Bug 619849 - "Permission denied" if selinux is enforcing when doing "ncftool ifup" for a bridge device
"Permission denied" if selinux is enforcing when doing "ncftool ifup" for a b...
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.0
All Linux
low Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
: RHELNAK
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-07-30 13:35 EDT by Laine Stump
Modified: 2012-10-15 11:15 EDT (History)
4 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-36.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-11-10 16:35:54 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Laine Stump 2010-07-30 13:35:45 EDT
With selinux enforcing, if I use ncftool to define a bridge device and ifup it, I get multiple "Permission denied" errors when ifup-eth tries to run /sbin/brctl. If selinux is permissive, there is no error.

How to reproduce:

1) pick an interface that can be trashed on your machine, eg eth1, and save its config (this is just so you can restore it after you're finished with the bug):

   # ncftool dumpxml eth1 >/tmp/eth1.xml

Now define a bridge for it:

# cat >/tmp/br1.xml

<interface type='bridge' name='br1'>
  <start mode='none'/>
  <protocol family='ipv4'>
    <dhcp/>
  </protocol>
  <bridge stp='on' delay='0'>
    <interface type='ethernet' name='eth1'>
      <mac address='00:22:15:59:62:97'/>
    </interface>
  </bridge>
</interface>

(you should take the mac address and protocol family='ipv4' sections from eth1.xml and plug them into the appropriate places here).

# ncftool define /tmp/br1.xml
Defined interface br1


Now try to start it up:

# ncftool ifup br1
etc/sysconfig/network-scripts/ifup-eth: line 163: /usr/sbin/brctl: Permission denied
/etc/sysconfig/network-scripts/ifup-eth: line 60: /usr/sbin/brctl: Permission denied
Interface br1 bring-up failed!
error: failed to execute external program
error: Running 'ifup br1' failed with exit code 1

***********************************
If you then run either "ifup br1" directly, or "virsh iface-start br1" (which makes the same netcf library call as "ncftool ifup br1", but from the libvirtd process instead of ncftool), the bringup is successful. Likewise, if selinux is set to permissive it is successful.
Comment 2 RHEL Product and Program Management 2010-07-30 14:07:36 EDT
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **
Comment 3 Daniel Walsh 2010-07-30 14:45:53 EDT
Please attach the avc's that you are seeing?
Comment 4 Laine Stump 2010-07-30 15:16:50 EDT
Sorry, I couldn't find them before - I was looking in /var/log/audit/audit.log and seeing nothing. Then I realized that auditd was disabled on this machine for some reason, so they're in /var/log/messages.

Here are the avc's when I run "ncftool ifup br0" (just execs /sbin/ifup) with selinux set to permissive:

------------------------------------------------------------------------
Jul 30 15:06:46 rhel6 kernel: type=1401 audit(1280516806.353:122): security_compute_sid:  invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
Jul 30 15:06:46 rhel6 kernel: type=1401 audit(1280516806.412:123): security_compute_sid:  invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
Jul 30 15:06:46 rhel6 kernel: type=1401 audit(1280516806.414:124): security_compute_sid:  invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process


And here is what I get when I run ncftool ifdown br0 (just execs /sbin/ifdown):

--------------------------------------------------------------
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.504:125): avc:  denied  { dac_override } for  pid=5980 comm="ncftool" capability=1  scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tclass=capability
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.694:126): avc:  denied  { getattr } for  pid=5980 comm="ifdown-eth" path="/var/run/dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=file
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.696:127): avc:  denied  { read } for  pid=6018 comm="cat" name="dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=file
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.696:128): avc:  denied  { open } for  pid=6018 comm="cat" name="dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=file
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.696:129): avc:  denied  { signal } for  pid=5980 comm="ifdown-eth" scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=process
Jul 30 15:07:40 rhel6 kernel: type=1400 audit(1280516860.250:130): avc:  denied  { write } for  pid=6041 comm="rm" name="run" dev=dm-0 ino=263681 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
Jul 30 15:07:40 rhel6 kernel: type=1400 audit(1280516860.250:131): avc:  denied  { remove_name } for  pid=6041 comm="rm" name="dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
Jul 30 15:07:41 rhel6 kernel: type=1401 audit(1280516861.019:132): security_compute_sid:  invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
Jul 30 15:07:41 rhel6 kernel: br0: port 1(eth0) entering disabled state
Jul 30 15:07:41 rhel6 kernel: type=1401 audit(1280516861.031:133): security_compute_sid:  invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process

--------------------------------------------------------------

Finally, here is what I get when I ifup an ethernet interface (although this seems to be successful even with selinux enforcing):

Jul 30 15:08:11 rhel6 kernel: type=1400 audit(1280516891.573:134): avc:  denied  { dac_override } for  pid=6232 comm="ncftool" capability=1  scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tclass=capability
Comment 5 Miroslav Grepl 2010-08-02 11:49:55 EDT
Dan, I will add

#######################################
## <summary>
##      Execute brctl in the brctl domain.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`brctl_run',`
        gen_require(`
                type brctl_t, brctl_exec_t;
        ')

        brctl_domtrans($1)
        role $2 types brctl_t;
')

to brctl.if

---

sysnet_read_dhcpc_pid(ncftool_t)
sysnet_signal_dhcpc(ncftool_t)

to ncftool.te

---

and will change ncftool_run to 


interface(`ncftool_run',`
        gen_require(`
                type ncftool_t;
        ')

        ncftool_domtrans($1)
        role $2 types ncftool_t;

        brctl_run(ncftool_t, $2)
')
Comment 6 Miroslav Grepl 2010-08-02 11:57:08 EDT
Laine,
you can allow it for now using

# cat > myncftool.te << _EOF
policy_module(myncftool, 1.0)

require{
 type brctl_t;
 role unconfined_r;
 type ncftool_t;
 type var_run_t;
}

role unconfined_r types brctl_t;

allow ncftool_t var_run_t:dir { write remove_name };
sysnet_read_dhcpc_pid(ncftool_t)
sysnet_signal_dhcpc(ncftool_t)
_EOF

# make -f /usr/share/selinux/devel/Makefile
# semodule -i myncftool.pp
Comment 7 Daniel Walsh 2010-08-03 10:17:35 EDT
Add
	files_rw_pid_dirs($1)

to sysnet_delete_dhcpc_pid

And
########################################
## <summary>
##	Add and remove entries from pid directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`files_rw_pid_dirs',`
	gen_require(`
		type var_run_t;
	')

	allow $1 var_run_t:dir rw_dir_perms;
')

TO files.if
Comment 8 Miroslav Grepl 2010-08-03 10:28:48 EDT
Thanks, I missed this one.
Comment 9 Laine Stump 2010-08-04 18:55:17 EDT
Can you provide me with a scratch RPM to test this? There aren't many snapshots left, so I'd rather test ahead of time and be sure that what's going in is going to solve all the denials.
Comment 10 Miroslav Grepl 2010-08-06 09:20:02 EDT
Fixed in selinux-policy-3.7.19-36.el6.noarch.
Comment 11 Laine Stump 2010-08-06 14:42:29 EDT
Yes, I've verified that this particular AVC no longer occurs with selinux-policy-3.7.19-36
Comment 14 releng-rhel@redhat.com 2010-11-10 16:35:54 EST
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.