Summary:

SELinux is preventing /sbin/ifconfig access to a netlink_rout file descriptor

Detailed Description:

[ip is running in permissive mode (ifconfig_t). This access was not denied.]

SELinux denied access requested by the ifconfig command. It looks like this is either a leaked descriptor or ifconfig output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the desc

Allowing Access:

You can generate a local policy module to allow this access (see http://do

Additional Information:

Source Context                unconfined_u:system_r:ifconfig_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                netlink_route_socket [ netlink_route_socket ]
Source                        ip
Source Path                   /sbin/ip
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           net-tools-1.60-103.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-51.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.34.6-47.fc13.i686.PAE #1 SMP Fri Aug 27 09:29:49 UTC 2010 i686 i686
Alert Count                   12
First Seen                    Thu 09 Sep 2010 19:10:11
Last Seen                     Sat 11 Sep 2010 09:16:01
Local ID                      d5c89ce0-a187-4dd8-a4e4-e8dd787573af
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1284182161.347:27366): avc: denied { read write } for pid=2449 comm="ifconfig" path="socket:[19226]" dev=sockfs ino=19226 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=netlink_route_socket

node=(removed) type=SYSCALL msg=audit(1284182161.347:27366): arch=40000003 syscall=11 success=yes exit=0 a0=853e9e8 a1=853ff30 a2=851a388 a3=853ff30 items=0 ppid=2448 pid=2449 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ifconfig" exe="/sbin/ifconfig" subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)

Hash String generated from  leaks,ip,ifconfig_t,unconfined_t,netlink_route_socket,read,write

audit2allow suggests:

#============= ifconfig_t ==============
allow ifconfig_t unconfined_t:netlink_route_socket { read write };
Have to add

ifdef(`hide_broken_symptoms', `
	dontaudit ifconfig_t $1:socket_class_set { read write };
')

to the domtrans.
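To show why the fix above is a dontaudit and not the allow rule audit2allow suggests, here is an added example (my own code, not part of setroubleshoot, audit2allow or selinux-policy). It parses raw audit records of the shape pasted in this bug, pairs each AVC with its SYSCALL record by audit serial, and flags a denial as a leaked descriptor when the object is an anonymous socket:[ino] or pipe:[ino] and the paired syscall is execve, which is my approximation of the check the "leaks" plugin makes, not its actual source. The first sample record pair is the x86_64 denial from this report; the second pair (a plain file open denied on an etc_t file) is constructed for the example and is not from the bug.

```python
"""Triage SELinux AVC denials: leaked fd across a domain transition or not.

Added example for this bug report; not setroubleshoot, audit2allow or
selinux-policy code. For a leak the descriptor was inherited by the new
domain at execve and the kernel closed it, so granting the access is
pointless; the denial should be silenced with dontaudit instead.
"""
import re
from collections import defaultdict

# execve syscall numbers keyed by the audit "arch" field: i386 (40000003)
# and x86_64 (c000003e), the two architectures that appear in this bug.
EXECVE_BY_ARCH = {"40000003": 11, "c000003e": 59}

# Sample input. Pair 1 (serial 27501) is the x86_64 denial from this bug.
# Pair 2 (serial 27502) is CONSTRUCTED for this example: a read denied on
# a regular etc_t file at open() time, i.e. not a leaked descriptor.
SAMPLE_AUDIT = """\
node=cedar type=AVC msg=audit(1286317583.754:27501): avc:  denied  { read write } for  pid=7013 comm="ip" path="socket:[194112]" dev=sockfs ino=194112 scontext=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=netlink_route_socket
node=cedar type=SYSCALL msg=audit(1286317583.754:27501): arch=c000003e syscall=59 success=yes exit=0 a0=e3f9f0 a1=dbe800 a2=e6a300 a3=1 items=0 ppid=6996 pid=7013 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="ip" exe="/sbin/ip" subj=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 key=(null)
node=cedar type=AVC msg=audit(1286317600.000:27502): avc:  denied  { read } for  pid=7020 comm="ip" name="example.conf" dev=dm-0 ino=4242 scontext=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=cedar type=SYSCALL msg=audit(1286317600.000:27502): arch=c000003e syscall=2 success=no exit=-13 a0=1 a1=0 a2=0 a3=0 items=1 ppid=6996 pid=7020 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="ip" exe="/sbin/ip" subj=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 key=(null)
"""

MSG_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
PERMS_RE = re.compile(r"denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields, plus the
    audit serial and (for AVC records) the tuple of denied permissions."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["serial"] = int(m.group("serial"))
    p = PERMS_RE.search(line)
    rec["perms"] = tuple(p.group("perms").split()) if p else ()
    return rec


def group_events(text):
    """Group records by audit serial so an AVC can be read next to the
    SYSCALL record that triggered it (one record per type per serial)."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]][rec["type"]] = rec
    return events


def sel_type(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def is_leaked_fd(avc, syscall):
    """Heuristic (this example's own, not setroubleshoot's code): a leak is
    an anonymous socket/pipe object denied while the kernel executed execve,
    i.e. the descriptor was inherited into the new domain, never opened by it."""
    if syscall is None:
        return False
    anonymous = avc.get("path", "").startswith(("socket:[", "pipe:["))
    at_exec = EXECVE_BY_ARCH.get(syscall.get("arch")) == int(syscall.get("syscall", -1))
    return anonymous and at_exec


def triage(text):
    """Return one result per AVC: the rule audit2allow would emit and, for a
    leak, the dontaudit rule that silences it without widening the policy."""
    results = []
    for serial, recs in sorted(group_events(text).items()):
        avc = recs.get("AVC")
        if avc is None:
            continue
        src, tgt = sel_type(avc["scontext"]), sel_type(avc["tcontext"])
        body = f"{src} {tgt}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};"
        leaked = is_leaked_fd(avc, recs.get("SYSCALL"))
        results.append({
            "serial": serial,
            "comm": avc.get("comm"),
            "leaked_fd": leaked,
            "audit2allow": "allow " + body,
            # A real denial needs investigation, not an automatic rule.
            "preferred": "dontaudit " + body if leaked else None,
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_AUDIT):
        kind = "leaked fd, silence it" if r["leaked_fd"] else "real denial, investigate"
        print(f"serial {r['serial']} comm={r['comm']}: {kind}")
        print("  audit2allow would emit:", r["audit2allow"])
        print("  preferred fix:         ", r["preferred"])
```

The actual policy fix in comment 2 goes one step further and puts the dontaudit in the ifconfig domtrans interface on the caller domain ($1) over socket_class_set, so it covers every socket class a caller might leak, not only netlink_route_socket.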
Fixed in selinux-policy-3.7.19-64.fc13
This is with F14, but the report got hashed here. Maybe the release should be included in the hash.

Anyway, this happened while using system-config-network to deactivate/activate networking in a configuration without NetworkManager.

Summary:

SELinux is preventing /sbin/ip access to a leaked netlink_route_socket file descriptor.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the ip command. It looks like this is either a leaked descriptor or ip output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the netlink_route_socket. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                netlink_route_socket [ netlink_route_socket ]
Source                        ip
Source Path                   /sbin/ip
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           iproute-2.6.35-3.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.5-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux cedar 2.6.35.4-28.fc14.x86_64 #1 SMP Wed Sep 15 01:56:54 UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Tue 05 Oct 2010 03:14:33 PM PDT
Last Seen                     Tue 05 Oct 2010 03:26:23 PM PDT
Local ID                      5926c7cc-8bf6-49a7-a372-c436ac5eddf8
Line Numbers

Raw Audit Messages

node=cedar type=AVC msg=audit(1286317583.754:27501): avc: denied { read write } for pid=7013 comm="ip" path="socket:[194112]" dev=sockfs ino=194112 scontext=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=netlink_route_socket

node=cedar type=SYSCALL msg=audit(1286317583.754:27501): arch=c000003e syscall=59 success=yes exit=0 a0=e3f9f0 a1=dbe800 a2=e6a300 a3=1 items=0 ppid=6996 pid=7013 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="ip" exe="/sbin/ip" subj=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 key=(null)
Well, we roll fixes forward. If you use the latest F14 policy it should be fixed there also.

selinux-policy-3.9.5-10.fc14
Bug 632812 isn't listed here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.5-10.fc14

Summary:

SELinux is preventing /sbin/ip access to a leaked netlink_route_socket file descriptor.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the ip command. It looks like this is either a leaked descriptor or ip output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the netlink_route_socket. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                netlink_route_socket [ netlink_route_socket ]
Source                        ip
Source Path                   /sbin/ip
Port                          <Unknown>
Host                          cedar
Source RPM Packages           iproute-2.6.35-3.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.5-10.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     cedar
Platform                      Linux cedar 2.6.35.4-28.fc14.x86_64 #1 SMP Wed Sep 15 01:56:54 UTC 2010 x86_64 x86_64
Alert Count                   5
First Seen                    Tue 05 Oct 2010 03:14:33 PM PDT
Last Seen                     Wed 06 Oct 2010 08:24:34 AM PDT
Local ID                      5926c7cc-8bf6-49a7-a372-c436ac5eddf8
Line Numbers

Raw Audit Messages

node=cedar type=AVC msg=audit(1286378674.435:27449): avc: denied { read write } for pid=2490 comm="ip" path="socket:[22895]" dev=sockfs ino=22895 scontext=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=netlink_route_socket

node=cedar type=SYSCALL msg=audit(1286378674.435:27449): arch=c000003e syscall=59 success=yes exit=0 a0=1a4de60 a1=19cc800 a2=1a78300 a3=8 items=0 ppid=2472 pid=2490 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ip" exe="/sbin/ip" subj=unconfined_u:system_r:ifconfig_t:s0-s0:c0.c1023 key=(null)
What tool were you running when this happened? system-config-network?
If you are running system-config-network I think you are seeing the same problem as https://bugzilla.redhat.com/show_bug.cgi?id=640475
(In reply to comment #6)
> What tool were you running when this happened?
>
> system-config-network?

Yes, the denials in comment 3 and comment 5 occurred while running system-config-network. The latter was with:

initscripts-9.20.1-1.fc14.x86_64
selinux-policy-3.9.5-10.fc14.noarch
selinux-policy-targeted-3.9.5-10.fc14.noarch
system-config-network-1.6.1-1.fc14.noarch
selinux-policy-3.7.19-65.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-65.fc13
selinux-policy-3.7.19-65.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-65.fc13
selinux-policy-3.7.19-65.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.