Bug 890699 - SELinux is preventing /usr/bin/bash from 'getattr' accesses on the file /usr/bin/kmod.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:0ad27d71068dccfc1a06ed97e85...
Depends On:
Blocks:
Reported: 2012-12-28 21:55 UTC by Ian Pilcher
Modified: 2013-01-23 01:54 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-23 01:54:34 UTC
Type: ---
Embargoed:



Description Ian Pilcher 2012-12-28 21:55:09 UTC
Description of problem:
SELinux is preventing /usr/bin/bash from 'getattr' accesses on the file /usr/bin/kmod.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed getattr access on the kmod file by default, then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep ovs-ctl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:openvswitch_t:s0
Target Context                system_u:object_r:insmod_exec_t:s0
Target Objects                /usr/bin/kmod [ file ]
Source                        ovs-ctl
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.2.39-3.fc18.x86_64
Target RPM Packages           kmod-10-1.fc18.x86_64
Policy RPM                    selinux-policy-3.11.1-66.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.6.10-4.fc18.x86_64 #1 SMP Tue
                              Dec 11 18:01:27 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    2012-12-28 15:45:09 CST
Last Seen                     2012-12-28 15:52:04 CST
Local ID                      30f37de9-4fc5-45ac-aa9b-7c2c2034c620

Raw Audit Messages
type=AVC msg=audit(1356731524.782:21): avc:  denied  { getattr } for  pid=1881 comm="ovs-ctl" path="/usr/bin/kmod" dev="dm-0" ino=1724555 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1356731524.782:21): arch=x86_64 syscall=stat success=yes exit=0 a0=133d650 a1=7fff1d274e70 a2=7fff1d274e70 a3=f items=0 ppid=1879 pid=1881 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ovs-ctl exe=/usr/bin/bash subj=system_u:system_r:openvswitch_t:s0 key=(null)

Hash: ovs-ctl,openvswitch_t,insmod_exec_t,file,getattr

audit2allow
audit2allow -R

Additional info:
hashmarkername: setroubleshoot
kernel:         3.6.10-4.fc18.x86_64
type:           libreport

Comment 1 Miroslav Grepl 2013-01-02 11:28:59 UTC
Does ovs-ctl execute kmod? Are you getting more AVC msgs?

Could you re-test it and execute

# ausearch -m avc -ts recent


Thank you.

Comment 2 Ian Pilcher 2013-01-02 15:51:56 UTC
The large majority of the kmod-related AVCs seem to occur when the Open vSwitch daemon starts.  I just rebooted with the daemon (and all bridges) disabled, and starting ovs-vswitchd manually (sudo systemctl start openvswitch.service) gave me the following:

