comm="ncftool" scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=SYSCALL msg=audit(1276680230.516:25392): arch=40000003 syscall=5 success=no exit=-13 a0=9ce9820 a1=0 a2=1b6 a3=4698e6 items=0 ppid=11894 pid=11950 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1006 comm="ncftool" exe="/usr/bin/ncftool" subj=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 key=(null)
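As an added example (not part of the bug report or of netcf), here is a small Python parser for the two audit records quoted above. It correlates the AVC record with its SYSCALL record through the shared audit serial (25392), pulls the source and target SELinux types out of the security contexts, and decodes the syscall exit code, which is the information needed to see that this is a policy denial (the iptables_t domain lacks the search permission on a sysctl_net_t directory) rather than an ordinary file-permission failure. The sample log is the two lines from this report, embedded inline; the function and class names are my own.

```python
import errno
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the AVC and SYSCALL records quoted in this bug report.
SAMPLE_LOG = """\
type=AVC msg=audit(1276680230.516:25392): avc:  denied  { search } for  pid=11950 comm="ncftool" scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=SYSCALL msg=audit(1276680230.516:25392): arch=40000003 syscall=5 success=no exit=-13 a0=9ce9820 a1=0 a2=1b6 a3=4698e6 items=0 ppid=11894 pid=11950 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1006 comm="ncftool" exe="/usr/bin/ncftool" subj=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 key=(null)
"""

# Every audit record starts with type=<TYPE> msg=audit(<timestamp>:<serial>):
AUDIT_HDR = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# The AVC body names the verdict, the permission set in braces, then key=value fields.
AVC_BODY = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
# key=value pairs; values are either double-quoted or a run of non-blank characters.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(body: str) -> dict:
    """Turn 'pid=1 comm="x"' style text into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV.findall(body)}


def split_context(ctx: str) -> dict:
    """Split user:role:type[:level]; the level may itself contain ':' (s0-s0:c0.c1023)."""
    user, role, type_, *rest = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': type_, 'level': rest[0] if rest else ''}


@dataclass
class AvcDenial:
    serial: int
    permissions: frozenset
    pid: int
    comm: str
    source_type: str
    target_type: str
    tclass: str
    syscall_exit: Optional[int] = None  # filled in from the SYSCALL record with the same serial


def parse_records(text: str):
    """Yield (type, serial, body) for each well-formed audit record; skip anything else."""
    for line in text.splitlines():
        m = AUDIT_HDR.match(line.strip())
        if m:
            yield m.group(1), int(m.group(3)), m.group(4)


def parse_denials(text: str) -> list:
    """Collect AVC denials and attach the exit code of the matching failed syscall."""
    denials, exits = [], {}
    for rtype, serial, body in parse_records(text):
        if rtype == 'AVC':
            m = AVC_BODY.match(body)
            if not m or m.group(1) != 'denied':
                continue  # granted/auditallow events are not denials
            kv = parse_kv(m.group(3))
            denials.append(AvcDenial(
                serial=serial,
                permissions=frozenset(m.group(2).split()),
                pid=int(kv['pid']),
                comm=kv['comm'],
                source_type=split_context(kv['scontext'])['type'],
                target_type=split_context(kv['tcontext'])['type'],
                tclass=kv['tclass'],
            ))
        elif rtype == 'SYSCALL':
            kv = parse_kv(body)
            if kv.get('success') == 'no':
                exits[serial] = int(kv['exit'])  # negative errno, e.g. -13
    for d in denials:
        d.syscall_exit = exits.get(d.serial)
    return denials


def describe(d: AvcDenial) -> str:
    """One-line, human-readable summary of a denial and how the syscall failed."""
    if d.syscall_exit is None:
        outcome = 'no matching SYSCALL record'
    else:
        outcome = errno.errorcode.get(-d.syscall_exit, f'errno {-d.syscall_exit}')
    return (f"{d.comm}[{d.pid}] in domain {d.source_type} was denied "
            f"{' '.join(sorted(d.permissions))} on {d.tclass} labelled "
            f"{d.target_type}; syscall returned {outcome}")


if __name__ == '__main__':
    for denial in parse_denials(SAMPLE_LOG):
        print(describe(denial))
```

On a live RHEL system the same records would normally be pulled with `ausearch -m avc` rather than read raw from /var/log/audit/audit.log, but the parsing is the same. The point of correlating on the serial is that the AVC record alone does not say how the application experienced the denial; the SYSCALL record's `exit=-13` (EACCES) is what surfaces as the "Permission denied" error in the netcf output above, and a denial with no matching failed syscall is worth a second look before blaming policy.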
Comment 2 Jan Ščotka 2010-06-16 05:37:49 EDT
my network config, if it is important (I have my own bridged net)
# ifconfig 
eth0      Link encap:Ethernet  HWaddr 00:0A:5E:57:A4:C9  
          inet addr:10.16.64.63  Bcast:10.16.71.255  Mask:255.255.248.0
          inet6 addr: fec0:0:a10:4000:20a:5eff:fe57:a4c9/64 Scope:Site
          inet6 addr: fe80::20a:5eff:fe57:a4c9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7206204 errors:0 dropped:0 overruns:1 frame:0
          TX packets:36642 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:570006054 (543.6 MiB)  TX bytes:3402878 (3.2 MiB)
          Interrupt:19 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:14932 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14932 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:6468798 (6.1 MiB)  TX bytes:6468798 (6.1 MiB)

next      Link encap:Ethernet  HWaddr 00:0A:5E:57:A4:C9  
          inet addr:10.16.64.63  Bcast:10.16.71.255  Mask:255.255.248.0
          inet6 addr: fec0:0:a10:4000:20a:5eff:fe57:a4c9/64 Scope:Site
          inet6 addr: fe80::20a:5eff:fe57:a4c9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5893720 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28418 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:373270604 (355.9 MiB)  TX bytes:2597953 (2.4 MiB)

tap0      Link encap:Ethernet  HWaddr BE:E2:A9:9F:E7:B2  
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::bce2:a9ff:fe9f:e7b2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:6023835 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tap1      Link encap:Ethernet  HWaddr C6:07:1C:2F:BC:D5  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::c407:1cff:fe2f:bcd5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:6023834 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tap2      Link encap:Ethernet  HWaddr 1A:B6:AE:11:E9:1E  
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::18b6:aeff:fe11:e91e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:6023833 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tap3      Link encap:Ethernet  HWaddr AA:A2:44:83:E3:73  
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: fe80::a8a2:44ff:fe83:e373/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:6023832 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tap4      Link encap:Ethernet  HWaddr DA:19:BF:F1:AA:FD  
          inet addr:192.168.4.1  Bcast:192.168.4.255  Mask:255.255.255.0
          inet6 addr: fe80::d819:bfff:fef1:aafd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:6023833 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
Comment 4 RHEL Product and Program Management 2010-06-16 05:53:13 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 5 Laine Stump 2010-06-16 06:06:47 EDT
This sounds very much like a bug that was already fixed, but I can't find the
exact bug for some reason. At any rate, it's certainly something that would
fall in the realm of Bug 593708, which is already well on its way to
resolution.

*** This bug has been marked as a duplicate of bug 593708 ***
Comment 6 Jan Ščotka 2010-06-16 07:02:55 EDT
Hi,
it is possible, it seems similar.
The problem is that it is not fixed in the version of the rebased netcf from
https://bugzilla.redhat.com/show_bug.cgi?id=584893
Comment 7 Laine Stump 2010-06-16 08:00:48 EDT
Jan - the problem isn't solved by a new netcf package. It's solved by a new selinux-policy package.
Comment 8 Jan Ščotka 2010-06-16 08:35:27 EDT
Created attachment 424430
strace of command

Yep,
it was a problem of SELinux, so mgrepl built a new one for it:
https://brewweb.devel.redhat.com/buildinfo?buildID=135036

then the problem disappeared. But a second one appeared:

# ncftool
Failed to initialize netcf
error: unspecified error

Is it a big problem, or only a smaller one (some mistake of mine)?
I expected some interactive console of the netcf tool.
strace of the command is attached.
Comment 9 Daniel Walsh 2010-06-16 09:26:42 EDT
Please update the other bug report with newer avc messages.
Comment 10 Jan Ščotka 2010-06-16 09:35:53 EDT
The problem is that the second problem isn't caused by SELinux (no audit.log messages, same problem with setenforce 0);
it seems to be a problem of netcf.
Okay, I'll create a new one.