Bug 816251 - SELinux blocks /bin/ping from read access to dhclient.suspend file on resume from hibernate
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2012-04-25 15:59 UTC by gjenkins
Modified: 2013-02-21 08:35 UTC (History)
Fixed In Version: selinux-policy-3.7.19-156.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 08:35:20 UTC
Links
System: Red Hat Product Errata
ID: RHBA-2013:0314
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2013-02-20 20:35:01 UTC

Description gjenkins 2012-04-25 15:59:50 UTC
Description of problem:
SELinux is preventing /bin/ping from read access on the file /var/run/pm-utils/network/dhclient.suspend.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that ping should be allowed read access on the dhclient.suspend file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ping /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ping_t:s0-s0:c0.c1023
Target Context                system_u:object_r:hald_var_run_t:s0
Target Objects                /var/run/pm-utils/network/dhclient.suspend [ file
                              ]
Source                        ping
Source Path                   /bin/ping
Port                          <Unknown>
Host                          zorak.local
Source RPM Packages           iputils-20071127-16.el6
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-126.el6_2.10
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     zorak.local
Platform                      Linux zorak.local 2.6.32-220.7.1.el6.x86_64 #1 SMP
                              Fri Feb 10 15:22:22 EST 2012 x86_64 x86_64
Alert Count                   7
First Seen                    Wed 14 Mar 2012 09:10:20 PM CDT
Last Seen                     Wed 25 Apr 2012 08:37:24 AM CDT
Local ID                      37efa722-4372-4d8a-af8e-7adeb58355a2

Raw Audit Messages
type=AVC msg=audit(1335361044.213:3396): avc:  denied  { read } for  pid=19326 comm="ping" path="/var/run/pm-utils/network/dhclient.suspend" dev=dm-0 ino=1966089 scontext=system_u:system_r:ping_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_var_run_t:s0 tclass=file


type=SYSCALL msg=audit(1335361044.213:3396): arch=x86_64 syscall=execve success=yes exit=0 a0=12d8a90 a1=1300aa0 a2=1307b70 a3=50 items=0 ppid=19314 pid=19326 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ping exe=/bin/ping subj=system_u:system_r:ping_t:s0-s0:c0.c1023 key=(null)

Hash: ping,ping_t,hald_var_run_t,file,read

audit2allow

#============= ping_t ==============
allow ping_t hald_var_run_t:file read;

audit2allow -R

#============= ping_t ==============
allow ping_t hald_var_run_t:file read;



Version-Release number of selected component (if applicable):

[root@zorak tmp]# rpm -q selinux-policy
selinux-policy-3.7.19-126.el6_2.10.noarch

How reproducible:
All the time.

Steps to Reproduce:
1. Hibernate
2. Resume
3. Get AVC msg (after a few moments)
  
Actual results:
Get the AVC message

Expected results:
No errors, network resumes

Additional info:

Comment 2 Daniel Walsh 2012-04-27 15:12:00 UTC
This is a leaked file descriptor but should be dontaudited.

Comment 3 gjenkins 2012-04-27 22:15:26 UTC
In the meantime, any objection to me generating the local policy to avoid the message? I can unload it to collect any additional data or to reproduce if needed.

Something does eventually clean up the file (maybe dhclient itself after resuming?). By the time I get a shell opened and try to look at dhclient.suspend, it is gone.

Comment 4 gjenkins 2012-04-28 00:33:28 UTC
After my previous post, I realized I likely misunderstood Dan's comment #2.

So, to clarify:
- Rather than using an "allow ...." rule, the correct way is to create a "dontaudit ..." rule.

- The "leaked file descriptor" indicates that it is not selinux misbehaving, but rather revealing poor file behaviour of some other application. (I suspected this was the case.)

Comment 5 gjenkins 2012-04-28 00:44:43 UTC
After some digging to find out how to create a local.pp policy package to avoid the error and AVC message on my system, here is what I did. Please advise if this is not correct or is likely to cause other undesired side-effects.

I created a local.pp policy based on a local.te file containing:

module local 1.0;

require {
	type hald_var_run_t;
	type ping_t;
	class file read;
}

#============= ping_t ==============
dontaudit ping_t hald_var_run_t:file read;



It also appears that an selinux "interface" already exists to handle this scenario. Would this short form also achieve the same result?:

module local 1.1;

require {
	type ping_t;
}

#============= ping_t ==============
hal_dontaudit_read_pid_files(ping_t)
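
The hand-written local.te above is the dontaudit form of what audit2allow printed in the description. As an added illustration (not code from this report or from the selinux-policy project), the Python script below derives that module from raw audit records: it parses the AVC line quoted in the description plus a second, constructed denial for the same type pair, pulls the source type, target type, class and permissions out of each record, and emits the require block and dontaudit rules. The sample log text and all function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the raw AVC line quoted in this bug report, the
# matching SYSCALL record (ignored by the parser), and a second, constructed
# denial for the same type pair to show that permissions get merged.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1335361044.213:3396): avc:  denied  { read } for  pid=19326 comm="ping" path="/var/run/pm-utils/network/dhclient.suspend" dev=dm-0 ino=1966089 scontext=system_u:system_r:ping_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1335361044.213:3396): arch=x86_64 syscall=execve success=yes exit=0 comm=ping exe=/bin/ping subj=system_u:system_r:ping_t:s0-s0:c0.c1023
type=AVC msg=audit(1335361050.100:3397): avc:  denied  { getattr } for  pid=19330 comm="ping" path="/var/run/pm-utils/network/dhclient.suspend" dev=dm-0 ino=1966089 scontext=system_u:system_r:ping_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_var_run_t:s0 tclass=file
"""


def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for line in log_text.splitlines():
        if "type=AVC" not in line or "denied" not in line:
            continue
        perms = re.search(r"\{\s*([^}]*?)\s*\}", line)
        scontext = re.search(r"scontext=(\S+)", line)
        tcontext = re.search(r"tcontext=(\S+)", line)
        tclass = re.search(r"tclass=(\S+)", line)
        if not (perms and scontext and tcontext and tclass):
            continue
        # A context is user:role:type[:mls]; the policy rule only needs the type.
        yield (scontext.group(1).split(":")[2], tcontext.group(1).split(":")[2],
               tclass.group(1), set(perms.group(1).split()))


def fmt_perms(perms):
    """One permission is written bare, several are brace-grouped (.te syntax)."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_dontaudit_module(log_text, name="local", version="1.0"):
    """Build a .te module that silences (dontaudit) every denial in log_text."""
    rules = defaultdict(set)      # (stype, ttype, tclass) -> permissions
    classes = defaultdict(set)    # tclass -> permissions, for the require block
    for stype, ttype, tclass, perms in parse_avc_denials(log_text):
        rules[(stype, ttype, tclass)] |= perms
        classes[tclass] |= perms
    types = sorted({t for key in rules for t in key[:2]})
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"dontaudit {stype} {ttype}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"
```

The generated text is compiled and loaded the same way as the hand-written module (checkmodule -M -m, semodule_package, semodule -i); audit2allow's -D option produces dontaudit rules directly in the same way.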

Comment 6 Miroslav Grepl 2012-05-02 08:52:46 UTC
Yes, we need to add

hal_dontaudit_read_pid_files(ping_t)

Comment 12 Daniel Walsh 2012-11-27 15:53:52 UTC
I don't really think this matters.  dontaudit would be better but this access only allows ping to read a leaked file from hald, which probably contains its pid.

Comment 14 errata-xmlrpc 2013-02-21 08:35:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html

