Bug 868866 - SELinux is preventing /usr/sbin/fping from 'create' accesses on the rawip_socket .
SELinux is preventing /usr/sbin/fping from 'create' accesses on the rawip_soc...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
17
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:8d44b81f68c6f855e8c6c60b04e...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-10-22 06:26 EDT by Ilkka Tengvall
Modified: 2012-12-20 10:28 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-20 10:28:23 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
File: type (9 bytes, text/plain)
2012-10-22 06:26 EDT, Ilkka Tengvall
no flags Details
File: hashmarkername (14 bytes, text/plain)
2012-10-22 06:26 EDT, Ilkka Tengvall
no flags Details

  None (edit)
Description Ilkka Tengvall 2012-10-22 06:26:27 EDT
Description of problem:
I installed smokeping, and started httpd, and entered webpage http://localhost/smokeping/sm.cgi

Additional info:
libreport version: 2.0.14
kernel:         3.6.1-1.fc17.x86_64

description:
:SELinux is preventing /usr/sbin/fping from 'create' accesses on the rawip_socket .
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that fping should be allowed create access on the  rawip_socket by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep fping /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:httpd_smokeping_cgi_script_t:s0
:Target Context                system_u:system_r:httpd_smokeping_cgi_script_t:s0
:Target Objects                 [ rawip_socket ]
:Source                        fping
:Source Path                   /usr/sbin/fping
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           fping-3.0-1.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-153.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.1-1.fc17.x86_64 #1 SMP Wed Oct
:                              10 12:13:05 UTC 2012 x86_64 x86_64
:Alert Count                   3
:First Seen                    2012-10-22 13:20:56 EEST
:Last Seen                     2012-10-22 13:20:56 EEST
:Local ID                      cef8cb11-e4b8-419d-8d52-b67ec17d831a
:
:Raw Audit Messages
:type=AVC msg=audit(1350901256.421:6049): avc:  denied  { create } for  pid=9349 comm="fping" scontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tcontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tclass=rawip_socket
:
:
:type=SYSCALL msg=audit(1350901256.421:6049): arch=x86_64 syscall=socket success=no exit=EACCES a0=2 a1=3 a2=1 a3=7fffae008880 items=0 ppid=9291 pid=9349 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=fping exe=/usr/sbin/fping subj=system_u:system_r:httpd_smokeping_cgi_script_t:s0 key=(null)
:
:Hash: fping,httpd_smokeping_cgi_script_t,httpd_smokeping_cgi_script_t,rawip_socket,create
:
:audit2allow
:
:#============= httpd_smokeping_cgi_script_t ==============
:allow httpd_smokeping_cgi_script_t self:rawip_socket create;
:
:audit2allow -R
:
:#============= httpd_smokeping_cgi_script_t ==============
:allow httpd_smokeping_cgi_script_t self:rawip_socket create;
:
Comment 1 Ilkka Tengvall 2012-10-22 06:26:29 EDT
Created attachment 631387 [details]
File: type
Comment 2 Ilkka Tengvall 2012-10-22 06:26:31 EDT
Created attachment 631388 [details]
File: hashmarkername
Comment 3 Ilkka Tengvall 2012-10-22 06:29:46 EDT
and after allowing that, it continues to nag:


SELinux is preventing /usr/sbin/fping from using the net_raw capability.

Plugin: catchall 
you want to allow fping to have net_raw access on the capabilityIf you believe that fping should have the net_raw capability by default.
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep fping /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Comment 4 Dominick Grift 2012-10-22 07:27:09 EDT
the cgi script needs to be able to run ping in the ping_t domain

Temporary fix:

mkdir mysmokep; cd mysmokep; echo "policy_module(mysmokep, 1.0.0) gen_require(\` type httpd_smokeping_cgi_script_t; ') netutils_domtrans_ping(httpd_smokeping_cgi_script_t)" > mysmokep.te

make -f /usr/share/selinux/devel/Makefile mysmokep.pp

semodule -i mysmokep.pp
Comment 5 Miroslav Grepl 2012-10-22 09:44:35 EDT
added.

commit 49bd3ad0a443459e3acd6ed451f49c724bd66eb0
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Oct 22 15:44:00 2012 +0200

    Allow smokeping to execute fping in the neutils domain
Comment 6 Ilkka Tengvall 2012-10-24 02:39:15 EDT
Just for the record, I had still this one to add after updgrading to selinux-policy-3.10.0-156.fc17.noarch. I hadn't applied your temporary fix, maybe it would've done the same effect.


module mypol.pp 1.0;

require {
	type bin_t;
	type httpd_smokeping_cgi_script_t;
	type smokeping_t;
	type httpd_t;
	class capability net_raw;
	class unix_stream_socket { shutdown ioctl getattr accept };
	class file { read execute open execute_no_trans };
	class rawip_socket create;
}

#============= httpd_smokeping_cgi_script_t ==============
allow httpd_smokeping_cgi_script_t httpd_t:unix_stream_socket { ioctl accept getattr shutdown };
#!!!! This avc is allowed in the current policy

allow httpd_smokeping_cgi_script_t self:capability net_raw;
#!!!! This avc is allowed in the current policy

allow httpd_smokeping_cgi_script_t self:rawip_socket create;

#============= smokeping_t ==============
#!!!! This avc is allowed in the current policy
Comment 7 Ilkka Tengvall 2012-10-24 02:48:29 EDT
Just for the record, there is another bug open about this #868893. SELinux doesn't produce any logs into audit.log any longer, but smokeping fcgi page works only if selinux is permissive. weird.
Comment 8 Miroslav Grepl 2012-10-24 05:22:27 EDT
Could you test it with

http://koji.fedoraproject.org/koji/buildinfo?buildID=361848
Comment 9 Ilkka Tengvall 2012-10-24 05:48:36 EDT
thanks, doesn't give errors anymore. But it didn't anymore even without it, I had applied manually the above rules. I can remove my additions if you tell me how :)

The weird thing is that the selinux makes smokeping web page fail, even though it doesn't log anything anymore into audit.log. If I set it to permissive, smokeping fcgi works fine.
Comment 10 Ilkka Tengvall 2012-10-24 05:49:43 EDT
I forgot to mention clearly: So I tried your package from Koji, that is.
Comment 11 Miroslav Grepl 2012-10-24 05:55:46 EDT
Please remove your local policy

# semodule -r mypol
Comment 12 Ilkka Tengvall 2012-10-24 06:05:56 EDT
thanks, I removed the policies using the file from my policy in comment #6.

SELinux won't nag any longer, but somehow it still prevents smokeping from working. setenforce 0 fixes smokeping fcgi.
Comment 13 Miroslav Grepl 2012-10-24 06:10:04 EDT
and are you getting AVC msgs?

# setenforce 1
# setneforce 0

re-test and execute

# ausearch -m avc,user_avc
Comment 14 Fedora Update System 2012-11-06 03:20:01 EST
selinux-policy-3.10.0-159.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-159.fc17
Comment 15 Fedora Update System 2012-11-07 21:02:22 EST
Package selinux-policy-3.10.0-159.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-159.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17782/selinux-policy-3.10.0-159.fc17
then log in and leave karma (feedback).
Comment 16 Fedora Update System 2012-12-20 10:28:25 EST
selinux-policy-3.10.0-159.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.