Description of problem: I don't have any inputs as I have not been using it explicitly. My setup is a simple single computer with DSL.

SELinux is preventing /usr/sbin/ladvd from 'read' accesses on the file /etc/passwd.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that ladvd should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep ladvd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ladvd_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        ladvd
Source Path                   /usr/sbin/ladvd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ladvd-1.0.4-2.fc18.i686
Target RPM Packages           setup-2.8.57-1.fc18.noarch
Policy RPM                    selinux-policy-3.11.1-97.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.5-201.fc18.i686 #1 SMP Tue Jun 11 20:33:48 UTC 2013 i686 i686
Alert Count                   16
First Seen                    2013-05-19 17:21:10 IST
Last Seen                     2013-06-20 01:04:40 IST
Local ID                      a00ecba3-7fb6-4ac1-9928-ef6d1cfe04fe

Raw Audit Messages
type=AVC msg=audit(1371670480.996:25): avc: denied { read } for pid=687 comm="ladvd" name="passwd" dev="sda3" ino=2091098 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

type=SYSCALL msg=audit(1371670480.996:25): arch=i386 syscall=open success=no exit=EACCES a0=b7453ef5 a1=80000 a2=1b6 a3=b96ace40 items=0 ppid=1 pid=687 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=ladvd exe=/usr/sbin/ladvd subj=system_u:system_r:ladvd_t:s0 key=(null)

Hash: ladvd,ladvd_t,passwd_file_t,file,read

audit2allow

#============= ladvd_t ==============
allow ladvd_t passwd_file_t:file read;

audit2allow -R

require {
	type ladvd_t;
}

#============= ladvd_t ==============
auth_read_passwd(ladvd_t)

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.5-201.fc18.i686
type:           libreport
Looks like ladvd policy needs to be updated.
ladvd-1.0.4-3.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/ladvd-1.0.4-3.fc18
Package ladvd-1.0.4-3.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ladvd-1.0.4-3.fc18'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-12137/ladvd-1.0.4-3.fc18
then log in and leave karma (feedback).
ladvd-1.0.4-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Problem still persists.

$ rpm -q ladvd
ladvd-1.0.4-3.fc19.x86_64
$ rpm -q ladvd-selinux
ladvd-selinux-1.0.4-3.fc19.x86_64

ladvd lacks read and open permissions on /etc/passwd. Adding these in a local SELinux policy uncovers many other AVC denials. Looking in the SRPM at ladvd.te I don't see these listed in the policy.
Let's reopen this. I will investigate.
Could you attach AVC msgs?
It turns out ladvd generates quite a lot of access violations, and won't start in enforcing mode. It happens during host information gathering, but access to ladvd's socket is denied also. Miroslav, could you help in getting ladvd's policy in shape in a secure fashion?

type=AVC msg=audit(1377088647.155:264243): avc: denied { execute } for pid=17298 comm="ladvd" name="lsb_release" dev="dm-0" ino=527751 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1377088647.156:264244): avc: denied { open } for pid=17297 comm="ladvd" path="/etc/resolv.conf" dev="dm-0" ino=141233 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1377088647.156:264245): avc: denied { open } for pid=17297 comm="ladvd" path="/etc/hosts" dev="dm-0" ino=141308 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1377088647.156:264246): avc: denied { connect } for pid=17297 comm="ladvd" scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=udp_socket
type=AVC msg=audit(1377088647.156:264247): avc: denied { connect } for pid=17297 comm="ladvd" scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=udp_socket
type=AVC msg=audit(1377088647.156:264248): avc: denied { connect } for pid=17297 comm="ladvd" scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=udp_socket
type=AVC msg=audit(1377088647.156:264249): avc: denied { connect } for pid=17297 comm="ladvd" scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=udp_socket
type=AVC msg=audit(1377088647.156:264250): avc: denied { open } for pid=17297 comm="ladvd" path="/sys/devices/virtual/dmi/id/product_version" dev="sysfs" ino=175 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1377088647.156:264251): avc: denied { open } for pid=17297 comm="ladvd" path="/sys/devices/virtual/dmi/id/bios_version" dev="sysfs" ino=171 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1377088647.156:264252): avc: denied { open } for pid=17297 comm="ladvd" path="/sys/devices/virtual/dmi/id/product_serial" dev="sysfs" ino=176 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1377088647.156:264253): avc: denied { open } for pid=17297 comm="ladvd" path="/sys/devices/virtual/dmi/id/sys_vendor" dev="sysfs" ino=173 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1377088647.156:264254): avc: denied { open } for pid=17297 comm="ladvd" path="/sys/devices/virtual/dmi/id/product_name" dev="sysfs" ino=174 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1377088647.156:264255): avc: denied { net_admin } for pid=17297 comm="ladvd" capability=12 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=capability
type=AVC msg=audit(1377088647.156:264255): avc: denied { net_admin } for pid=17297 comm="ladvd" capability=12 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=capability
type=AVC msg=audit(1377088647.156:264255): avc: denied { net_admin } for pid=17297 comm="ladvd" capability=12 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=capability
type=AVC msg=audit(1377088647.156:264255): avc: denied { net_admin } for pid=17297 comm="ladvd" capability=12 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=capability
type=AVC msg=audit(1377088647.156:264255): avc: denied { open } for pid=17297 comm="ladvd" path="/proc/sys/net/ipv4/conf/all/forwarding" dev="proc" ino=69149548 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1377088647.156:264256): avc: denied { net_admin } for pid=17297 comm="ladvd" capability=12 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=capability
type=AVC msg=audit(1377088647.156:264256): avc: denied { net_admin } for pid=17297 comm="ladvd" capability=12 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=capability
type=AVC msg=audit(1377088647.156:264256): avc: denied { net_admin } for pid=17297 comm="ladvd" capability=12 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=capability
type=AVC msg=audit(1377088647.156:264256): avc: denied { net_admin } for pid=17297 comm="ladvd" capability=12 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=capability
type=AVC msg=audit(1377088647.156:264256): avc: denied { open } for pid=17297 comm="ladvd" path="/proc/sys/net/ipv6/conf/all/forwarding" dev="proc" ino=68510927 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1377088647.156:264257): avc: denied { create } for pid=17299 comm="ladvd" name="ladvd.sock" scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1377088647.156:264258): avc: denied { setpcap } for pid=17297 comm="ladvd" capability=8 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=capability
type=AVC msg=audit(1377088647.156:264259): avc: denied { setcap } for pid=17297 comm="ladvd" scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=process
type=AVC msg=audit(1377088647.156:264260): avc: denied { signal } for pid=17297 comm="ladvd" scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=process
Created attachment 798291
This patch should fix all of the SELinux issues.
ladvd-1.0.4-4.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/ladvd-1.0.4-4.fc18
Package ladvd-1.0.4-4.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ladvd-1.0.4-4.fc18'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17005/ladvd-1.0.4-4.fc18
then log in and leave karma (feedback).
ladvd-1.0.4-4.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Not all SELinux denies appear to have been found.

# yum update
# shutdown -r now
$ cat /etc/redhat-release
Fedora release 19 (Schrödinger’s Cat)
$ rpm -q ladvd ladvd-selinux
ladvd-1.0.4-4.fc19.x86_64
ladvd-selinux-1.0.4-4.fc19.x86_64
# systemctl start ladvd
# tail -f /var/log/messages
Oct  9 23:10:46 andromache systemd[1]: Starting uses CDP / LLDP frames to inform switches about connected hosts...
Oct  9 23:10:48 andromache systemd[1]: Started uses CDP / LLDP frames to inform switches about connected hosts.
Oct  9 23:10:48 andromache ladvd[1695]: ladvd 1.0.4 running
Oct  9 23:10:54 andromache ladvd[1695]: new peer neotokyo (CDP) on interface em1
Oct  9 23:10:54 andromache ladvd[1695]: ifdescr ioctl failed on em1
Oct  9 23:10:54 andromache ladvd[1695]: enabling CDP on interface em1
Oct  9 23:10:54 andromache dbus-daemon[301]: dbus[301]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Oct  9 23:10:54 andromache dbus[301]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Oct  9 23:10:57 andromache dbus[301]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Oct  9 23:10:57 andromache dbus-daemon[301]: dbus[301]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Oct  9 23:11:01 andromache ladvd[1695]: new peer adl-off-sw3 (LLDP) on interface em1
Oct  9 23:11:01 andromache ladvd[1695]: ifdescr ioctl failed on em1
Oct  9 23:11:01 andromache ladvd[1695]: enabling LLDP on interface em1
Oct  9 23:11:07 andromache setroubleshoot: SELinux is preventing /usr/sbin/ladvd from write access on the file ifalias. For complete SELinux messages. run sealert -l 1915b2e0-94dd-4e7d-b8c0-d4395447f05c
Oct  9 23:11:08 andromache setroubleshoot: SELinux is preventing /usr/sbin/ladvd from write access on the file ifalias. For complete SELinux messages. run sealert -l 1915b2e0-94dd-4e7d-b8c0-d4395447f05c
# systemctl stop ladvd
# sealert -l 1915b2e0-94dd-4e7d-b8c0-d4395447f05c
SELinux is preventing /usr/sbin/ladvd from write access on the file ifalias.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that ladvd should be allowed write access on the ifalias file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep ladvd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ladvd_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                ifalias [ file ]
Source                        ladvd
Source Path                   /usr/sbin/ladvd
Port                          <Unknown>
Host                          andromache###CENSORED###
Source RPM Packages           ladvd-1.0.4-4.fc19.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-74.8.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     andromache.adelaide.aarnet.edu.au
Platform                      Linux andromache.adelaide.aarnet.edu.au 3.11.3-201.fc19.x86_64 #1 SMP Thu Oct 3 00:47:03 UTC 2013 x86_64 x86_64
Alert Count                   28
First Seen                    2013-10-09 23:04:54 CST
Last Seen                     2013-10-09 23:12:24 CST
Local ID                      1915b2e0-94dd-4e7d-b8c0-d4395447f05c

Raw Audit Messages
type=AVC msg=audit(1381322544.475:553): avc: denied { write } for pid=1695 comm="ladvd" name="ifalias" dev="sysfs" ino=14176 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

type=SYSCALL msg=audit(1381322544.475:553): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff2f8333c0 a1=201 a2=14 a3=3 items=0 ppid=1 pid=1695 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=ladvd exe=/usr/sbin/ladvd subj=system_u:system_r:ladvd_t:s0 key=(null)

Hash: ladvd,ladvd_t,sysfs_t,file,write
The desire to write to that file appears to be related to the use of the "-z" option with ladvd.

$ cat /usr/lib/systemd/system/ladvd.service
...
[Service]
ExecStart=/usr/sbin/ladvd -f -a -z
...

$ man ladvd
...
-z   Save received peer information in interface descriptions (requires SIOCSIFDESCR support) or Linux ifAliases.
...
It seems to me that "-z" requires a level of trust in the partner interface which should not be assumed by default. That is, an SELinux boolean, defaulting to off, seems necessary. Furthermore, "-z" should be removed from the as-shipped start options.
I will try to add a boolean, but my selinux-fu isn't the strongest. I will not remove "-z", though. It's a useful default and yours is the first objection to it in nearly two years since https://lists.fedoraproject.org/pipermail/devel/2012-January/161543.html
"-z" increases risk. The option allows remote exploitation of flaws in the ifalias or SIOCSIFDESCR mechanism. Such flaws wouldn't otherwise be remotely exploitable, as they would be limited to those already with root access on the local machine. Even without a flaw to exploit, the mechanism allows vandalism (e.g. the partner interface setting the interface description to rude words). I am arguing that "-z" is useful in networks where the partner interface can be trusted, and arguing that this trust should not be assumed by the as-shipped setting (i.e. systems should ship secure by default).

"...yours is the first objection to it in nearly two years". If I had seen this e-mail two years ago I would have objected then. The statement highlights the necessary paucity of communications in large projects; it is not a justification for retaining the option as the shipped default.
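As an added example (not code from this bug, nor from the ladvd or selinux-policy projects), this is the triage a policy author does with the AVC dumps earlier in this thread: merge the repeated records into the allow rules audit2allow would print, and flag the permissions that deserve a decision rather than a blanket allow. The five sample records are quoted from this thread; the NEEDS_REVIEW table and its reasons are the editor's, with the sysfs write being the ifalias case the boolean proposal above is about.

```python
import re
from collections import defaultdict

# Five AVC records quoted from this bug thread: the passwd read, the duplicated
# net_admin denial, the socket creation and the ifalias write.
SAMPLE_AVCS = """\
type=AVC msg=audit(1371670480.996:25): avc: denied { read } for pid=687 comm="ladvd" name="passwd" dev="sda3" ino=2091098 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1377088647.156:264255): avc: denied { net_admin } for pid=17297 comm="ladvd" capability=12 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=capability
type=AVC msg=audit(1377088647.156:264255): avc: denied { net_admin } for pid=17297 comm="ladvd" capability=12 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=capability
type=AVC msg=audit(1377088647.156:264257): avc: denied { create } for pid=17299 comm="ladvd" name="ladvd.sock" scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1381322544.475:553): avc: denied { write } for pid=1695 comm="ladvd" name="ifalias" dev="sysfs" ino=14176 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
"""

# Denials a reviewer should not wave through as a blanket allow (editor's table):
# the sysfs write is the "-z" ifalias case argued in this thread; the passwd read
# is what audit2allow -R itself maps to an interface instead of a raw rule.
NEEDS_REVIEW = {
    ("sysfs_t", "file", "write"): "sysfs write (ifalias); gate behind a boolean",
    ("passwd_file_t", "file", "read"): "use auth_read_passwd() instead of a raw allow",
}

def parse_avc(line):
    """(source type, target type, class, perms) or None for non-AVC lines.
    Assumes single-level contexts user:role:type:s0, as in the thread."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    stype, ttype = f["scontext"].split(":")[2], f["tcontext"].split(":")[2]
    # audit2allow spells a target identical to the source as "self"
    return stype, "self" if ttype == stype else ttype, f["tclass"], set(m.group(1).split())

def summarize(text):
    """Merge repeated denials into one (source, target, class) -> perms map."""
    rules = defaultdict(set)
    for rec in filter(None, map(parse_avc, text.splitlines())):
        rules[rec[:3]].update(rec[3])
    return rules

def allow_rules(rules):
    """Render merged denials in the syntax audit2allow emits."""
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        joined = " ".join(sorted(perms))
        p = joined if len(perms) == 1 else "{ " + joined + " }"
        out.append(f"allow {s} {t}:{c} {p};")
    return out

def review(rules):
    """Flagged permissions paired with the reason they need a human decision."""
    return sorted((f"{t}:{c} {p}", NEEDS_REVIEW[(t, c, p)]) for (_, t, c), perms
                  in rules.items() for p in perms if (t, c, p) in NEEDS_REVIEW)
```

Feed it `grep ladvd /var/log/audit/audit.log` instead of SAMPLE_AVCS to triage a live box; lines that are not AVC records (SYSCALL, syslog) are skipped.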
This message is a reminder that Fedora 18 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 18. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 18 reaches end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Sorry, forgot about this bug. I decided against creating a new sebool and to retain current functionality.