Summary:
SELinux is preventing /sbin/ip "read" access on /etc/kdump.conf.

Detailed Description:
[ip has a permissive type (ifconfig_t). This access was not denied.]
SELinux denied access requested by ip. It is not expected that this access is required by ip and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context: system_u:system_r:ifconfig_t:s0
Target Context: system_u:object_r:kdump_etc_t:s0
Target Objects: /etc/kdump.conf [ file ]
Source: ip
Source Path: /sbin/ip
Port: <Unknown>
Host: (removed)
Source RPM Packages: iproute-2.6.35-5.fc14
Target RPM Packages: kexec-tools-2.0.0-39.fc14.1
Policy RPM: selinux-policy-3.9.7-7.fc14
Selinux Enabled: True
Policy Type: targeted
Enforcing Mode: Enforcing
Plugin Name: catchall
Host Name: (removed)
Platform: Linux (removed) 2.6.35.6-48.fc14.x86_64 #1 SMP Fri Oct 22 15:36:08 UTC 2010 x86_64 x86_64
Alert Count: 9
First Seen: Sat 06 Nov 2010 04:21:17 PM CET
Last Seen: Sun 07 Nov 2010 04:48:35 PM CET
Local ID: a56eb4d8-29d7-4a49-8de3-b4c8afa10dca
Line Numbers:

Raw Audit Messages:
node=(removed) type=AVC msg=audit(1289144915.30:214): avc: denied { read } for pid=27029 comm="ip" path="/etc/kdump.conf" dev=dm-1 ino=69884 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:kdump_etc_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1289144915.30:214): arch=c000003e syscall=59 success=yes exit=0 a0=1d896f0 a1=1d89710 a2=1d3e6c0 a3=8 items=0 ppid=27028 pid=27029 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)

Hash String generated from catchall,ip,ifconfig_t,kdump_etc_t,file,read

audit2allow suggests:
#============= ifconfig_t ==============
allow ifconfig_t kdump_etc_t:file read;
Do you know which tool you were using when this happened?
I installed kdump and system-config-kdump. Then I used the GUI to set up kdump to dump core over the network to NFS. This AVC happened when the kdump service was trying to create the initrd.
Ok, you can ignore this. And also, does everything work as expected?
No, kdump fails to create the initrd.
Ok, could you try to execute

# semanage permissive -a kdump_t
# semanage permissive -a kdumpgui_t

and then try to re-test it and attach the AVC messages which you are seeing.

# ausearch -m avc -ts recent
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Looked into it. There's no problem with SELinux at all; there is an AVC but it can be ignored. The GUI generates a wrong configuration. Option path is ignored by mkdumprd and it actually needs option net to be in the right format, e.g. 192.168.1.1:/dump. You can close this, or maybe do something about silencing SELinux.
recent avc:

time->Tue Nov 9 17:53:10 2010
type=SYSCALL msg=audit(1289321590.498:95): arch=c000003e syscall=59 success=yes exit=0 a0=1f2cc00 a1=1f94f10 a2=1f676c0 a3=8 items=0 ppid=26393 pid=26394 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1289321590.498:95): avc: denied { read } for pid=26394 comm="ip" path="/etc/kdump.conf" dev=dm-1 ino=76895 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:kdump_etc_t:s0 tclass=file
----
time->Tue Nov 9 17:53:10 2010
type=SYSCALL msg=audit(1289321590.643:96): arch=c000003e syscall=59 success=yes exit=0 a0=1f98d60 a1=1f94810 a2=1f676c0 a3=8 items=0 ppid=26416 pid=26417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1289321590.643:96): avc: denied { read } for pid=26417 comm="ip" path="/etc/kdump.conf" dev=dm-1 ino=76895 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:kdump_etc_t:s0 tclass=file
----
time->Tue Nov 9 17:53:31 2010
type=SYSCALL msg=audit(1289321611.733:97): arch=c000003e syscall=59 success=yes exit=0 a0=1f89230 a1=1fb6800 a2=1f676c0 a3=8 items=0 ppid=31901 pid=31902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1289321611.733:97): avc: denied { read } for pid=31902 comm="ip" path="/etc/kdump.conf" dev=dm-1 ino=76895 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:kdump_etc_t:s0 tclass=file
Well, this is a leak by kdump. It is opening /etc/kdump.conf for read and not closing the file descriptor on exec. fcntl(fd, F_SETFD, FD_CLOEXEC) should close the file descriptor and ifconfig will not generate the AVC.
Dan, the utility which creates the initrd for kdump is a shell script. How can it be expected to issue a CLOEXEC on a file from a bash shell?
Neil, what does the script look like? foobar < /etc/kdump.conf
It's the /sbin/mkdumprd script; you can see it on any Fedora/RHEL system. But yes, the internals of mkdumprd parse /etc/kdump.conf in the way you describe.
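The descriptor leak Dan and Neil discuss above, as an added example that is not part of this bug report or of mkdumprd: a shell parser loop that execs a child per config line (standing in for /sbin/ip), once with the config's file descriptor left open across the exec and once with it closed for the child with `3<&-`, which is the shell-script equivalent of FD_CLOEXEC. The sample config and the use of fd 3 are assumptions made for the example; a loop written as `done < /etc/kdump.conf` leaks fd 0 in the same way and is fixed the same way (`ip ... <&-` or `ip ... </dev/null`).

```shell
#!/bin/sh
# Added example, not mkdumprd's code. Shows how a parser loop leaks the
# config file descriptor into every command it execs, and how to close it
# for the child. The config written here is constructed, not a real kdump.conf.
write_sample_conf() {
    printf 'net 192.168.1.1:/dump\npath /var/crash\ncore_collector makedumpfile -c\n' > "$1"
}

# Stand-in for /sbin/ip being exec'd from inside the loop. It reads nothing;
# it only reports whether fd 3 (the config file) was inherited: if fd 3 is
# closed the redirection fails and sh exits non-zero.
child_sees_fd3() {
    sh -c ': <&3' 2>/dev/null
}

# Leaky pattern: fd 3 stays open across the fork/exec of every command run
# inside the loop. With SELinux the exec'd ip then carries an open
# kdump_etc_t file into ifconfig_t, which is what the AVC records.
leaky_parse() {          # prints "<lines parsed> <children that saw the fd> <net target>"
    lines=0; leaks=0; net=""
    exec 3< "$1"
    while read -r key value <&3; do
        lines=$((lines + 1))
        case "$key" in net) net=$value ;; esac
        if child_sees_fd3; then leaks=$((leaks + 1)); fi
    done
    exec 3<&-
    echo "$lines $leaks $net"
}

# Fixed pattern: the child is started with "3<&-", so the descriptor is
# closed in the child before exec and there is nothing for SELinux to check.
safe_parse() {
    lines=0; leaks=0; net=""
    exec 3< "$1"
    while read -r key value <&3; do
        lines=$((lines + 1))
        case "$key" in net) net=$value ;; esac
        if child_sees_fd3 3<&-; then leaks=$((leaks + 1)); fi
    done
    exec 3<&-
    echo "$lines $leaks $net"
}

# Stand-alone demo: "sh this.sh demo" prints "3 3 ..." then "3 0 ...".
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    leaky_parse "$tmp"
    safe_parse "$tmp"
    rm -f "$tmp"
fi
```

Closing the descriptor in the script removes the cause; the dontaudit rule the thread settles on removes only the log noise, and the two are complementary: a policy that silences the AVC will also hide a genuine descriptor leak of the same shape in future versions of the script.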
Miroslav, add

optional_policy(`
	kdump_dontaudit_read_config(ifconfig_t)
')
Added to Fixed in selinux-policy-3.9.7-12.fc14.
selinux-policy-3.9.7-12.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-12.fc14
selinux-policy-3.9.7-12.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-12.fc14
Update silenced SELinux. Thanks a lot.
selinux-policy-3.9.7-12.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.