Bug 605890 - SELinux is preventing /usr/sbin/aiccu "write" access .
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: x86_64 Linux
Priority: low, Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:75fbd1069a8...
Reported: 2010-06-19 03:13 EDT by atrias
Modified: 2010-07-06 13:09 EDT
Fixed In Version: selinux-policy-3.7.19-33.fc13
Doc Type: Bug Fix
Last Closed: 2010-07-06 13:09:20 EDT

Attachments
other alerts (199.87 KB, image/jpeg), 2010-06-19 03:25 EDT, atrias
other alerts 2 (230.60 KB, image/jpeg), 2010-06-19 03:28 EDT, atrias
SELinux is preventing /bin/bash "sys_tty_config" access (2.42 KB, text/plain), 2010-07-02 17:16 EDT, Stefan Jensen

Description atrias 2010-06-19 03:13:07 EDT
Summary:

SELinux is preventing /usr/sbin/aiccu "write" access .

Detailed Description:

[aiccu has a permissive type (aiccu_t). This access was not denied.]

SELinux denied access requested by aiccu. It is not expected that this access is
required by aiccu and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:aiccu_t:s0
Target Context                unconfined_u:system_r:aiccu_t:s0
Target Objects                None [ udp_socket ]
Source                        aiccu
Source Path                   /usr/sbin/aiccu (deleted)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           aiccu-2007.01.15-7.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-23.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux fedora.home 2.6.33.5-124.fc13.x86_64 #1 SMP
                              Fri Jun 11 09:38:12 UTC 2010 x86_64 x86_64
Alert Count                   8
First Seen                    Sat 19 Jun 2010 12:01:15 AM EEST
Last Seen                     Sat 19 Jun 2010 10:04:10 AM EEST
Local ID                      6ad8b7bf-c39f-45a9-ad3b-5ac9d18a4c8b
Line Numbers                  

Raw Audit Messages            

node=fedora.home type=AVC msg=audit(1276931050.600:76): avc:  denied  { write } for  pid=2261 comm="aiccu" laddr=192.168.1.2 lport=45828 faddr=94.75.219.73 fport=5072 scontext=unconfined_u:system_r:aiccu_t:s0 tcontext=unconfined_u:system_r:aiccu_t:s0 tclass=udp_socket

node=fedora.home type=SYSCALL msg=audit(1276931050.600:76): arch=c000003e syscall=44 success=yes exit=92 a0=6 a1=7f6b2a756d90 a2=5c a3=0 items=0 ppid=1 pid=2261 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="aiccu" exe="/usr/sbin/aiccu" subj=unconfined_u:system_r:aiccu_t:s0 key=(null)



Hash String generated from  catchall,aiccu,aiccu_t,aiccu_t,udp_socket,write
audit2allow suggests:

#============= aiccu_t ==============
allow aiccu_t self:udp_socket write;
Comment 1 atrias 2010-06-19 03:25:32 EDT
Created attachment 425303
other alerts
Comment 2 atrias 2010-06-19 03:27:32 EDT
Nothing is mentioned in the alert about /dev/net/tun as in bug 590481, and I also have a later version of the SELinux policies which is supposed to solve the aiccu problems.

I also get all the alerts that are shown in the screenshots just when I start the aiccu service.
Comment 3 atrias 2010-06-19 03:28:15 EDT
Created attachment 425304
other alerts 2
Comment 4 Miroslav Grepl 2010-06-21 04:08:12 EDT
It was fixed in selinux-policy-3.7.19-28.fc13.

selinux-policy-3.7.19-28.fc13 has been pushed to the Fedora 13 testing
repository.  If problems still persist, please make note of it in this bug
report.

If you want to test the update, you can install it with 

su -c 'yum --enablerepo=updates-testing update selinux-policy'.  

You can provide feedback for this update here:
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-28.fc13
Comment 5 atrias 2010-06-24 12:49:52 EDT
Thank you for the information.

How much time does it take for a package to go from testing to updates?

I googled that but I couldn't find a clear answer.
Comment 6 atrias 2010-06-24 13:22:32 EDT
I just updated my Fedora and selinux-policy-3.7.19-28.fc13 was installed.

After restarting my PC I tried:

[root@fedora ~]# /etc/init.d/aiccu start
Starting AICCU (Automatic IPv6 Connectivity Configuration U[FAILED]services: 

The new bug is:

SELinux is preventing /usr/sbin/aiccu "read" access on /etc/hosts.

Should I open a new bug report?
Comment 7 Daniel Walsh 2010-06-25 14:38:24 EDT
Please attach the avc messages from /var/log/audit/audit.log


Looks like we need

sysnet_dns_name_resolve(aiccu_t)
Comment 8 atrias 2010-06-25 15:09:25 EDT
I made a copy of this log file and then (after trying to start aiccu) I made a diff between them.

The lines that were added because of aiccu are these:

2753,2756d2752
< type=AVC msg=audit(1277492828.466:25568): avc:  denied  { read } for  pid=8034 comm="aiccu" name="resolv.conf" dev=dm-0 ino=165 scontext=unconfined_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
< type=SYSCALL msg=audit(1277492828.466:25568): arch=c000003e syscall=2 success=no exit=-13 a0=32fdd426db a1=0 a2=1b6 a3=2 items=0 ppid=8033 pid=8034 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="aiccu" exe="/usr/sbin/aiccu" subj=unconfined_u:system_r:aiccu_t:s0 key=(null)
< type=AVC msg=audit(1277492828.468:25569): avc:  denied  { read } for  pid=8034 comm="aiccu" name="hosts" dev=dm-0 ino=126 scontext=unconfined_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
< type=SYSCALL msg=audit(1277492828.468:25569): arch=c000003e syscall=2 success=no exit=-13 a0=7f402d86a2a6 a1=80000 a2=1b6 a3=0 items=0 ppid=8033 pid=8034 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="aiccu" exe="/usr/sbin/aiccu" subj=unconfined_u:system_r:aiccu_t:s0 key=(null)
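
The denials quoted in this report can be reduced to the rules `audit2allow` would suggest, with each AVC record joined to its SYSCALL record by audit event id to show whether the call was actually blocked. This is an added example, not part of the original report or of any Fedora tool; `summarize` and `se_type` are hypothetical names, and the sample records are abridged from the ones on this page.

```python
import re
from collections import Counter, defaultdict

# Audit records from this page, abridged to the fields used below.
SAMPLE = """\
type=AVC msg=audit(1276931050.600:76): avc:  denied  { write } for  pid=2261 comm="aiccu" scontext=unconfined_u:system_r:aiccu_t:s0 tcontext=unconfined_u:system_r:aiccu_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1276931050.600:76): arch=c000003e syscall=44 success=yes exit=92 comm="aiccu" exe="/usr/sbin/aiccu"
type=AVC msg=audit(1277492828.466:25568): avc:  denied  { read } for  pid=8034 comm="aiccu" name="resolv.conf" scontext=unconfined_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1277492828.466:25568): arch=c000003e syscall=2 success=no exit=-13 comm="aiccu" exe="/usr/sbin/aiccu"
type=AVC msg=audit(1277492828.468:25569): avc:  denied  { read } for  pid=8034 comm="aiccu" name="hosts" scontext=unconfined_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1277492828.468:25569): arch=c000003e syscall=2 success=no exit=-13 comm="aiccu" exe="/usr/sbin/aiccu"
"""

EVENT = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\)")
AVC = re.compile(r"\{ ([^}]+) \}.*scontext=(\S+) tcontext=(\S+) tclass=(\S+)")

def se_type(context):
    return context.split(":")[2]  # user:role:type:level

def summarize(log_text):
    """Map each audit2allow-style rule to a count of syscall outcomes."""
    avcs, outcome = [], {}
    for line in log_text.splitlines():
        ev = EVENT.search(line)
        rec_type, event_id = ev.groups() if ev else (None, None)
        if rec_type == "AVC":  # AVC and SYSCALL records share the event id
            avc = AVC.search(line)
            if avc:
                avcs.append((event_id, *avc.groups()))
        elif rec_type == "SYSCALL":
            ok = re.search(r"\bsuccess=(\w+)", line)
            outcome[event_id] = ok.group(1) if ok else "unknown"
    grouped = defaultdict(lambda: (set(), Counter()))
    for event_id, perms, scon, tcon, tclass in avcs:
        src, tgt = se_type(scon), se_type(tcon)
        perm_set, results = grouped[(src, "self" if src == tgt else tgt, tclass)]
        perm_set.update(perms.split())
        # success=yes: logged but the call went through; success=no: the call failed
        results[outcome.get(event_id, "unknown")] += 1
    report = {}
    for (src, tgt, tclass), (perm_set, results) in grouped.items():
        perms = sorted(perm_set)
        text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        report[f"allow {src} {tgt}:{tclass} {text};"] = dict(results)
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The `udp_socket` rule comes out with `success=yes`, matching the alert's note that `aiccu_t` was a permissive type at the time, while both `net_conf_t` reads show `success=no` (exit -13, EACCES). Comment 7 proposes the policy interface `sysnet_dns_name_resolve(aiccu_t)` for the latter instead of a raw `allow` rule.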
Comment 9 Miroslav Grepl 2010-06-28 10:18:44 EDT
Fixed in selinux-policy-3.7.19-32.fc13
Comment 10 Fedora Update System 2010-06-30 15:55:04 EDT
selinux-policy-3.7.19-33.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13
Comment 11 Fedora Update System 2010-07-01 14:49:01 EDT
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.

If you want to test the update, you can install it with

su -c 'yum --enablerepo=updates-testing update selinux-policy'.

You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13
Comment 12 atrias 2010-07-02 13:32:21 EDT
Seems to work OK now!!
Thank you very much!
Comment 13 Stefan Jensen 2010-07-02 14:51:19 EDT
Confirming, solved all my problems with aiccu. Thank you!
Comment 14 atrias 2010-07-02 15:00:13 EDT
I know it is a little off-topic, but does anyone know of a way to start aiccu automatically on startup?
I used 'chkconfig aiccu on' but after reboot I got
Starting AICCU (Automatic IPv6 Connectivity Configuration Utility) services: 	[FAILED]
When I tried to start it manually it started OK.
Any ideas?
Comment 15 atrias 2010-07-02 15:56:57 EDT
For anyone interested, the solution is:
'chkconfig --del aiccu'
and then 
'chkconfig --add aiccu'
and finally
'chkconfig aiccu on'
Comment 16 Stefan Jensen 2010-07-02 17:16:17 EDT
Created attachment 429169
SELinux is preventing /bin/bash "sys_tty_config" access

Whoops, I was too fast. One last error appears for aiccu.

Best regards
Comment 17 Stefan Jensen 2010-07-03 19:30:17 EDT
Additional: If SELinux is set to enforcing, aiccu is not able to be "verbose" on startup. So the tunnel information is not displayed.

/etc/aiccu.conf

# Be verbose? (default: false)
verbose true
Comment 18 Fedora Update System 2010-07-06 13:07:21 EDT
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
