Bug 689843 - Python ethtool opens NETLINK_ROUTE when loaded which causes leaked descriptor
Summary: Python ethtool opens NETLINK_ROUTE when loaded which causes leaked descriptor
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: python-ethtool
Version: 14
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Arnaldo Carvalho de Melo
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-03-22 15:46 UTC by Jan Pazdziora
Modified: 2011-05-05 05:05 UTC (History)

Fixed In Version: python-ethtool-0.7-2.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-04-17 21:21:26 UTC
Type: ---
Embargoed:



Description Jan Pazdziora 2011-03-22 15:46:43 UTC
Description of problem:

When the ethtool module is loaded in a python script, it opens NETLINK_ROUTE and keeps it open throughout the life of the script. That filehandle is then leaked to any process forked from this process. That per se is a bad thing as any subprocess can then use it.

Moreover, we've hit this issue with rhnreg_ks which calls

   rc = os.system("/sbin/service rhnsd status > /dev/null")

after importing ethtool, and that causes AVC denial

   avc:  denied  { read write } for  pid=6302 comm="consoletype" path="socket:[304921]" dev=sockfs ino=304921 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=netlink_route_socket

Note that the problem is not rhnsd here, any service command reveals the issue, as demonstrated below.

Version-Release number of selected component (if applicable):

# rpm -q python-ethtool
python-ethtool-0.6-1.fc14.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have cronie and python-ethtool installed on Fedora 14, make sure you have SELinux enforcing.
2. Run python -c 'import ethtool ; import os ; os.system("service crond status")'
3. Check /var/log/audit/audit.log.
  
Actual results:

avc:  denied  { read write } for  pid=6302 comm="consoletype" path="socket:[304921]" dev=sockfs ino=304921 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=netlink_route_socket

Expected results:

No AVC denial.

Additional info:

The code in python-ethtool/ethtool.c is

/**
 * Connects to the NETLINK interface.  This should only be
 * called once as part of the main ethtool module init.
 *
 * @param nlc Structure which keeps the NETLINK connection handle (struct nl_handle)
 *
 * @return Returns 1 on success, otherwise 0.
 */
int open_netlink(struct nl_handle **nlc)
{
        if( *nlc ) {
                return 0;
        }

        *nlc = nl_handle_alloc();
        nl_connect(*nlc, NETLINK_ROUTE);
        return (*nlc != NULL);
}

and that one is called from PyMODINIT_FUNC initethtool(void).

My feeling is that close-on-exec should be set.

Comment 1 Jan Pazdziora 2011-03-22 15:48:03 UTC
We'd appreciate a fixed package (even) for Fedora 14 as it causes AVC denials for Spacewalk client tools on Fedora 14.

Comment 2 David Sommerseth 2011-04-12 09:55:44 UTC
This seems to be fixed by this commit:

commit 508ffffbb3c48eeeb11eeab2bf971180fe4e1940
Author: David Sommerseth <davids>
Date:   Mon Apr 11 16:36:56 2011 +0200

    Only open the NETLINK interface when needed
    
    Do not open a NETLINK connection when loading the module, but rather
    open it when needed.  In a case where multiple users need the
    connection, it will be shared and only closed when the last active
    user is done.
    
    Signed-off-by: David Sommerseth <davids>


The reproducing routine results in an AVC denial with python-ethtool-0.6.  When the patch above is added, the AVC is not appearing.

However, the script below will trigger it again:
------------------------------------------------------
import ethtool, os

devs = ethtool.get_interfaces_info('eth0')
eth0 = devs[0]  # this will cause NETLINK conn to stay open, when opened
print eth0      # this will open a NETLINK connection
os.system("service crond status")
del eth0        # this will close the NETLINK connection
------------------------------------------------------

I am not sure if this is a big deal or not.  It is possible to implement a separate function call which will force NETLINK to close.  However, I'm uncertain if this is more a SELinux issue or if it really is a python-ethtool issue.  It looks like this just tickles SELinux in a way which causes the AVC.

Comment 3 David Sommerseth 2011-04-12 12:02:09 UTC
Pushed another commit which should make the reproducer in comment #2 run without producing any AVC situations.

commit 1680cbeb40e76dd975bc8ace756e74771901d607
Author: David Sommerseth <davids>
Date:   Tue Apr 12 13:57:34 2011 +0200

    Force O_CLOEXEC on the NETLINK socket
    
    To avoid that the NETLINK socket is available to forked children,
    set the FD_CLOEXEC flag on the NETLINK socket.  This also avoids
    SELinux from complaining on Fedora 14.
    
    For more information:
    https://bugzilla.redhat.com/show_bug.cgi?id=689843
    
    Signed-off-by: David Sommerseth <davids>
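
The following is an added example, not code from python-ethtool or from anyone in this bug. It reproduces the mechanism behind the description and the fix in comment #3 from plain Python: a descriptor left without FD_CLOEXEC survives execve() in a child spawned the way os.system() spawns it, and setting FD_CLOEXEC (the same fcntl operation the commit above applies to the libnl socket) makes the kernel drop it at exec. The child check compares st_dev/st_ino (the same sockfs inode that appears in the AVC line) rather than trusting the fd number alone. It opens a NETLINK_ROUTE socket where the platform allows it and falls back to a socketpair otherwise; the socket type, the helper names and the probe child are assumptions of this example, not part of the project.

```python
"""Added example (not python-ethtool code): show a descriptor leaking into a
child across exec when FD_CLOEXEC is missing, and the fix of setting it."""
import fcntl
import os
import socket
import subprocess
import sys


def open_probe_socket():
    """Open a NETLINK_ROUTE socket as python-ethtool does. Where that is not
    possible (non-Linux, or a sandbox that blocks AF_NETLINK) fall back to
    one end of a socketpair; the descriptor behaviour shown is the same."""
    try:
        return socket.socket(socket.AF_NETLINK, socket.SOCK_RAW,
                             socket.NETLINK_ROUTE)
    except (AttributeError, OSError):
        a, b = socket.socketpair()
        b.close()
        return a


def is_cloexec(fd):
    """True if FD_CLOEXEC is set, i.e. the kernel closes fd on execve()."""
    return bool(fcntl.fcntl(fd, fcntl.F_GETFD) & fcntl.FD_CLOEXEC)


def set_cloexec(fd, enabled=True):
    """The operation the python-ethtool 0.7 fix performs on the libnl socket:
    read the descriptor flags and set (or, for the demo, clear) FD_CLOEXEC."""
    flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    if enabled:
        flags |= fcntl.FD_CLOEXEC
    else:
        flags &= ~fcntl.FD_CLOEXEC
    fcntl.fcntl(fd, fcntl.F_SETFD, flags)


def child_can_see(fd):
    """Spawn a child the way system(3) does, without descriptor cleanup
    (close_fds=False), and report whether the child holds the *same* open
    file: it must fstat() our fd number and see our st_dev/st_ino."""
    own = os.fstat(fd)
    probe = ("import os, sys\n"
             "try:\n"
             "    st = os.fstat(%d)\n"
             "except OSError:\n"
             "    sys.exit(1)\n"
             "sys.exit(0 if (st.st_dev, st.st_ino) == (%d, %d) else 1)"
             % (fd, own.st_dev, own.st_ino))
    rc = subprocess.run([sys.executable, "-c", probe],
                        close_fds=False).returncode
    return rc == 0


def demonstrate():
    """Return (leaked_before_fix, leaked_after_fix); expected (True, False)."""
    sock = open_probe_socket()
    fd = sock.fileno()
    # Python 3.4+ creates sockets with FD_CLOEXEC already set (PEP 446).
    # A C extension that calls libnl directly does not get that default, so
    # clear the flag here to reproduce the python-ethtool 0.6 situation.
    set_cloexec(fd, enabled=False)
    leaked_before = child_can_see(fd)
    # The fix from comment #3: set FD_CLOEXEC; execve() in the child now
    # closes the descriptor before the service script ever runs.
    set_cloexec(fd, enabled=True)
    leaked_after = child_can_see(fd)
    sock.close()
    return leaked_before, leaked_after


if __name__ == "__main__":
    before, after = demonstrate()
    print("leaked without FD_CLOEXEC: %s; with FD_CLOEXEC: %s"
          % (before, after))
```

Two caveats worth knowing when checking a script for this class of leak: subprocess.Popen closes every descriptor above 2 by default (close_fds=True), so only os.system(), os.popen() and similar fork-and-exec paths expose the problem; and the Python-side defaults from PEP 446 do not cover sockets created inside a C extension, which is why the fix had to land in ethtool.c itself.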

Comment 4 Fedora Update System 2011-04-12 14:57:03 UTC
python-ethtool-0.7-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/python-ethtool-0.7-1.fc15

Comment 5 Fedora Update System 2011-04-12 14:59:58 UTC
python-ethtool-0.7-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/python-ethtool-0.7-1.fc14

Comment 6 Fedora Update System 2011-04-12 15:00:59 UTC
python-ethtool-0.7-1.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/python-ethtool-0.7-1.fc13

Comment 7 Fedora Update System 2011-04-12 21:25:26 UTC
Package python-ethtool-0.7-1.fc13:
* should fix your issue,
* was pushed to the Fedora 13 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing python-ethtool-0.7-1.fc13'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/python-ethtool-0.7-1.fc13
then log in and leave karma (feedback).

Comment 8 Jan Pazdziora 2011-04-13 08:18:24 UTC
I confirm that package python-ethtool-0.7-1.fc14.x86_64 fixes the issue.

Thank you, Jan

Comment 9 Fedora Update System 2011-04-13 08:31:08 UTC
python-ethtool-0.7-2.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/python-ethtool-0.7-2.fc13

Comment 10 Fedora Update System 2011-04-13 08:32:54 UTC
python-ethtool-0.7-2.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/python-ethtool-0.7-2.fc14

Comment 11 Fedora Update System 2011-04-13 08:33:40 UTC
python-ethtool-0.7-2.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/python-ethtool-0.7-2.fc15

Comment 12 Fedora Update System 2011-04-13 20:49:48 UTC
Package python-ethtool-0.7-2.fc13:
* should fix your issue,
* was pushed to the Fedora 13 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing python-ethtool-0.7-2.fc13'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/python-ethtool-0.7-2.fc13
then log in and leave karma (feedback).

Comment 13 Jan Pazdziora 2011-04-14 07:29:18 UTC
I confirm that package python-ethtool-0.7-2.fc14.x86_64 fixes the issue.

Thank you, Jan

Comment 14 Fedora Update System 2011-04-17 21:21:16 UTC
python-ethtool-0.7-2.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2011-05-05 05:05:23 UTC
python-ethtool-0.7-2.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

