Bug 985526 - ip link show hangs when rtnl_send fails
Summary: ip link show hangs when rtnl_send fails
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: iproute
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Petr Šabata
QA Contact: David Spurek
URL: https://bugzilla.redhat.com/show_bug....
Depends On:
TreeView+ depends on / blocked
Reported: 2013-07-17 16:49 UTC by Andy Grimm
Modified: 2016-11-08 03:47 UTC (History)
8 users (show)

Fixed In Version: iproute-2.6.32-24.el6
Doc Type: Bug Fix
Doc Text:
Cause: The ip utility was mishandling netlink communication, which could cause hangs under certain cirtumstances. Consequence: Listing network devices with 'ip link show' hangs in a SELinux restricted mode. Fix: The ip utility now checks for the result of rtnl_send() before waiting for a reply, avoiding an indefinite hang. Result: It is now possible to list network devices in a SELinux restricted environment.
Clone Of:
: 996537 1040454 (view as bug list)
Last Closed: 2013-11-21 23:07:03 UTC

Attachments (Terms of Use)
patch from andy to fix the issue (463 bytes, patch)
2013-08-06 20:23 UTC, Michael S.
no flags Details | Diff

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1697 normal SHIPPED_LIVE iproute bug fix and enhancement update 2013-11-21 00:39:29 UTC

Description Andy Grimm 2013-07-17 16:49:20 UTC
Description of problem:

Inside an OpenShift gears, there are various restrictions on a user's access to network interfaces, addresses and ports.  One of these restrictions causes "ip link show" to hang.

Version-Release number of selected component (if applicable):


How reproducible:

Always (in OpenShift)

Steps to Reproduce:
1. Create an OpenShift app
2. rhc ssh <appname>
3. run "ip link show lo"

Actual results:

The command hangs until you kill it.

Expected results:

It should not hang

Additional info:

I did an strace and found this happening:

bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
getsockname(3, {sa_family=AF_NETLINK, pid=32592, groups=00000000}, [12]) = 0
gettimeofday({1374074067, 433784}, NULL) = 0
sendto(3, " \0\0\0\20\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 32, 0, NULL, 0) = -1 EACCES (Permission denied)
recvmsg(3, ^C <unfinished ...>

so I did a debug build inside my openshift gear, and tracked it down to this bit of code in iplink.c at line 160:

rtnl_send(&rth, (char *)&req.n, req.n.nlmsg_len);
rtnl_listen(&rth, accept_msg, NULL);

If I change this to:

if (rtnl_send(&rth, (char *)&req.n, req.n.nlmsg_len) == 0)
    rtnl_listen(&rth, accept_msg, NULL);

then the issue is resolved.

Comment 2 Petr Šabata 2013-07-18 09:47:46 UTC
Yes, that seems reasonable.

Comment 3 Michael S. 2013-08-06 07:38:24 UTC
This bug also happen on F19, when running selinux with a confined user. So this blocked facter and ansible on my work station. 

The exact AVC :
type=AVC msg=audit(1375773208.329:1511): avc:  denied  { nlmsg_write } for  pid=4256 comm="ip" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=netlink_route_socket

Should the bug be cloned for F19 ?

Comment 4 Michael S. 2013-08-06 18:18:36 UTC
To reproduce ( on F19, but should work equally on RHEL 6 ), add your current user ( or create a new one ) in a confined domain (make sure that you have a root shell opened somewhere or you know how to disable selinux in case you lock yourself out ) : 

$ sudo semanage login -a -s staff_u -r 's0-s0:c0.c1023' $(id -un)

logout ( or login in another tty )

check that you are running a restricted user id:
$ id -Z

check that you are running in enforcing mode:
$ getenforce

$ ip link show em1

and wait

I am building a updated package with the proper patch to see if the issue is fixed.

Comment 5 Michael S. 2013-08-06 20:23:09 UTC
And i can say the following patch work

Comment 6 Michael S. 2013-08-06 20:23:52 UTC
Created attachment 783495 [details]
patch from andy to fix the issue

Comment 7 Petr Šabata 2013-08-13 11:36:00 UTC
Thanks, Michael!

True, this should be cloned for F19 as well.  I'll do that.

Comment 9 Petr Šabata 2013-08-13 16:17:40 UTC
Pushed as iproute-2.6.32-24.el6.

Comment 11 Andy Grimm 2013-08-14 16:35:05 UTC
I have confirmed that the new build resolves my issue in OpenShift.

Comment 12 Petr Šabata 2013-08-16 13:07:41 UTC
Thank you, Andy.

Comment 15 errata-xmlrpc 2013-11-21 23:07:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Comment 16 Andrew Vagin 2013-12-10 11:28:44 UTC
int rtnl_send(struct rtnl_handle *rth, const char *buf, int len)
        return send(rth->fd, buf, len, 0);

"send"  returns  the  number of characters sent.

Are you sure that this patch is correct?

It doesn't work for me.
-bash-4.1# ip link set up dev venet0
RTNETLINK answers: Operation not supported

Note You need to log in before you can comment on or make changes to this bug.