type=AVC msg=audit(1357140555.479:49): avc:  denied  { getattr } for  pid=2009 comm="ovs-ctl" path="/usr/bin/kmod" dev="dm-0" ino=1724555 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1357140555.479:49): arch=c000003e syscall=4 success=yes exit=0 a0=1fb1650 a1=7fff870a7b10 a2=7fff870a7b10 a3=f items=0 ppid=2008 pid=2009 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-ctl" exe="/usr/bin/bash" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1357140555.479:50): avc:  denied  { execute } for  pid=2009 comm="ovs-ctl" name="kmod" dev="dm-0" ino=1724555 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1357140555.479:50): arch=c000003e syscall=21 success=yes exit=0 a0=1fb1650 a1=1 a2=7fff870a7a50 a3=f items=0 ppid=2008 pid=2009 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-ctl" exe="/usr/bin/bash" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1357140555.479:51): avc:  denied  { read } for  pid=2009 comm="ovs-ctl" name="kmod" dev="dm-0" ino=1724555 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1357140555.479:51): arch=c000003e syscall=21 success=yes exit=0 a0=1fb1650 a1=4 a2=7fff870a7a50 a3=f items=0 ppid=2008 pid=2009 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-ctl" exe="/usr/bin/bash" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1357140555.479:52): avc:  denied  { open } for  pid=2115 comm="ovs-ctl" path="/usr/bin/kmod" dev="dm-0" ino=1724555 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1357140555.479:52): avc:  denied  { execute_no_trans } for  pid=2115 comm="ovs-ctl" path="/usr/bin/kmod" dev="dm-0" ino=1724555 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1357140555.479:52): arch=c000003e syscall=59 success=yes exit=0 a0=1fb1650 a1=1f5bc70 a2=1fa86e0 a3=18 items=0 ppid=2009 pid=2115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1357140555.480:53): avc:  denied  { getattr } for  pid=2115 comm="modprobe" path="/etc/modprobe.d" dev="dm-0" ino=131080 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1357140555.480:53): arch=c000003e syscall=4 success=yes exit=0 a0=3e9860f98f a1=7fff9d163e10 a2=7fff9d163e10 a3=365f3638782e3831 items=0 ppid=2009 pid=2115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1357140555.480:54): avc:  denied  { read } for  pid=2115 comm="modprobe" name="modprobe.d" dev="dm-0" ino=131080 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=AVC msg=audit(1357140555.480:54): avc:  denied  { open } for  pid=2115 comm="modprobe" path="/etc/modprobe.d" dev="dm-0" ino=131080 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1357140555.480:54): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=3e9860f98f a2=90800 a3=0 items=0 ppid=2009 pid=2115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1357140555.480:55): avc:  denied  { search } for  pid=2115 comm="modprobe" name="modprobe.d" dev="dm-0" ino=131080 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=AVC msg=audit(1357140555.480:55): avc:  denied  { getattr } for  pid=2115 comm="modprobe" path="/etc/modprobe.d/udlfb.conf" dev="dm-0" ino=140487 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1357140555.480:55): arch=c000003e syscall=262 success=yes exit=0 a0=3 a1=7fff9d163f43 a2=7fff9d163ea0 a3=0 items=0 ppid=2009 pid=2115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1357140555.480:56): avc:  denied  { getattr } for  pid=2115 comm="modprobe" path="/etc/modprobe.d/kvm-intel.conf" dev="dm-0" ino=131082 scontext=system_u:system_r:openvswitch_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1357140555.480:56): arch=c000003e syscall=262 success=yes exit=0 a0=3 a1=7fff9d163f43 a2=7fff9d163ea0 a3=0 items=0 ppid=2009 pid=2115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1357140555.480:57): avc:  denied  { read } for  pid=2115 comm="modprobe" name="blacklist.conf" dev="dm-0" ino=131081 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1357140555.480:57): avc:  denied  { open } for  pid=2115 comm="modprobe" path="/etc/modprobe.d/blacklist.conf" dev="dm-0" ino=131081 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1357140555.480:57): arch=c000003e syscall=2 success=yes exit=3 a0=7fff9d163f30 a1=80000 a2=7fff9d163f4e a3=e items=0 ppid=2009 pid=2115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1357140555.480:58): avc:  denied  { read } for  pid=2115 comm="modprobe" name="kvm-intel.conf" dev="dm-0" ino=131082 scontext=system_u:system_r:openvswitch_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1357140555.480:58): avc:  denied  { open } for  pid=2115 comm="modprobe" path="/etc/modprobe.d/kvm-intel.conf" dev="dm-0" ino=131082 scontext=system_u:system_r:openvswitch_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1357140555.480:58): arch=c000003e syscall=2 success=yes exit=3 a0=7fff9d163f30 a1=80000 a2=7fff9d163f4e a3=e items=0 ppid=2009 pid=2115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1357140555.481:59): avc:  denied  { search } for  pid=2115 comm="modprobe" name="modules" dev="dm-0" ino=1703971 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir
type=AVC msg=audit(1357140555.481:59): avc:  denied  { read } for  pid=2115 comm="modprobe" name="modules.dep.bin" dev="dm-0" ino=1842811 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1357140555.481:59): avc:  denied  { open } for  pid=2115 comm="modprobe" path="/usr/lib/modules/3.6.10-4.fc18.x86_64/modules.dep.bin" dev="dm-0" ino=1842811 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=SYSCALL msg=audit(1357140555.481:59): arch=c000003e syscall=2 success=yes exit=3 a0=7fff9d163fa0 a1=80000 a2=6ce170 a3=20 items=0 ppid=2009 pid=2115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1357140555.481:60): avc:  denied  { getattr } for  pid=2115 comm="modprobe" path="/usr/lib/modules/3.6.10-4.fc18.x86_64/modules.dep.bin" dev="dm-0" ino=1842811 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=SYSCALL msg=audit(1357140555.481:60): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff9d163ec0 a2=7fff9d163ec0 a3=20 items=0 ppid=2009 pid=2115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:openvswitch_t:s0 key=(null)

I also see denials when shutting down VMs:

type=AVC msg=audit(1357139193.951:4444): avc:  denied  { module_request } for  pid=1584 comm="ovs-vswitchd" kmod="netdev-vnet13" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1357139193.951:4444): arch=c000003e syscall=16 success=no exit=-19 a0=10 a1=8913 a2=7fff99c842d0 a3=ffffffff items=0 ppid=1583 pid=1584 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vswitchd" exe=2F7573722F7362696E2F6F76732D7673776974636864202864656C6574656429 subj=system_u:system_r:openvswitch_t:s0 key=(null)

These are not 100% consistent, however.  I just shut down a VM with 4 Open vSwitch VNICs, and I only received two of these messages.  Then I shut down a different 4-VNIC VM, and saw no denials at all.

I have not seen any kmod-related AVCs when running ovs-vsctl directly.  The other denials I'm getting are the netlink socket-related ones in bug 890762.

Comment 3 Ian Pilcher 2013-01-02 15:54:24 UTC
One other thing, that I should probably state explicitly, is that all of my bridges appear to be working just fine.  In fact, you can see that many of the AVC-generating system calls are succeeding, even though the system is in enforcing mode.

Comment 4 Daniel Walsh 2013-01-02 19:04:54 UTC
That is probably because openvswitch_t is a permissive domain.

Looks like it is just scanning for loaded modules and then asking the kernel to load them.

I just added these rules to F19 policy.  Miroslav please back port.

Comment 5 Miroslav Grepl 2013-01-03 09:07:22 UTC
Added to selinux-policy-3.11.1-70.fc18

Comment 6 Fedora Update System 2013-01-15 22:19:27 UTC
selinux-policy-3.11.1-71.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-71.fc18

Comment 7 Fedora Update System 2013-01-18 20:40:07 UTC
Package selinux-policy-3.11.1-71.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-71.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-0945/selinux-policy-3.11.1-71.fc18
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2013-01-23 01:54:36 UTC
selinux-policy-3.11.1-71.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

