Bug 855314 - Saving ebtables is blocked when unconfined module is disabled
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Michal Trunecka
Reported: 2012-09-07 07:33 EDT by Michal Trunecka
Modified: 2014-09-30 19:33 EDT (History)
Fixed In Version: selinux-policy-3.7.19-162.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 03:28:57 EST
Type: Bug
Description Michal Trunecka 2012-09-07 07:33:28 EDT
Description of problem:
"service ebtables save" is blocked with unconfined module disabled. The test passed with no AVCs with both mentioned modules enabled. The AVC messages are the following:

----
time->Fri Sep  7 13:27:46 2012
type=PATH msg=audit(1347017266.300:1186): item=1 name="/etc/sysconfig/ebtables.nat.save" inode=148046 dev=08:03 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:system_conf_t:s0
type=PATH msg=audit(1347017266.300:1186): item=0 name="/etc/sysconfig/" inode=129796 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=CWD msg=audit(1347017266.300:1186):  cwd="/"
type=SYSCALL msg=audit(1347017266.300:1186): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=d990c0 a2=0 a3=20 items=2 ppid=7114 pid=7126 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="rm" exe="/bin/rm" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347017266.300:1186): avc:  denied  { unlink } for  pid=7126 comm="rm" name="ebtables.nat.save" dev=sda3 ino=148046 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:system_conf_t:s0 tclass=file
----
time->Fri Sep  7 13:27:46 2012
type=PATH msg=audit(1347017266.314:1187): item=0 name="/etc/sysconfig/ebtables.nat" inode=148040 dev=08:03 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:system_conf_t:s0
type=CWD msg=audit(1347017266.314:1187):  cwd="/"
type=SYSCALL msg=audit(1347017266.314:1187): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=9040f0 a2=180 a3=0 items=1 ppid=7114 pid=7132 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="chmod" exe="/bin/chmod" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347017266.314:1187): avc:  denied  { setattr } for  pid=7132 comm="chmod" name="ebtables.nat" dev=sda3 ino=148040 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:system_conf_t:s0 tclass=file
----
time->Fri Sep  7 13:27:46 2012
type=PATH msg=audit(1347017266.315:1188): item=3 name="/etc/sysconfig/ebtables.nat.save" inode=148040 dev=08:03 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:system_conf_t:s0
type=PATH msg=audit(1347017266.315:1188): item=2 name="/etc/sysconfig/ebtables.nat" inode=148040 dev=08:03 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:system_conf_t:s0
type=PATH msg=audit(1347017266.315:1188): item=1 name="/etc/sysconfig/" inode=129796 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=PATH msg=audit(1347017266.315:1188): item=0 name="/etc/sysconfig/" inode=129796 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=CWD msg=audit(1347017266.315:1188):  cwd="/"
type=SYSCALL msg=audit(1347017266.315:1188): arch=c000003e syscall=82 success=yes exit=0 a0=7fffe2b06f5c a1=7fffe2b06f78 a2=0 a3=2 items=4 ppid=7114 pid=7133 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="mv" exe="/bin/mv" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347017266.315:1188): avc:  denied  { rename } for  pid=7133 comm="mv" name="ebtables.nat" dev=sda3 ino=148040 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:system_conf_t:s0 tclass=file


Version-Release number of selected component (if applicable):
ebtables-2.0.9-6.el6.x86_64
selinux-policy-3.7.19-155.el6_3.noarch
selinux-policy-targeted-3.7.19-155.el6_3.noarch
selinux-policy-mls-3.7.19-155.el6_3.noarch

How reproducible:
always

Steps to Reproduce:
1. semodule -d unconfined; semodule -d unlabelednet
2. service ebtables start; service ebtables save
  
Actual results:
ebtables are not saved

Expected results:
ebtables saved, without any AVC
Comment 2 Miroslav Grepl 2012-09-11 02:15:59 EDT
Added 

files_manage_system_conf_files(initrc_t)

which we have in Fedora.
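The three denials above all share one pattern: source type initrc_t, target type system_conf_t, class file, with rm, chmod and mv each needing a different permission. The added example below (written for this page, not part of the bug or of selinux-policy) aggregates the AVC records the way audit2allow does, renders the resulting allow rule, and checks that the denied permissions fall inside refpolicy's manage_file_perms set, which is what files_manage_system_conf_files() grants; the AVC lines are copied from the report and MANAGE_FILE_PERMS is refpolicy's macro definition.

```python
import re
from collections import defaultdict

# The three AVC records quoted in this bug report (constructed test input, copied from the page).
AVC_LINES = [
    'type=AVC msg=audit(1347017266.300:1186): avc:  denied  { unlink } for  pid=7126 comm="rm" '
    'name="ebtables.nat.save" dev=sda3 ino=148046 scontext=unconfined_u:system_r:initrc_t:s0 '
    'tcontext=unconfined_u:object_r:system_conf_t:s0 tclass=file',
    'type=AVC msg=audit(1347017266.314:1187): avc:  denied  { setattr } for  pid=7132 comm="chmod" '
    'name="ebtables.nat" dev=sda3 ino=148040 scontext=unconfined_u:system_r:initrc_t:s0 '
    'tcontext=unconfined_u:object_r:system_conf_t:s0 tclass=file',
    'type=AVC msg=audit(1347017266.315:1188): avc:  denied  { rename } for  pid=7133 comm="mv" '
    'name="ebtables.nat" dev=sda3 ino=148040 scontext=unconfined_u:system_r:initrc_t:s0 '
    'tcontext=unconfined_u:object_r:system_conf_t:s0 tclass=file',
]

# refpolicy's manage_file_perms macro; files_manage_system_conf_files(initrc_t) grants exactly
# this set on system_conf_t files, so every denied permission must be a member of it.
MANAGE_FILE_PERMS = frozenset(
    "create open getattr setattr read write append rename link unlink ioctl lock".split())

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<c>\S+)")


def type_of(ctx):
    """Extract the type field from a user:role:type:level security context."""
    return ctx.split(":")[2]


def aggregate(lines):
    """Group denials by (source type, target type, class) -> set of denied permissions."""
    groups = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:  # skip non-AVC records (PATH, CWD, SYSCALL) if a raw ausearch dump is passed in
            groups[(type_of(m["s"]), type_of(m["t"]), m["c"])].update(m["perms"].split())
    return dict(groups)


def allow_rules(groups):
    """Render each group as the TE allow rule audit2allow would emit."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(groups.items())]


def covered_by_manage_file(groups, src, tgt):
    """True if every denied file permission for src -> tgt is within manage_file_perms."""
    perms = groups.get((src, tgt, "file"), set())
    return bool(perms) and perms <= MANAGE_FILE_PERMS


if __name__ == "__main__":
    g = aggregate(AVC_LINES)
    print("\n".join(allow_rules(g)))
    print("covered by files_manage_system_conf_files:", covered_by_manage_file(g, "initrc_t", "system_conf_t"))
```

On a live system the same grouping can be confirmed after the fix with `sesearch -A -s initrc_t -t system_conf_t -c file`, which should list rename, setattr and unlink among the allowed permissions.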
Comment 6 errata-xmlrpc 2013-02-21 03:28:57 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html
