741670 – sh (dhcpc_t) is attempting to "execute" to ./iptables (iptables_exec_t)

Bug 741670 - sh (dhcpc_t) is attempting to "execute" to ./iptables (iptables_exec_t)

Summary: sh (dhcpc_t) is attempting to "execute" to ./iptables (iptables_exec_t)

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	5.8
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-09-27 14:42 UTC by Raymond Rugemalira
Modified:	2012-10-15 14:49 UTC (History)
CC List:	4 users (show)
Fixed In Version:	selinux-policy-2.4.6-317.el5
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-02-21 05:48:12 UTC
Target Upstream Version:
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2012:0158	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2012-02-20 14:53:50 UTC

Description Raymond Rugemalira 2011-09-27 14:42:40 UTC

Summary:

SELinux is preventing sh (dhcpc_t) "execute" to ./iptables (iptables_exec_t).

Detailed Description:

SELinux denied access requested by sh. It is not expected that this access is
required by sh and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./iptables,

restorecon -v './iptables'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:dhcpc_t
Target Context                system_u:object_r:iptables_exec_t
Target Objects                ./iptables [ file ]
Source                        sh
Source Path                   /bin/bash
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           bash-3.2-32.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-316.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-274.3.1.el5xen
                              #1 SMP Fri Aug 26 19:08:58 EDT 2011 x86_64 x86_64
Alert Count                   384
First Seen                    Mon 22 Aug 2011 11:57:23 AM PDT
Last Seen                     Tue 27 Sep 2011 05:26:50 AM PDT
Local ID                      4a813ab8-d0cc-43e3-93c0-b506259979c9
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1317126410.221:9934): avc:  denied  { execute } for  pid=14511 comm="sh" name="iptables" dev=dm-0 ino=196608185 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1317126410.221:9934): arch=c000003e syscall=59 success=no exit=-13 a0=1a1b60c0 a1=1a1b61d0 a2=1a19fdb0 a3=8 items=0 ppid=14510 pid=14511 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:dhcpc_t:s0 key=(null)

Comment 1 Raymond Rugemalira 2011-09-27 14:46:05 UTC

I have run restorecon -v '/etc/init.d/iptable' '/sbin/iptables' to no avail.
I do not want to switch selinux off

Comment 2 Miroslav Grepl 2011-09-29 05:40:42 UTC

I am addding

optional_policy(`
    tunable_policy(`dhcpc_exec_iptables',`
        iptables_domtrans(dhcpc_t)
    ')
')

which we have in RHEL6. Which will allow it using

dhcpc_exec_iptables boolean

Comment 3 Miroslav Grepl 2011-09-29 11:22:35 UTC

Fixed in selinux-policy-2.4.6-317.el5

Comment 4 Raymond Rugemalira 2011-09-29 14:42:27 UTC

(In reply to comment #3)
> Fixed in selinux-policy-2.4.6-317.el5

Below is what I get when I run yum update selinux-policy-2.4.6-317.el5
Kindly instruct what to do.

# yum update selinux-policy-2.4.6-317.el5
Loaded plugins: product-id, rhnplugin, security, subscription-manager
Updating Red Hat repositories.
Skipping security plugin, no data
Setting up Update Process
No Match for argument: selinux-policy-2.4.6-317.el5
No package selinux-policy-2.4.6-317.el5 available.
No Packages marked for Update

Comment 5 Miroslav Grepl 2011-09-29 14:52:12 UTC

Yes, because this is a pre-release which is not available on rhn.

Comment 6 Raymond Rugemalira 2011-09-29 15:10:34 UTC

(In reply to comment #5)
> Yes, because this is a pre-release which is not available on rhn.

You are being pretty criptic with me. Could you clarify where to get the pre-release so I can rectify the error? Where is the pre-release package?

Comment 7 Miroslav Grepl 2011-09-29 15:20:46 UTC

This pre-release is now available from

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Comment 8 Karel Srot 2011-10-06 14:02:06 UTC

Hi Raymond,
could you please confirm that the issue is fixed with selinux-policy-2.4.6-317.el5? Thank you in advance.

Comment 9 Raymond Rugemalira 2011-10-06 19:09:58 UTC

I installed the pre-release version ofselinux-policy-2.4.6-317.el5 from 
http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ to no avail.The problem was not solved.

Comment 10 Miroslav Grepl 2011-10-07 07:32:08 UTC

You need to turn on the dhcpc_exec_iptables boolean.

setsebool -P dhcpc_exec_iptables 1

Comment 11 Raymond Rugemalira 2011-10-07 17:00:58 UTC

# setsebool -P dhcpc_exec_iptables 1
libsemanage.dbase_llist_set: record not found in the database
libsemanage.dbase_llist_set: could not set record value
Could not change boolean dhcpc_exec_iptables
Could not change policy booleans

Comment 12 Daniel Walsh 2011-10-07 17:06:45 UTC

rpm -q selinux-policy

Comment 15 errata-xmlrpc 2012-02-21 05:48:12 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0158.html

Note You need to log in before you can comment on or make changes to this bug.