Bug 619849 - "Permission denied" if selinux is enforcing when doing "ncftool ifup" for a bridge device
Summary: "Permission denied" if selinux is enforcing when doing "ncftool ifup" for a b...
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy   
(Show other bugs)
Version: 6.0
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Keywords: RHELNAK
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-07-30 17:35 UTC by Laine Stump
Modified: 2012-10-15 15:15 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.7.19-36.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-11-10 21:35:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Laine Stump 2010-07-30 17:35:45 UTC
With selinux enforcing, if I use ncftool to define a bridge device and ifup it, I get multiple "Permission denied" errors when ifup-eth tries to run /sbin/brctl. If selinux is permissive, there is no error.

How to reproduce:

1) pick an interface that can be trashed on your machine, eg eth1, and save its config (this is just so you can restore it after you're finished with the bug):

   # ncftool dumpxml eth1 >/tmp/eth1.xml

Now define a bridge for it:

# cat >/tmp/br1.xml

<interface type='bridge' name='br1'>
  <start mode='none'/>
  <protocol family='ipv4'>
    <dhcp/>
  </protocol>
  <bridge stp='on' delay='0'>
    <interface type='ethernet' name='eth1'>
      <mac address='00:22:15:59:62:97'/>
    </interface>
  </bridge>
</interface>

(you should take the mac address and protocol family='ipv4' sections from eth1.xml and plug them into the appropriate places here).

# ncftool define /tmp/br1.xml
Defined interface br1


Now try to start it up:

# ncftool ifup br1
etc/sysconfig/network-scripts/ifup-eth: line 163: /usr/sbin/brctl: Permission denied
/etc/sysconfig/network-scripts/ifup-eth: line 60: /usr/sbin/brctl: Permission denied
Interface br1 bring-up failed!
error: failed to execute external program
error: Running 'ifup br1' failed with exit code 1

***********************************
If you then run either "ifup br1" directly, or "virsh iface-start br1" (which makes the same netcf library call as "ncftool ifup br1", but from the libvirtd process instead of ncftool), the bringup is successful. Likewise, if selinux is set to permissive it is successful.

Comment 2 RHEL Product and Program Management 2010-07-30 18:07:36 UTC
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **

Comment 3 Daniel Walsh 2010-07-30 18:45:53 UTC
Please attach the avc's that you are seeing?

Comment 4 Laine Stump 2010-07-30 19:16:50 UTC
Sorry, I couldn't find them before - I was looking in /var/log/audit/audit.log and seeing nothing. Then I realized that auditd was disabled on this machine for some reason, so they're in /var/log/messages.

Here are the avc's when I run "ncftool ifup br0" (just execs /sbin/ifup) with selinux set to permissive:

------------------------------------------------------------------------
Jul 30 15:06:46 rhel6 kernel: type=1401 audit(1280516806.353:122): security_compute_sid:  invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
Jul 30 15:06:46 rhel6 kernel: type=1401 audit(1280516806.412:123): security_compute_sid:  invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
Jul 30 15:06:46 rhel6 kernel: type=1401 audit(1280516806.414:124): security_compute_sid:  invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process


And here is what I get when I run ncftool ifdown br0 (just execs /sbin/ifdown):

--------------------------------------------------------------
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.504:125): avc:  denied  { dac_override } for  pid=5980 comm="ncftool" capability=1  scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tclass=capability
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.694:126): avc:  denied  { getattr } for  pid=5980 comm="ifdown-eth" path="/var/run/dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=file
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.696:127): avc:  denied  { read } for  pid=6018 comm="cat" name="dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=file
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.696:128): avc:  denied  { open } for  pid=6018 comm="cat" name="dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dhcpc_var_run_t:s0 tclass=file
Jul 30 15:07:39 rhel6 kernel: type=1400 audit(1280516859.696:129): avc:  denied  { signal } for  pid=5980 comm="ifdown-eth" scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=process
Jul 30 15:07:40 rhel6 kernel: type=1400 audit(1280516860.250:130): avc:  denied  { write } for  pid=6041 comm="rm" name="run" dev=dm-0 ino=263681 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
Jul 30 15:07:40 rhel6 kernel: type=1400 audit(1280516860.250:131): avc:  denied  { remove_name } for  pid=6041 comm="rm" name="dhclient-br0.pid" dev=dm-0 ino=262386 scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
Jul 30 15:07:41 rhel6 kernel: type=1401 audit(1280516861.019:132): security_compute_sid:  invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process
Jul 30 15:07:41 rhel6 kernel: br0: port 1(eth0) entering disabled state
Jul 30 15:07:41 rhel6 kernel: type=1401 audit(1280516861.031:133): security_compute_sid:  invalid context unconfined_u:unconfined_r:brctl_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=process

--------------------------------------------------------------

Finally, here is what I get when I ifup an ethernet interface (although this seems to be successful even with selinux enforcing):

Jul 30 15:08:11 rhel6 kernel: type=1400 audit(1280516891.573:134): avc:  denied  { dac_override } for  pid=6232 comm="ncftool" capability=1  scontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:ncftool_t:s0-s0:c0.c1023 tclass=capability

Comment 5 Miroslav Grepl 2010-08-02 15:49:55 UTC
Dan, I will add

#######################################
## <summary>
##      Execute brctl in the brctl domain.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`brctl_run',`
        gen_require(`
                type brctl_t, brctl_exec_t;
        ')

        brctl_domtrans($1)
        role $2 types brctl_t;
')

to brctl.if

---

sysnet_read_dhcpc_pid(ncftool_t)
sysnet_signal_dhcpc(ncftool_t)

to ncftool.te

---

and will change ncftool_run to 


interface(`ncftool_run',`
        gen_require(`
                type ncftool_t;
        ')

        ncftool_domtrans($1)
        role $2 types ncftool_t;

        brctl_run(ncftool_t, $2)
')

Comment 6 Miroslav Grepl 2010-08-02 15:57:08 UTC
Laine,
you can allow it for now using

# cat > myncftool.te << _EOF
policy_module(myncftool, 1.0)

require{
 type brctl_t;
 role unconfined_r;
 type ncftool_t;
 type var_run_t;
}

role unconfined_r types brctl_t;

allow ncftool_t var_run_t:dir { write remove_name };
sysnet_read_dhcpc_pid(ncftool_t)
sysnet_signal_dhcpc(ncftool_t)
_EOF

# make -f /usr/share/selinux/devel/Makefile
# semodule -i myncftool.pp

Comment 7 Daniel Walsh 2010-08-03 14:17:35 UTC
Add
	files_rw_pid_dirs($1)

to sysnet_delete_dhcpc_pid

And
########################################
## <summary>
##	Add and remove entries from pid directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`files_rw_pid_dirs',`
	gen_require(`
		type var_run_t;
	')

	allow $1 var_run_t:dir rw_dir_perms;
')

TO files.if

Comment 8 Miroslav Grepl 2010-08-03 14:28:48 UTC
Thanks, I missed this one.

Comment 9 Laine Stump 2010-08-04 22:55:17 UTC
Can you provide me with a scratch RPM to test this? There aren't many snapshots left, so I'd rather test ahead of time and be sure that what's going in is going to solve all the denials.

Comment 10 Miroslav Grepl 2010-08-06 13:20:02 UTC
Fixed in selinux-policy-3.7.19-36.el6.noarch.

Comment 11 Laine Stump 2010-08-06 18:42:29 UTC
Yes, I've verified that this particular AVC no longer occurs with selinux-policy-3.7.19-36

Comment 14 releng-rhel@redhat.com 2010-11-10 21:35:54 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.