Bug 985526 - ip link show hangs when rtnl_send fails
Summary: ip link show hangs when rtnl_send fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: iproute
Version: 6.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Petr Šabata
QA Contact: David Spurek
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-07-17 16:49 UTC by Andy Grimm
Modified: 2016-11-08 03:47 UTC (History)

Fixed In Version: iproute-2.6.32-24.el6
Doc Type: Bug Fix
Doc Text:
Cause: The ip utility was mishandling netlink communication, which could cause hangs under certain circumstances. Consequence: Listing network devices with 'ip link show' hangs in a SELinux restricted mode. Fix: The ip utility now checks for the result of rtnl_send() before waiting for a reply, avoiding an indefinite hang. Result: It is now possible to list network devices in a SELinux restricted environment.
Clone Of:
: 996537 1040454 (view as bug list)
Environment:
Last Closed: 2013-11-21 23:07:03 UTC
Target Upstream Version:
Embargoed:


Attachments
patch from andy to fix the issue (463 bytes, patch)
2013-08-06 20:23 UTC, Michael S.


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1697 0 normal SHIPPED_LIVE iproute bug fix and enhancement update 2013-11-21 00:39:29 UTC

Description Andy Grimm 2013-07-17 16:49:20 UTC
Description of problem:

Inside an OpenShift gear, there are various restrictions on a user's access to network interfaces, addresses and ports.  One of these restrictions causes "ip link show" to hang.

Version-Release number of selected component (if applicable):

iproute-2.6.32-23.el6.x86_64

How reproducible:

Always (in OpenShift)

Steps to Reproduce:
1. Create an OpenShift app
2. rhc ssh <appname>
3. run "ip link show lo"

Actual results:

The command hangs until you kill it.

Expected results:

It should not hang

Additional info:

I did an strace and found this happening:

bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
getsockname(3, {sa_family=AF_NETLINK, pid=32592, groups=00000000}, [12]) = 0
gettimeofday({1374074067, 433784}, NULL) = 0
sendto(3, " \0\0\0\20\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 32, 0, NULL, 0) = -1 EACCES (Permission denied)
recvmsg(3, ^C <unfinished ...>

so I did a debug build inside my openshift gear, and tracked it down to this bit of code in iplink.c at line 160:

rtnl_send(&rth, (char *)&req.n, req.n.nlmsg_len);
rtnl_listen(&rth, accept_msg, NULL);

If I change this to:

if (rtnl_send(&rth, (char *)&req.n, req.n.nlmsg_len) == 0)
    rtnl_listen(&rth, accept_msg, NULL);

then the issue is resolved.

Comment 2 Petr Šabata 2013-07-18 09:47:46 UTC
Yes, that seems reasonable.

Comment 3 Michael S. 2013-08-06 07:38:24 UTC
This bug also happens on F19, when running SELinux with a confined user. So this blocked facter and ansible on my workstation.

The exact AVC :
type=AVC msg=audit(1375773208.329:1511): avc:  denied  { nlmsg_write } for  pid=4256 comm="ip" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=netlink_route_socket

Should the bug be cloned for F19 ?

Comment 4 Michael S. 2013-08-06 18:18:36 UTC
To reproduce ( on F19, but should work equally on RHEL 6 ), add your current user ( or create a new one ) in a confined domain (make sure that you have a root shell opened somewhere or you know how to disable selinux in case you lock yourself out ) : 

$ sudo semanage login -a -s staff_u -r 's0-s0:c0.c1023' $(id -un)

logout ( or login in another tty )

check that you are running a restricted user id:
$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c102c

check that you are running in enforcing mode:
$ getenforce
Enforcing

run:
$ ip link show em1

and wait

I am building an updated package with the proper patch to see if the issue is fixed.

Comment 5 Michael S. 2013-08-06 20:23:09 UTC
And I can say the following patch works

Comment 6 Michael S. 2013-08-06 20:23:52 UTC
Created attachment 783495
patch from andy to fix the issue

Comment 7 Petr Šabata 2013-08-13 11:36:00 UTC
Thanks, Michael!

True, this should be cloned for F19 as well.  I'll do that.

Comment 9 Petr Šabata 2013-08-13 16:17:40 UTC
Pushed as iproute-2.6.32-24.el6.

Comment 11 Andy Grimm 2013-08-14 16:35:05 UTC
I have confirmed that the new build resolves my issue in OpenShift.

Comment 12 Petr Šabata 2013-08-16 13:07:41 UTC
Thank you, Andy.

Comment 15 errata-xmlrpc 2013-11-21 23:07:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1697.html

Comment 16 Andrew Vagin 2013-12-10 11:28:44 UTC
int rtnl_send(struct rtnl_handle *rth, const char *buf, int len)
{               
        return send(rth->fd, buf, len, 0);
} 

"send"  returns  the  number of characters sent.

Are you sure that this patch is correct?

It doesn't work for me.
-bash-4.1# ip link set up dev venet0
RTNETLINK answers: Operation not supported
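
Added example (not part of the bug thread and not iproute code): a small C program comparing the "== 0" guard from the description with a ">= 0" guard, for one accepted and one rejected send(). It assumes rtnl_send() returns send()'s result unchanged, as in the snippet quoted in Comment 16; demo_send, waits_if_zero, waits_if_sent and send_result are hypothetical names, the request bytes are constructed, and the rejection is simulated with shutdown() on a local socket pair, so errno is EPIPE rather than the EACCES seen in the strace.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical stand-in for rtnl_send(): hands back send()'s result as-is. */
int demo_send(int fd, const char *buf, int len)
{
    return (int)send(fd, buf, (size_t)len, MSG_NOSIGNAL);
}

/* Guard as written in the description: wait only when the result is 0. */
int waits_if_zero(int rc) { return rc == 0; }

/* Guard matching send(): -1 is failure, any other value is bytes sent. */
int waits_if_sent(int rc) { return rc >= 0; }

/* Send one constructed 32-byte request over a local socket pair and return
 * what send() reported. With reject set, the write side is shut down first,
 * so send() fails with -1 as it does for the denied request in the strace. */
int send_result(int reject)
{
    int sv[2], rc;
    char req[32];

    memset(req, 0, sizeof(req));
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -2;                     /* could not set up the demo */
    if (reject)
        shutdown(sv[0], SHUT_WR);
    rc = demo_send(sv[0], req, (int)sizeof(req));
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    int ok = send_result(0), denied = send_result(1);

    printf("accepted: rc=%d, '== 0' waits: %d, '>= 0' waits: %d\n",
           ok, waits_if_zero(ok), waits_if_sent(ok));
    printf("rejected: rc=%d, '== 0' waits: %d, '>= 0' waits: %d\n",
           denied, waits_if_zero(denied), waits_if_sent(denied));
    return 0;
}
```

With the "== 0" guard neither case waits for a reply: the hang on a rejected request goes away, but the reply to an accepted request is never read either. The ">= 0" guard waits only when the request was actually sent.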

