Bug 650649 - SELinux is preventing /sbin/ip "read" access on /etc/kdump.conf.
Summary: SELinux is preventing /sbin/ip "read" access on /etc/kdump.conf.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:7d5bdaff841...
Depends On:
Blocks:
Reported: 2010-11-07 15:51 UTC by Lukas Bezdicka
Modified: 2010-11-21 21:59 UTC (History)

Fixed In Version: selinux-policy-3.9.7-12.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-11-21 21:59:42 UTC
Type: ---
Embargoed:



Description Lukas Bezdicka 2010-11-07 15:51:19 UTC
Summary:

SELinux is preventing /sbin/ip "read" access on /etc/kdump.conf.

Detailed Description:

[ip has a permissive type (ifconfig_t). This access was not denied.]

SELinux denied access requested by ip. It is not expected that this access is
required by ip and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:ifconfig_t:s0
Target Context                system_u:object_r:kdump_etc_t:s0
Target Objects                /etc/kdump.conf [ file ]
Source                        ip
Source Path                   /sbin/ip
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           iproute-2.6.35-5.fc14
Target RPM Packages           kexec-tools-2.0.0-39.fc14.1
Policy RPM                    selinux-policy-3.9.7-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.6-48.fc14.x86_64 #1 SMP Fri Oct
                              22 15:36:08 UTC 2010 x86_64 x86_64
Alert Count                   9
First Seen                    Sat 06 Nov 2010 04:21:17 PM CET
Last Seen                     Sun 07 Nov 2010 04:48:35 PM CET
Local ID                      a56eb4d8-29d7-4a49-8de3-b4c8afa10dca
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1289144915.30:214): avc:  denied  { read } for  pid=27029 comm="ip" path="/etc/kdump.conf" dev=dm-1 ino=69884 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:kdump_etc_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1289144915.30:214): arch=c000003e syscall=59 success=yes exit=0 a0=1d896f0 a1=1d89710 a2=1d3e6c0 a3=8 items=0 ppid=27028 pid=27029 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)



Hash String generated from  catchall,ip,ifconfig_t,kdump_etc_t,file,read
audit2allow suggests:

#============= ifconfig_t ==============
allow ifconfig_t kdump_etc_t:file read;

Comment 1 Miroslav Grepl 2010-11-08 09:36:45 UTC
Do you know which tool you were using when this happened?

Comment 2 Lukas Bezdicka 2010-11-08 09:43:24 UTC
I installed kdump and system-config-kdump. Then I used the GUI to set up kdump to dump core over the network to NFS. This AVC happened when the kdump service was trying to create the initrd.

Comment 3 Miroslav Grepl 2010-11-08 13:57:47 UTC
Ok, you can ignore this.

And also does everything work as expected?

Comment 4 Lukas Bezdicka 2010-11-08 14:37:28 UTC
No, kdump fails to create the initrd.

Comment 5 Miroslav Grepl 2010-11-08 14:40:19 UTC
Ok,
could you try to execute

# semanage permissive -a kdump_t
# semanage permissive -a kdumpgui_t

and then try to re-test it and attach AVC messages which you are seeing.

# ausearch -m avc -ts recent

Comment 6 Fedora Admin XMLRPC Client 2010-11-08 21:53:41 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 7 Fedora Admin XMLRPC Client 2010-11-08 21:55:54 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 8 Fedora Admin XMLRPC Client 2010-11-08 21:56:54 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 9 Lukas Bezdicka 2010-11-09 16:55:58 UTC
Looked into it. There's no problem with selinux at all; there is an AVC but it can be ignored. The GUI generates a wrong configuration. Option path is ignored by mkdumprd and it actually needs option net to be in the right format, e.g. 192.168.1.1:/dump

You can close this, or maybe do something with silencing selinux.

Comment 10 Lukas Bezdicka 2010-11-09 16:57:06 UTC
recent avc:


time->Tue Nov  9 17:53:10 2010
type=SYSCALL msg=audit(1289321590.498:95): arch=c000003e syscall=59 success=yes exit=0 a0=1f2cc00 a1=1f94f10 a2=1f676c0 a3=8 items=0 ppid=26393 pid=26394 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1289321590.498:95): avc:  denied  { read } for  pid=26394 comm="ip" path="/etc/kdump.conf" dev=dm-1 ino=76895 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:kdump_etc_t:s0 tclass=file
----
time->Tue Nov  9 17:53:10 2010
type=SYSCALL msg=audit(1289321590.643:96): arch=c000003e syscall=59 success=yes exit=0 a0=1f98d60 a1=1f94810 a2=1f676c0 a3=8 items=0 ppid=26416 pid=26417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1289321590.643:96): avc:  denied  { read } for  pid=26417 comm="ip" path="/etc/kdump.conf" dev=dm-1 ino=76895 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:kdump_etc_t:s0 tclass=file
----
time->Tue Nov  9 17:53:31 2010
type=SYSCALL msg=audit(1289321611.733:97): arch=c000003e syscall=59 success=yes exit=0 a0=1f89230 a1=1fb6800 a2=1f676c0 a3=8 items=0 ppid=31901 pid=31902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1289321611.733:97): avc:  denied  { read } for  pid=31902 comm="ip" path="/etc/kdump.conf" dev=dm-1 ino=76895 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:kdump_etc_t:s0 tclass=file

Comment 11 Daniel Walsh 2010-11-09 17:01:58 UTC
Well this is a leak by kdump.  It is opening /etc/kdump.conf for read and not closing the file descriptor on exec.

fcntl(fd, F_SETFD, FD_CLOEXEC)

Should close the file descriptor and ifconfig will not generate the AVC.
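
Added example (not part of the thread and not from any Fedora tool): the records in Comment 10 pair each AVC that has a path= field with a successful execve (syscall=59 on x86_64) in the same event, which is how a descriptor inherited from the parent shows up in the audit log. The script below groups records by event ID and lists such denials; the function names and the control event 99 in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print "comm path tcontext" for every AVC denial that carries a path= field
# and shares its event ID with an execve SYSCALL record (syscall=59 on
# arch=c000003e, i.e. x86_64). Reads ausearch-style text from stdin or files.
leaked_fd_events() {
    awk '
    function field(rec, name,    v) {
        if (!match(rec, " " name "=[^ ]+")) return "?"
        v = substr(rec, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
        gsub(/"/, "", v)
        return v
    }
    # Records of one event share the "timestamp:serial" in msg=audit(...).
    !match($0, /audit\([0-9.]+:[0-9]+\)/) { next }
    { id = substr($0, RSTART + 6, RLENGTH - 7) }
    /type=SYSCALL/ && /arch=c000003e/ && / syscall=59 / { execve[id] = 1 }
    /type=AVC/ && /denied/ && / path="/ { avc[id] = $0; order[++n] = id }
    END {
        for (i = 1; i <= n; i++)
            if (order[i] in execve) {
                r = avc[order[i]]
                print field(r, "comm"), field(r, "path"), field(r, "tcontext")
            }
    }' "$@"
}

# Sample input: event 95 is trimmed from Comment 10; event 99 is a constructed
# control (a denial during read(), syscall=0) that must not be reported.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1289321590.498:95): arch=c000003e syscall=59 success=yes exit=0 pid=26394 comm="ip" exe="/sbin/ip"
type=AVC msg=audit(1289321590.498:95): avc:  denied  { read } for  pid=26394 comm="ip" path="/etc/kdump.conf" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:kdump_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1289321600.100:99): arch=c000003e syscall=0 success=no exit=-13 pid=300 comm="demo" exe="/usr/bin/demo"
type=AVC msg=audit(1289321600.100:99): avc:  denied  { read } for  pid=300 comm="demo" path="/etc/demo.conf" scontext=system_u:system_r:demo_t:s0 tcontext=system_u:object_r:demo_etc_t:s0 tclass=file
EOF
}

sample_audit_log | leaked_fd_events
```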

Comment 12 Neil Horman 2010-11-10 12:09:15 UTC
Dan, the utility which creates the initrd for kdump is a shell script.  How can it be expected to issue a CLOEXEC on a file from a bash shell?

Comment 13 Daniel Walsh 2010-11-10 13:31:09 UTC
Neil, what does the script look like?

foobar < /etc/kdump.conf

Comment 14 Neil Horman 2010-11-10 14:56:23 UTC
It's the /sbin/mkdumprd script, you can see it on any Fedora/RHEL system.  But yes, the internals of mkdumprd parse /etc/kdump.conf in the way you describe.
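
Added example (not part of the thread and not mkdumprd's code) for the question raised in Comment 12: a shell script cannot call fcntl, but closing the descriptor in the child command's redirection list (`3<&-`) keeps it out of that child. The function names and the sample config are assumptions; for a loop fed through stdin, as in `foobar < /etc/kdump.conf`, the equivalent is to start the child with `</dev/null`.

```shell
#!/bin/sh
# Added example, not mkdumprd code. All function names are hypothetical.

# Stand-in for a helper such as /sbin/ip: starts a new process (fork + exec)
# and reports whether descriptor 3 was still open after the exec.
probe_fd3() {
    if sh -c ': <&3' 2>/dev/null; then echo open; else echo closed; fi
}

# Leaky pattern: the loop redirection keeps the config open on fd 3 for the
# whole loop body, so every command started inside the loop inherits it.
parse_leaky() {
    while read -r key value <&3; do
        echo "$key $(probe_fd3)"
    done 3< "$1"
}

# Same loop, but fd 3 is closed in the redirection list of the child command.
# The parent keeps reading from fd 3; only the child starts without it.
parse_closed() {
    while read -r key value <&3; do
        echo "$key $(probe_fd3 3<&-)"
    done 3< "$1"
}

# Constructed sample config (two option names mentioned in this report).
make_sample_conf() {
    f=$(mktemp) || return 1
    printf 'path /var/crash\nnet 192.168.1.1:/dump\n' > "$f"
    echo "$f"
}

conf=$(make_sample_conf) || exit 1
echo "leaky:";  parse_leaky  "$conf"
echo "closed:"; parse_closed "$conf"
rm -f "$conf"
```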

Comment 15 Daniel Walsh 2010-11-10 20:39:48 UTC
Miroslav add

optional_policy(`
	kdump_dontaudit_read_config(ifconfig_t)
')

Comment 16 Miroslav Grepl 2010-11-15 10:01:06 UTC
Added to Fixed in selinux-policy-3.9.7-12.fc14.

Comment 17 Fedora Update System 2010-11-19 13:21:26 UTC
selinux-policy-3.9.7-12.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-12.fc14

Comment 18 Fedora Update System 2010-11-19 22:39:41 UTC
selinux-policy-3.9.7-12.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-12.fc14

Comment 19 Lukas Bezdicka 2010-11-20 17:10:21 UTC
Update silenced selinux. Thanks a lot.

Comment 20 Fedora Update System 2010-11-21 21:57:59 UTC
selinux-policy-3.9.7-12.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

