Bug 702291 - SELinux is preventing /sbin/ip from using the 'sys_module' capabilities.
Summary: SELinux is preventing /sbin/ip from using the 'sys_module' capabilities.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:9570fb1d7d4...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-05-05 10:01 UTC by Simone Deponti
Modified: 2011-08-08 20:20 UTC (History)
25 users (show)

Fixed In Version: selinux-policy-3.9.16-24.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-25 03:29:48 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Simone Deponti 2011-05-05 10:01:47 UTC 
SELinux is preventing /sbin/ip from using the 'sys_module' capabilities.

*****  Plugin sys_module (99.5 confidence) suggests  *************************

If you do not believe that /sbin/ip should be attempting to modify the kernel by loading a kernel module.
Then a process might be attempting to hack into your system.
Do
contact your security administrator and report this issue.

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that ip should have the sys_module capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ip /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ifconfig_t:s0
Target Context                system_u:system_r:ifconfig_t:s0
Target Objects                Unknown [ capability ]
Source                        ip
Source Path                   /sbin/ip
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           iproute-2.6.38.1-3.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-21.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.5-22.fc15.x86_64 #1
                              SMP Mon May 2 19:28:55 UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 05 May 2011 11:58:57 AM CEST
Last Seen                     Thu 05 May 2011 11:58:57 AM CEST
Local ID                      f03cec81-f582-4a12-bb9a-f5a02bdbe4e3

Raw Audit Messages
type=AVC msg=audit(1304589537.935:50): avc:  denied  { sys_module } for  pid=1426 comm="ip" capability=16  scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability


type=SYSCALL msg=audit(1304589537.935:50): arch=x86_64 syscall=ioctl success=no exit=ENODEV a0=4 a1=8933 a2=7fff79279c70 a3=f items=0 ppid=1423 pid=1426 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ip exe=/sbin/ip subj=system_u:system_r:ifconfig_t:s0 key=(null)

Hash: ip,ifconfig_t,ifconfig_t,capability,sys_module

audit2allow

#============= ifconfig_t ==============
allow ifconfig_t self:capability sys_module;

audit2allow -R

#============= ifconfig_t ==============
allow ifconfig_t self:capability sys_module;
Comment 1 Simone Deponti 2011-05-05 10:06:10 UTC 
This was just after a reboot following an update. I don't know whether this is a policy problem or a problem in /sbin/ip, but I strongly suspect the former (/sbin/ip might want to load crypto-related modules?).

% sudo yum list installed "selinux*"
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
selinux-policy.noarch                   3.9.16-21.fc15          @updates-testing
selinux-policy-targeted.noarch          3.9.16-21.fc15          @updates-testing
Comment 2 Gene Snider 2011-05-05 18:15:32 UTC 
I get this bug when resuming from suspend.

Gene
Comment 3 Miroslav Grepl 2011-05-06 05:25:49 UTC 
Fxed in selinux-policy-3.9.16-23.fc15
Comment 4 Scotty Delicious 2011-05-07 14:49:53 UTC 
I also get this bug when resuming from suspend.
Comment 5 Scotty Delicious 2011-05-07 15:06:19 UTC 
(In reply to comment #4)
> I also get this bug when resuming from suspend.

After reading the comment from Miroslav Grepl and then looking at my installed version, it seems that I am still on 3.9.16-21.fc15. I suppose the next time yum updates, this will be fixed. I ran an update check this morning but there were no new packages.
Comment 6 Simone Deponti 2011-05-07 15:41:24 UTC 
(In reply to comment #5)
> it seems that I am still on 3.9.16-21.fc15. I suppose the next time
> yum updates, this will be fixed. I ran an update check this morning but there
> were no new packages.

I did exactly the same. However, funnily enough, google searching for that package brings up results related to Chrome. Is that package in updates-testing or only in koji?
Comment 7 Simone Deponti 2011-05-07 15:55:01 UTC 
It seems to be mirror-related, as the Italian mirror seems to be stuck at 3 days ago.
Comment 8 Steve Tyler 2011-05-07 16:46:49 UTC 
(In reply to comment #5)
> (In reply to comment #4)
> > I also get this bug when resuming from suspend.
> 
> After reading the comment from Miroslav Grepl and then looking at my installed
> version, it seems that I am still on 3.9.16-21.fc15. I suppose the next time
> yum updates, this will be fixed. I ran an update check this morning but there
> were no new packages.

selinux-policy-3.9.16-23.fc15 hasn't been pushed to the repos. 
If you want to test the new version, it is here:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-23.fc15
Comment 9 Steve Tyler 2011-05-07 17:02:06 UTC 
bodhi - 2011-05-07 15:08:02
This update has been pushed to testing
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-23.fc15
Comment 10 marian 2011-05-07 19:34:49 UTC 
On my sistem after remove puseaudio this bug not appear.
Comment 11 Fedora Update System 2011-05-17 16:11:53 UTC 
selinux-policy-3.9.16-24.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-24.fc15
Comment 12 Fedora Update System 2011-05-18 18:40:36 UTC 
Package selinux-policy-3.9.16-24.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-24.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-24.fc15
then log in and leave karma (feedback).
Comment 13 marian 2011-05-21 09:17:49 UTC 
Yes i'm almost repositories enabled.
Comment 14 Fedora Update System 2011-05-25 03:28:54 UTC 
selinux-policy-3.9.16-24.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Hicham HAOUARI 2011-07-19 16:18:27 UTC 
what about f14 ?
Comment 16 Miroslav Grepl 2011-07-25 11:18:47 UTC 
Fixed in selinux-policy-3.9.7-44.fc14
Note You need to log in before you can comment on or make changes to this bug.