Description of problem:
When the ethtool module is loaded in a Python script, it opens NETLINK_ROUTE and keeps it open throughout the life of the script. That file handle is then leaked to any process forked from this process. That per se is a bad thing, as any subprocess can then use it. Moreover, we've hit this issue with rhnreg_ks, which calls

    rc = os.system("/sbin/service rhnsd status > /dev/null")

after importing ethtool, and that causes an AVC denial:

    avc: denied { read write } for pid=6302 comm="consoletype" path="socket:[304921]" dev=sockfs ino=304921 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=netlink_route_socket

Note that the problem is not rhnsd here; any service command reveals the issue, as demonstrated below.

Version-Release number of selected component (if applicable):
# rpm -q python-ethtool
python-ethtool-0.6-1.fc14.x86_64

How reproducible:
Deterministic.

Steps to Reproduce:
1. Have cronie and python-ethtool installed on Fedora 14, make sure you have SELinux enforcing.
2. Run python -c 'import ethtool ; import os ; os.system("service crond status")'
3. Check /var/log/audit/audit.log.

Actual results:
avc: denied { read write } for pid=6302 comm="consoletype" path="socket:[304921]" dev=sockfs ino=304921 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=netlink_route_socket

Expected results:
No AVC denial.

Additional info:
The code in python-ethtool/ethtool.c is

/**
 * Connects to the NETLINK interface. This should only be
 * called once as part of the main ethtool module init.
 *
 * @param nlc Structure which keeps the NETLINK connection handle (struct nl_handle)
 *
 * @return Returns 1 on success, otherwise 0.
 */
int open_netlink(struct nl_handle **nlc)
{
    if( *nlc ) {
        return 0;
    }
    *nlc = nl_handle_alloc();
    nl_connect(*nlc, NETLINK_ROUTE);
    return (*nlc != NULL);
}

and that one is called from PyMODINIT_FUNC initethtool(void).
My feeling is that close-on-exec should be set.
We'd appreciate a fixed package (even) for Fedora 14, as it causes AVC denials for Spacewalk client tools on Fedora 14.
This seems to be fixed by this commit:

commit 508ffffbb3c48eeeb11eeab2bf971180fe4e1940
Author: David Sommerseth <davids>
Date:   Mon Apr 11 16:36:56 2011 +0200

    Only open the NETLINK interface when needed

    Do not open a NETLINK connection when loading the module, but rather
    open it when needed. In a case where multiple users need the connection,
    it will be shared and only closed when the last active user is done.

    Signed-off-by: David Sommerseth <davids>

The reproducing routine results in an AVC denial with python-ethtool-0.6. When the patch above is added, the AVC is not appearing. However, the script below will trigger it again:

------------------------------------------------------
import ethtool, os

devs = ethtool.get_interfaces_info('eth0')
eth0 = devs[0]   # this will cause NETLINK conn to stay open, when opened
print eth0       # this will open a NETLINK connection
os.system("service crond status")
del eth0         # this will close the NETLINK connection
------------------------------------------------------

I am not sure if this is a big deal or not. It is possible to implement a separate function call which will force NETLINK to close. However, I'm uncertain if this is more an SELinux issue or if it is really a python-ethtool issue. It looks like this just tickles SELinux in a way which causes the AVC.
Pushed another commit which should make the reproducer in comment #2 run without producing any AVC situations.

commit 1680cbeb40e76dd975bc8ace756e74771901d607
Author: David Sommerseth <davids>
Date:   Tue Apr 12 13:57:34 2011 +0200

    Force O_CLOEXEC on the NETLINK socket

    To avoid that the NETLINK socket is available to forked children,
    set the FD_CLOEXEC flag on the NETLINK socket. This also avoids
    SELinux from complaining on Fedora 14.

    For more information: https://bugzilla.redhat.com/show_bug.cgi?id=689843

    Signed-off-by: David Sommerseth <davids>
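The descriptor leak from the bug description and the FD_CLOEXEC fix from the commit above, as an added example that is not python-ethtool's own code. It assumes Linux for the NETLINK_ROUTE part and a POSIX /bin/sh for the exec check; the pipe in pipe_leak_demo() is a constructed stand-in for the netlink socket so the leak can be observed without SELinux.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/netlink.h>
#endif
/* 1 if fd carries FD_CLOEXEC, 0 if not, -1 if fd is not open. */
int has_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : (flags & FD_CLOEXEC) != 0;
}
/* Set FD_CLOEXEC without clobbering other descriptor flags; 0 on success. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}
/* What the 0.7 fix amounts to: a NETLINK_ROUTE socket that exec() closes.
 * Linux only; returns -1 elsewhere or on failure. */
int open_netlink_cloexec(void) {
#ifdef __linux__
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (fd >= 0 && set_cloexec(fd) < 0) { close(fd); fd = -1; }
    return fd;
#else
    return -1;
#endif
}
/* 1 if a child that exec()s /bin/sh (as os.system does) can still write to
 * fd, i.e. the descriptor leaked; 0 if exec closed it; -1 on fork failure. */
int fd_survives_exec(int fd) {
    char cmd[64];
    int status = 0;
    snprintf(cmd, sizeof cmd, "echo x >&%d 2>/dev/null", fd);
    pid_t pid = fork();
    if (pid == 0) { execl("/bin/sh", "sh", "-c", cmd, (char *)0); _exit(127); }
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
/* Constructed reproducer on a pipe instead of the netlink socket; with
 * fix != 0 the write end gets FD_CLOEXEC first. Returns fd_survives_exec(). */
int pipe_leak_demo(int fix) {
    int p[2], leaked;
    if (pipe(p) < 0 || (fix && set_cloexec(p[1]) < 0)) return -1;
    leaked = fd_survives_exec(p[1]);
    close(p[0]); close(p[1]);
    return leaked;
}
```

Without the flag the child shell can write to the inherited descriptor; with it, the redirect fails because exec() already closed it, which is exactly what keeps consoletype away from the netlink socket.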
python-ethtool-0.7-1.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/python-ethtool-0.7-1.fc15
python-ethtool-0.7-1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/python-ethtool-0.7-1.fc14
python-ethtool-0.7-1.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/python-ethtool-0.7-1.fc13
Package python-ethtool-0.7-1.fc13:
* should fix your issue,
* was pushed to the Fedora 13 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing python-ethtool-0.7-1.fc13'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/python-ethtool-0.7-1.fc13
then log in and leave karma (feedback).
I confirm that package python-ethtool-0.7-1.fc14.x86_64 fixes the issue. Thank you, Jan
python-ethtool-0.7-2.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/python-ethtool-0.7-2.fc13
python-ethtool-0.7-2.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/python-ethtool-0.7-2.fc14
python-ethtool-0.7-2.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/python-ethtool-0.7-2.fc15
Package python-ethtool-0.7-2.fc13:
* should fix your issue,
* was pushed to the Fedora 13 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing python-ethtool-0.7-2.fc13'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/python-ethtool-0.7-2.fc13
then log in and leave karma (feedback).
I confirm that package python-ethtool-0.7-2.fc14.x86_64 fixes the issue. Thank you, Jan
python-ethtool-0.7-2.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
python-ethtool-0.7-2.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.