Bug 975959 - SELinux is preventing /usr/sbin/ladvd from 'read' accesses on the file /etc/passwd.
Summary: SELinux is preventing /usr/sbin/ladvd from 'read' accesses on the file /etc/p...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: ladvd
Version: 18
Hardware: i686
OS: Unspecified
Target Milestone: ---
Assignee: Andreas Thienemann
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:6c712bfd7707a83375d4343e530...
Depends On:
Blocks:
 
Reported: 2013-06-19 16:48 UTC by vikram goyal
Modified: 2013-12-21 16:30 UTC (History)

Fixed In Version: ladvd-1.0.4-4.fc18
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-21 16:30:42 UTC
Type: ---


Attachments
This patch should fix all of the SELinux issues. (5.33 KB, patch) 2013-09-16 14:03 UTC, Daniel Walsh

Description vikram goyal 2013-06-19 16:48:30 UTC
Description of problem:
I don't have any inputs as I have not been using it explicitly. My setup is a simple single computer with DSL.
SELinux is preventing /usr/sbin/ladvd from 'read' accesses on the file /etc/passwd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that ladvd should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ladvd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ladvd_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        ladvd
Source Path                   /usr/sbin/ladvd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ladvd-1.0.4-2.fc18.i686
Target RPM Packages           setup-2.8.57-1.fc18.noarch
Policy RPM                    selinux-policy-3.11.1-97.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.5-201.fc18.i686 #1 SMP Tue Jun
                              11 20:33:48 UTC 2013 i686 i686
Alert Count                   16
First Seen                    2013-05-19 17:21:10 IST
Last Seen                     2013-06-20 01:04:40 IST
Local ID                      a00ecba3-7fb6-4ac1-9928-ef6d1cfe04fe

Raw Audit Messages
type=AVC msg=audit(1371670480.996:25): avc:  denied  { read } for  pid=687 comm="ladvd" name="passwd" dev="sda3" ino=2091098 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


type=SYSCALL msg=audit(1371670480.996:25): arch=i386 syscall=open success=no exit=EACCES a0=b7453ef5 a1=80000 a2=1b6 a3=b96ace40 items=0 ppid=1 pid=687 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=ladvd exe=/usr/sbin/ladvd subj=system_u:system_r:ladvd_t:s0 key=(null)

Hash: ladvd,ladvd_t,passwd_file_t,file,read

audit2allow

#============= ladvd_t ==============
allow ladvd_t passwd_file_t:file read;

audit2allow -R
require {
	type ladvd_t;
}

#============= ladvd_t ==============
auth_read_passwd(ladvd_t)


Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.5-201.fc18.i686
type:           libreport

Comment 1 Daniel Walsh 2013-06-19 19:33:56 UTC
Looks like ladvd policy needs to be updated.

Comment 2 Fedora Update System 2013-07-01 12:03:18 UTC
ladvd-1.0.4-3.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/ladvd-1.0.4-3.fc18

Comment 3 Fedora Update System 2013-07-02 00:35:26 UTC
Package ladvd-1.0.4-3.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ladvd-1.0.4-3.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-12137/ladvd-1.0.4-3.fc18
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2013-07-11 02:27:55 UTC
ladvd-1.0.4-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Glen Turner 2013-07-27 01:11:54 UTC
Problem still persists.

$ rpm -q ladvd
ladvd-1.0.4-3.fc19.x86_64
$ rpm -q ladvd-selinux
ladvd-selinux-1.0.4-3.fc19.x86_64

ladvd lacks read and open permissions on /etc/passwd.

Adding these in a local SELinux policy uncovers many other AVC denials. Looking in the SRPM at ladvd.te I don't see these listed in the policy.

Comment 6 Tomasz Torcz 2013-07-27 18:45:39 UTC
Let's reopen this. I will investigate.

Comment 7 Miroslav Grepl 2013-07-29 09:01:28 UTC
Could you attach AVC msgs?

Comment 8 Tomasz Torcz 2013-08-21 12:42:36 UTC
It turns out ladvd generates quite a lot of access violations, and won't start in enforcing mode. It happens during host information gathering, but access to ladvd's socket is also denied.

Miroslav, could you help in getting ladvd's policy in shape in a secure fashion?

type=AVC msg=audit(1377088647.155:264243): avc:  denied  { execute } for  pid=17298 comm="ladvd" name="lsb_release" dev="dm-0" ino=527751 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1377088647.156:264244): avc:  denied  { open } for  pid=17297 comm="ladvd" path="/etc/resolv.conf" dev="dm-0" ino=141233 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1377088647.156:264245): avc:  denied  { open } for  pid=17297 comm="ladvd" path="/etc/hosts" dev="dm-0" ino=141308 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1377088647.156:264246): avc:  denied  { connect } for  pid=17297 comm="ladvd" scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=udp_socket
type=AVC msg=audit(1377088647.156:264247): avc:  denied  { connect } for  pid=17297 comm="ladvd" scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=udp_socket
type=AVC msg=audit(1377088647.156:264248): avc:  denied  { connect } for  pid=17297 comm="ladvd" scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=udp_socket
type=AVC msg=audit(1377088647.156:264249): avc:  denied  { connect } for  pid=17297 comm="ladvd" scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=udp_socket
type=AVC msg=audit(1377088647.156:264250): avc:  denied  { open } for  pid=17297 comm="ladvd" path="/sys/devices/virtual/dmi/id/product_version" dev="sysfs" ino=175 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1377088647.156:264251): avc:  denied  { open } for  pid=17297 comm="ladvd" path="/sys/devices/virtual/dmi/id/bios_version" dev="sysfs" ino=171 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1377088647.156:264252): avc:  denied  { open } for  pid=17297 comm="ladvd" path="/sys/devices/virtual/dmi/id/product_serial" dev="sysfs" ino=176 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1377088647.156:264253): avc:  denied  { open } for  pid=17297 comm="ladvd" path="/sys/devices/virtual/dmi/id/sys_vendor" dev="sysfs" ino=173 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1377088647.156:264254): avc:  denied  { open } for  pid=17297 comm="ladvd" path="/sys/devices/virtual/dmi/id/product_name" dev="sysfs" ino=174 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1377088647.156:264255): avc:  denied  { net_admin } for  pid=17297 comm="ladvd" capability=12  scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=capability
type=AVC msg=audit(1377088647.156:264255): avc:  denied  { net_admin } for  pid=17297 comm="ladvd" capability=12  scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=capability
type=AVC msg=audit(1377088647.156:264255): avc:  denied  { net_admin } for  pid=17297 comm="ladvd" capability=12  scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=capability
type=AVC msg=audit(1377088647.156:264255): avc:  denied  { net_admin } for  pid=17297 comm="ladvd" capability=12  scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=capability
type=AVC msg=audit(1377088647.156:264255): avc:  denied  { open } for  pid=17297 comm="ladvd" path="/proc/sys/net/ipv4/conf/all/forwarding" dev="proc" ino=69149548 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1377088647.156:264256): avc:  denied  { net_admin } for  pid=17297 comm="ladvd" capability=12  scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=capability
type=AVC msg=audit(1377088647.156:264256): avc:  denied  { net_admin } for  pid=17297 comm="ladvd" capability=12  scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=capability
type=AVC msg=audit(1377088647.156:264256): avc:  denied  { net_admin } for  pid=17297 comm="ladvd" capability=12  scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=capability
type=AVC msg=audit(1377088647.156:264256): avc:  denied  { net_admin } for  pid=17297 comm="ladvd" capability=12  scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=capability
type=AVC msg=audit(1377088647.156:264256): avc:  denied  { open } for  pid=17297 comm="ladvd" path="/proc/sys/net/ipv6/conf/all/forwarding" dev="proc" ino=68510927 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1377088647.156:264257): avc:  denied  { create } for  pid=17299 comm="ladvd" name="ladvd.sock" scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1377088647.156:264258): avc:  denied  { setpcap } for  pid=17297 comm="ladvd" capability=8  scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=capability
type=AVC msg=audit(1377088647.156:264259): avc:  denied  { setcap } for  pid=17297 comm="ladvd" scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=process
type=AVC msg=audit(1377088647.156:264260): avc:  denied  { signal } for  pid=17297 comm="ladvd" scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:system_r:ladvd_t:s0 tclass=process

Comment 9 Daniel Walsh 2013-09-16 14:03:00 UTC
Created attachment 798291 [details]
This patch should fix all of the SELinux issues.

Comment 10 Fedora Update System 2013-09-17 09:04:04 UTC
ladvd-1.0.4-4.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/ladvd-1.0.4-4.fc18

Comment 11 Fedora Update System 2013-09-18 13:01:18 UTC
Package ladvd-1.0.4-4.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ladvd-1.0.4-4.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17005/ladvd-1.0.4-4.fc18
then log in and leave karma (feedback).

Comment 12 Fedora Update System 2013-10-01 02:04:43 UTC
ladvd-1.0.4-4.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Glen Turner 2013-10-09 12:46:37 UTC
Not all SELinux denies appear to have been found.

# yum update
# shutdown -r now
$ cat /etc/redhat-release 
Fedora release 19 (Schrödinger’s Cat)

$ rpm -q ladvd ladvd-selinux
ladvd-1.0.4-4.fc19.x86_64
ladvd-selinux-1.0.4-4.fc19.x86_64

# systemctl start ladvd

# tail -f /var/log/messages
Oct  9 23:10:46 andromache systemd[1]: Starting uses CDP / LLDP frames to inform switches about connected hosts...
Oct  9 23:10:48 andromache systemd[1]: Started uses CDP / LLDP frames to inform switches about connected hosts.
Oct  9 23:10:48 andromache ladvd[1695]: ladvd 1.0.4 running
Oct  9 23:10:54 andromache ladvd[1695]: new peer neotokyo (CDP) on interface em1
Oct  9 23:10:54 andromache ladvd[1695]: ifdescr ioctl failed on em1
Oct  9 23:10:54 andromache ladvd[1695]: enabling CDP on interface em1
Oct  9 23:10:54 andromache dbus-daemon[301]: dbus[301]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Oct  9 23:10:54 andromache dbus[301]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Oct  9 23:10:57 andromache dbus[301]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Oct  9 23:10:57 andromache dbus-daemon[301]: dbus[301]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Oct  9 23:11:01 andromache ladvd[1695]: new peer adl-off-sw3 (LLDP) on interface em1
Oct  9 23:11:01 andromache ladvd[1695]: ifdescr ioctl failed on em1
Oct  9 23:11:01 andromache ladvd[1695]: enabling LLDP on interface em1
Oct  9 23:11:07 andromache setroubleshoot: SELinux is preventing /usr/sbin/ladvd from write access on the file ifalias. For complete SELinux messages. run sealert -l 1915b2e0-94dd-4e7d-b8c0-d4395447f05c
Oct  9 23:11:08 andromache setroubleshoot: SELinux is preventing /usr/sbin/ladvd from write access on the file ifalias. For complete SELinux messages. run sealert -l 1915b2e0-94dd-4e7d-b8c0-d4395447f05c

# systemctl stop ladvd

# sealert -l 1915b2e0-94dd-4e7d-b8c0-d4395447f05c
SELinux is preventing /usr/sbin/ladvd from write access on the file ifalias.
*****  Plugin catchall (100. confidence) suggests  ***************************
If you believe that ladvd should be allowed write access on the ifalias file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ladvd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context                system_u:system_r:ladvd_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                ifalias [ file ]
Source                        ladvd
Source Path                   /usr/sbin/ladvd
Port                          <Unknown>
Host                          andromache###CENSORED###
Source RPM Packages           ladvd-1.0.4-4.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.8.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     andromache.adelaide.aarnet.edu.au
Platform                      Linux andromache.adelaide.aarnet.edu.au
                              3.11.3-201.fc19.x86_64 #1 SMP Thu Oct 3 00:47:03
                              UTC 2013 x86_64 x86_64
Alert Count                   28
First Seen                    2013-10-09 23:04:54 CST
Last Seen                     2013-10-09 23:12:24 CST
Local ID                      1915b2e0-94dd-4e7d-b8c0-d4395447f05c
Raw Audit Messages
type=AVC msg=audit(1381322544.475:553): avc:  denied  { write } for  pid=1695 comm="ladvd" name="ifalias" dev="sysfs" ino=14176 scontext=system_u:system_r:ladvd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SYSCALL msg=audit(1381322544.475:553): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff2f8333c0 a1=201 a2=14 a3=3 items=0 ppid=1 pid=1695 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=ladvd exe=/usr/sbin/ladvd subj=system_u:system_r:ladvd_t:s0 key=(null)
Hash: ladvd,ladvd_t,sysfs_t,file,write

Comment 14 Glen Turner 2013-10-09 12:51:32 UTC
The desire to write to that file appears to be related to the use of the "-z" option with ladvd.

$ cat /usr/lib/systemd/system/ladvd.service
...
[Service]
ExecStart=/usr/sbin/ladvd -f -a -z
...

$ man ladvd
...
   -z   Save  received  peer  information  in   interface   descriptions
        (requires  SIOCSIFDESCR  support)  or Linux ifAliases.
...

Comment 15 Glen Turner 2013-10-09 12:56:01 UTC
It seems to me that "-z" requires a level of trust in the partner interface which should not be assumed by default.

That is, a SELinux boolean, defaulting to off, seems necessary.

Furthermore "-z" should be removed from the as-shipped start options.

Comment 16 Tomasz Torcz 2013-10-09 13:00:17 UTC
I will try to add boolean, but my selinux-fu isn't the strongest.

I will not remove "-z", though. It's a useful default and yours is the first objection to it in nearly two years since https://lists.fedoraproject.org/pipermail/devel/2012-January/161543.html
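As an added illustration of the boolean proposed in comments 15 and 16 (this is example policy, not the ladvd-selinux package's own ladvd.te): a local module that keeps ladvd's read access to sysfs unconditional and gates the ifalias write, which comment 13 shows landing on sysfs_t, behind a tunable that defaults to off. The module name ladvd_local and the boolean name ladvd_write_ifalias are assumed; dev_read_sysfs and dev_rw_sysfs are the reference-policy interfaces for sysfs_t.

```selinux
policy_module(ladvd_local, 1.0)

## <desc>
## <p>Allow ladvd to store received peer information in interface
## aliases (the -z option). This writes peer-supplied data to sysfs,
## so it is off unless the administrator trusts the attached switch.</p>
## </desc>
gen_tunable(ladvd_write_ifalias, false)

require {
	type ladvd_t;
}

# Unconditional: reading DMI and interface data from sysfs is needed
# for the host information ladvd advertises (see the AVCs in comment 8).
dev_read_sysfs(ladvd_t)

# Conditional: writing ifalias (tcontext sysfs_t, comment 13) is only
# granted when the boolean is turned on; otherwise the denial remains.
tunable_policy(`ladvd_write_ifalias', `
	dev_rw_sysfs(ladvd_t)
')
```

Build with make -f /usr/share/selinux/devel/Makefile ladvd_local.pp, load with semodule -i ladvd_local.pp, and enable the write only on trusted segments with setsebool -P ladvd_write_ifalias on.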

Comment 17 Glen Turner 2013-10-09 13:30:25 UTC
"-z" increases risk. The option allows remote exploitation of flaws in the ifalias or SIOCSIFDESCR mechanism. Such flaws wouldn't otherwise be remotely exploitable, as they would be limited to those already with root access on the local machine.

Even without a flaw to exploit the mechanism allows vandalism (eg: the partner interface setting the interface description to rude words).

I am arguing that "-z" is useful in networks where the partner interface can be trusted; and arguing that this trust should not be assumed by the as-shipped setting (ie, systems should ship secure by default).

"...yours is first objection to it in nearly two years". If I had seen this e-mail two years ago I would have objected then. The statement highlights the necessary paucity of communications in large projects; it is not a justification for retaining the option as the shipped default.

Comment 18 Fedora End Of Life 2013-12-21 15:33:51 UTC
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be
able to fix it before Fedora 18 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 19 Tomasz Torcz 2013-12-21 16:30:42 UTC
Sorry, forgot about this bug. I decided against creating new sebool and to retain current functionality.
