Bug 727648 - shorewall denials
Summary: shorewall denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: shorewall
Version: 15
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Jonathan Underwood
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-08-02 18:06 UTC by Orion Poplawski
Modified: 2011-09-07 00:23 UTC (History)
4 users (show)

Fixed In Version: shorewall-4.4.22.3-2.fc15.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-09-07 00:23:02 UTC


Attachments (Terms of Use)
shorewall audit messages (38.38 KB, text/x-log)
2011-08-02 18:06 UTC, Orion Poplawski
no flags Details

Description Orion Poplawski 2011-08-02 18:06:55 UTC
Created attachment 516374 [details]
shorewall audit messages

Description of problem:

I'm seeing lots of denials for shorewall in /var/log/audit/audit.log


Version-Release number of selected component (if applicable):
selinux-policy-3.9.16-35.fc15.noarch
shorewall-4.4.19.4-1.fc15.noarch

Comment 1 Daniel Walsh 2011-08-02 20:24:39 UTC
Looks to me like this is a leak.

Shorewall should be fcntl(fd, F_SETFD, FD_CLOEXEC) before execing ip.

Comment 2 Orion Poplawski 2011-08-02 20:57:41 UTC
Hmm, this could be interesting as it is written in perl.

Comment 3 Orion Poplawski 2011-08-02 21:11:12 UTC
I also think that there are probably several issues here.  But let's start with:

type=AVC msg=audit(1309215107.365:5504): avc:  denied  { read } for pid=18691 comm="ip" path="/var/lib/shorewall/proxyarp" dev=dm-1 ino=386 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:shorewall_var_lib_t:s0 tclass=file

This probably comes from the following shell code:

qt()
{
    "$@" >/dev/null 2>&1                                 
}
        while read address interface external haveroute; do
            qt $IP -4 neigh del proxy $address dev $external
            [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address/32 dev $interface
            f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
            [ -f $f ] && echo 0 > $f
        done < ${VARDIR}/proxyarp

I suppose there could be a qt() that closes stdin.  Dan, has this come up before with shell scripts?  Could this be an issue with bash?  Arguably the commands in the loop shouldn't have access to what the while loop is reading.

Comment 4 Orion Poplawski 2011-08-02 22:03:09 UTC
# while read x 
> do
> lsof > /tmp/lsof
> done < /var/lib/shorewall/proxyarp 
# grep lsof /tmp/lsof
lsof      19042          root    0r      REG      253,1       144        247 /var/lib/shorewall/proxyarp

So every command in the while loop inherits the stdin.  I imagine that this is actually expected behavior, so I think we need to "< /dev/null" these commands.

Comment 5 Daniel Walsh 2011-08-03 15:28:56 UTC
Yes it has come up before, and sadly we don't have a good fix...  Not something we really can fix in bash.

qt()
{
    "$@" >/dev/null 2>&1 < /dev/null                                
}

Would probably fix the problem.

Comment 6 Fedora Update System 2011-08-11 17:48:25 UTC
shorewall-4.4.22-2.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/shorewall-4.4.22-2.fc15

Comment 7 Fedora Update System 2011-08-12 10:58:35 UTC
Package shorewall-4.4.22-2.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing shorewall-4.4.22-2.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/shorewall-4.4.22-2.fc15
then log in and leave karma (feedback).

Comment 8 Orion Poplawski 2011-08-12 14:56:00 UTC
That actually appears to have taken care of most of the denials.  Now all I get is:

type=AVC msg=audit(1313160354.091:15710): avc:  denied  { search } for  pid=29551 comm="logger" name="sss" dev=dm-1 ino=574 scontext=system_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir

shorewall calls logger to indicate start/stop events.  Not sure what it is trying to do with /var/lib/sss though.

Comment 9 Daniel Walsh 2011-08-15 11:37:48 UTC
Probably calling getpw* .

Comment 10 Daniel Walsh 2011-08-15 11:39:13 UTC
Miroslav lets add

auth_use_nsswitch(shorewall_t)

Comment 11 Miroslav Grepl 2011-08-22 07:14:33 UTC
Fixed in selinux-policy-3.9.16-39.fc15

Comment 12 Fedora Update System 2011-08-22 15:41:24 UTC
shorewall-4.4.22.3-2.fc15.1 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/shorewall-4.4.22.3-2.fc15.1

Comment 13 Fedora Update System 2011-08-23 04:30:21 UTC
Package shorewall-4.4.22.3-2.fc15.1:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing shorewall-4.4.22.3-2.fc15.1'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/shorewall-4.4.22.3-2.fc15.1
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2011-09-07 00:22:48 UTC
shorewall-4.4.22.3-2.fc15.1 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.