Bug 619849 - "Permission denied" if selinux is enforcing when doing "ncftool ifup" for a bridge device
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-07-30 17:35 UTC by Laine Stump
Modified: 2012-10-15 15:15 UTC (History)

Fixed In Version: selinux-policy-3.7.19-36.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-11-10 21:35:54 UTC
Target Upstream Version:
Embargoed:



Description Laine Stump 2010-07-30 17:35:45 UTC
With selinux enforcing, if I use ncftool to define a bridge device and ifup it, I get multiple "Permission denied" errors when ifup-eth tries to run /sbin/brctl. If selinux is permissive, there is no error.

How to reproduce:

1) pick an interface that can be trashed on your machine, e.g. eth1, and save its config (this is just so you can restore it after you're finished with the bug):

   # ncftool dumpxml eth1 >/tmp/eth1.xml

Now define a bridge for it:

# cat >/tmp/br1.xml

<interface type='bridge' name='br1'>
  <start mode='none'/>
  <protocol family='ipv4'>
    <dhcp/>
  </protocol>
  <bridge stp='on' delay='0'>
    <interface type='ethernet' name='eth1'>
      <mac address='00:22:15:59:62:97'/>
    </interface>
  </bridge>
</interface>

(you should take the mac address and protocol family='ipv4' sections from eth1.xml and plug them into the appropriate places here).

# ncftool define /tmp/br1.xml
Defined interface br1


Now try to start it up:

# ncftool ifup br1
/etc/sysconfig/network-scripts/ifup-eth: line 163: /usr/sbin/brctl: Permission denied
/etc/sysconfig/network-scripts/ifup-eth: line 60: /usr/sbin/brctl: Permission denied
Interface br1 bring-up failed!
error: failed to execute external program
error: Running 'ifup br1' failed with exit code 1

***********************************
If you then run either "ifup br1" directly, or "virsh iface-start br1" (which makes the same netcf library call as "ncftool ifup br1", but from the libvirtd process instead of ncftool), the bringup is successful. Likewise, if selinux is set to permissive it is successful.

Comment 2 RHEL Program Management 2010-07-30 18:07:36 UTC
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **

Comment 3 Daniel Walsh 2010-07-30 18:45:53 UTC
Please attach the avc's that you are seeing?

Comment 4 Laine Stump 2010-07-30 19:16:50 UTC
Sorry, I couldn't find them before - I was looking in /var/log/audit/audit.log and seeing nothing. Then I realized that auditd was disabled on this machine for some reason, so they're in /var/log/messages.

Here are the avc's when I run "ncftool ifup br0" (just execs /sbin/ifup) with selinux set to permissive:

------------------------------------------------------------------------
Jul 30 15:06:46 rhel6 kernel: type=1401 audit(1280516806.353:122): security_compute_sid:  invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
Jul 30 15:06:46 rhel6 kernel: type=1401 audit(1280516806.412:123): security_compute_sid:  invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
Jul 30 15:06:46 rhel6 kernel: type=1401 audit(1280516806.414:124): security_compute_sid:  invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process


And here is what I get when I run ncftool ifdown br0 (just execs /sbin/ifdown):

--------------------------------------------------------------
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.504:125): avc:  denied  { dac_override } for  pid=5980 comm="ncftool" capability=1  scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tclass=capability
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.694:126): avc:  denied  { getattr } for  pid=5980 comm="ifdown-eth" path="/var/run/dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=file
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.696:127): avc:  denied  { read } for  pid=6018 comm="cat" name="dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=file
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.696:128): avc:  denied  { open } for  pid=6018 comm="cat" name="dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=file
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.696:129): avc:  denied  { signal } for  pid=5980 comm="ifdown-eth" scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=process
Jul 30 15:07:40 rhel6 kernel: type=1400 audit(1280516860.250:130): avc:  denied  { write } for  pid=6041 comm="rm" name="run" dev=dm-0 ino=263681 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
Jul 30 15:07:40 rhel6 kernel: type=1400 audit(1280516860.250:131): avc:  denied  { remove_name } for  pid=6041 comm="rm" name="dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
Jul 30 15:07:41 rhel6 kernel: type=1401 audit(1280516861.019:132): security_compute_sid:  invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
Jul 30 15:07:41 rhel6 kernel: br0: port 1(eth0) entering disabled state
Jul 30 15:07:41 rhel6 kernel: type=1401 audit(1280516861.031:133): security_compute_sid:  invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process

--------------------------------------------------------------

Finally, here is what I get when I ifup an ethernet interface (although this seems to be successful even with selinux enforcing):

Jul 30 15:08:11 rhel6 kernel: type=1400 audit(1280516891.573:134): avc:  denied  { dac_override } for  pid=6232 comm="ncftool" capability=1  scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tclass=capability

Comment 5 Miroslav Grepl 2010-08-02 15:49:55 UTC
Dan, I will add

#######################################
## <summary>
##      Execute brctl in the brctl domain.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`brctl_run',`
        gen_require(`
                type brctl_t, brctl_exec_t;
        ')

        brctl_domtrans($1)
        role $2 types brctl_t;
')

to brctl.if

---

sysnet_read_dhcpc_pid(ncftool_t)
sysnet_signal_dhcpc(ncftool_t)

to ncftool.te

---

and will change ncftool_run to 


interface(`ncftool_run',`
        gen_require(`
                type ncftool_t;
        ')

        ncftool_domtrans($1)
        role $2 types ncftool_t;

        brctl_run(ncftool_t, $2)
')

Comment 6 Miroslav Grepl 2010-08-02 15:57:08 UTC
Laine,
you can allow it for now using

# cat > myncftool.te << _EOF
policy_module(myncftool, 1.0)

require{
 type brctl_t;
 role unconfined_r;
 type ncftool_t;
 type var_run_t;
}

role unconfined_r types brctl_t;

allow ncftool_t var_run_t:dir { write remove_name };
sysnet_read_dhcpc_pid(ncftool_t)
sysnet_signal_dhcpc(ncftool_t)
_EOF

# make -f /usr/share/selinux/devel/Makefile
# semodule -i myncftool.pp

Comment 7 Daniel Walsh 2010-08-03 14:17:35 UTC
Add
	files_rw_pid_dirs($1)

to sysnet_delete_dhcpc_pid

And
########################################
## <summary>
##	Add and remove entries from pid directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`files_rw_pid_dirs',`
	gen_require(`
		type var_run_t;
	')

	allow $1 var_run_t:dir rw_dir_perms;
')

TO files.if
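
The log Laine pasted in comment 4 contains two different kinds of record, and the fix in comments 5 to 7 has to address both. The type=1400 "avc: denied" lines are ordinary type-enforcement denials, the kind audit2allow turns into allow rules (the dhcpc pid file, the signal to dhcpc_t, the write/remove_name on /var/run). The type=1401 "security_compute_sid: invalid context" lines are different: the ncftool_t to brctl_t domain transition was permitted, but the resulting context unconfined_u:unconfined_r:brctl_t is invalid because role unconfined_r is not authorised for type brctl_t, which is why the fix needs "role unconfined_r types brctl_t;" (the role $2 types brctl_t line of brctl_run) and not another allow rule. The script below is an added example, not part of this bug thread or of the selinux-policy package: it parses those exact lines, aggregates the type=1400 denials per (source type, target type, class) the way audit2allow would, pulls the (role, type) pair out of the type=1401 records, and renders a raw .te fragment equivalent to Miroslav's interim module in comment 6. The function names parse_avc, parse_invalid_contexts and render_te are this example's own; the emitted raw allow rules are for triage only, the shipped policy expresses the same access through refpolicy interfaces as comments 5 and 7 do.

```python
"""Triage of the SELinux audit records quoted in comment 4 (added example).

Two record types appear there:
  type=1400  avc: denied ...            a type-enforcement denial; audit2allow
                                        turns these into allow rules
  type=1401  security_compute_sid: ...  the ncftool_t -> brctl_t transition was
                                        permitted, but the resulting context is
                                        invalid because role unconfined_r is not
                                        authorised for type brctl_t; audit2allow
                                        generates nothing for these, the
                                        'role R types T;' line is hand-written
"""
import re
from collections import defaultdict

# Sample input: kernel audit lines copied from comment 4 of this bug (not constructed
# data), including the repeated brctl record so de-duplication is visible, plus one
# ordinary kernel line to show that non-audit lines are ignored.
SAMPLE_LOG = """\
Jul 30 15:06:46 rhel6 kernel: type=1401 audit(1280516806.353:122): security_compute_sid:  invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.504:125): avc:  denied  { dac_override } for  pid=5980 comm="ncftool" capability=1  scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tclass=capability
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.694:126): avc:  denied  { getattr } for  pid=5980 comm="ifdown-eth" path="/var/run/dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=file
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.696:127): avc:  denied  { read } for  pid=6018 comm="cat" name="dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=file
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.696:128): avc:  denied  { open } for  pid=6018 comm="cat" name="dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=file
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.696:129): avc:  denied  { signal } for  pid=5980 comm="ifdown-eth" scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=process
Jul 30 15:07:40 rhel6 kernel: type=1400 audit(1280516860.250:130): avc:  denied  { write } for  pid=6041 comm="rm" name="run" dev=dm-0 ino=263681 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
Jul 30 15:07:40 rhel6 kernel: type=1400 audit(1280516860.250:131): avc:  denied  { remove_name } for  pid=6041 comm="rm" name="dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
Jul 30 15:07:41 rhel6 kernel: br0: port 1(eth0) entering disabled state
Jul 30 15:07:41 rhel6 kernel: type=1401 audit(1280516861.019:132): security_compute_sid:  invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
Jul 30 15:08:11 rhel6 kernel: type=1400 audit(1280516891.573:134): avc:  denied  { dac_override } for  pid=6232 comm="ncftool" capability=1  scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tclass=capability
"""

# type=1400: permissions in braces, then (after pid/comm/path/name fields that vary
# per record) the source and target contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
# type=1401: the context the kernel computed and rejected, plus the transition inputs.
SID_RE = re.compile(
    r'security_compute_sid:\s+invalid context (?P<newctx>\S+)\s+for\s+'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')


def role_of(ctx):
    """user:role:type[:range] -> role."""
    return ctx.split(':')[1]


def type_of(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(':')[2]


def parse_avc(text):
    """Aggregate type=1400 denials into {(source_type, target_type, tclass): {perms}}.

    Repeated records (the two dac_override lines) collapse into one rule, and the
    three separate read/open/getattr denials on the dhclient pid file merge into one.
    """
    rules = defaultdict(set)
    for m in AVC_RE.finditer(text):
        key = (type_of(m['scontext']), type_of(m['tcontext']), m['tclass'])
        rules[key].update(m['perms'].split())
    return dict(rules)


def parse_invalid_contexts(text):
    """Return the {(role, new_type)} pairs that need a 'role R types T;' statement."""
    pairs = set()
    for m in SID_RE.finditer(text):
        if m['tclass'] == 'process':  # only process transitions yield a new domain
            pairs.add((role_of(m['newctx']), type_of(m['newctx'])))
    return pairs


def render_te(rules, role_pairs, module='myncftool'):
    """Render a minimal .te covering exactly what was parsed (raw rules, no interfaces)."""
    types = set()
    for src, tgt, _ in rules:
        types.update((src, tgt))
    types.update(t for _, t in role_pairs)
    lines = [f'policy_module({module}, 1.0)', '', 'require {']
    lines += [f'\ttype {t};' for t in sorted(types)]
    lines += [f'\trole {r};' for r in sorted({r for r, _ in role_pairs})]
    lines += ['}', '']
    for role, t in sorted(role_pairs):
        lines.append(f'role {role} types {t};')
    for (src, tgt, tclass), perms in sorted(rules.items()):
        target = 'self' if src == tgt else tgt  # e.g. ncftool_t self:capability
        perm = next(iter(perms)) if len(perms) == 1 else '{ ' + ' '.join(sorted(perms)) + ' }'
        lines.append(f'allow {src} {target}:{tclass} {perm};')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print(render_te(parse_avc(SAMPLE_LOG), parse_invalid_contexts(SAMPLE_LOG)))
```

Run against a real system, the input would be /var/log/audit/audit.log, or /var/log/messages when auditd is not running as in comment 4; the type=1401 records are the ones to look for whenever a transition "succeeds" in permissive mode but the target program still reports Permission denied in enforcing mode.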

Comment 8 Miroslav Grepl 2010-08-03 14:28:48 UTC
Thanks, I missed this one.

Comment 9 Laine Stump 2010-08-04 22:55:17 UTC
Can you provide me with a scratch RPM to test this? There aren't many snapshots left, so I'd rather test ahead of time and be sure that what's going in is going to solve all the denials.

Comment 10 Miroslav Grepl 2010-08-06 13:20:02 UTC
Fixed in selinux-policy-3.7.19-36.el6.noarch.

Comment 11 Laine Stump 2010-08-06 18:42:29 UTC
Yes, I've verified that this particular AVC no longer occurs with selinux-policy-3.7.19-36

Comment 14 releng-rhel@redhat.com 2010-11-10 21:35:54 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

