Bug 985526 - ip link show hangs when rtnl_send fails
ip link show hangs when rtnl_send fails
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: iproute (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Petr Šabata
David Spurek
: Patch
Depends On:
  Show dependency treegraph
Reported: 2013-07-17 12:49 EDT by Andy Grimm
Modified: 2016-11-07 22:47 EST (History)
8 users (show)

See Also:
Fixed In Version: iproute-2.6.32-24.el6
Doc Type: Bug Fix
Doc Text:
Cause: The ip utility was mishandling netlink communication, which could cause hangs under certain cirtumstances. Consequence: Listing network devices with 'ip link show' hangs in a SELinux restricted mode. Fix: The ip utility now checks for the result of rtnl_send() before waiting for a reply, avoiding an indefinite hang. Result: It is now possible to list network devices in a SELinux restricted environment.
Story Points: ---
Clone Of:
: 996537 1040454 (view as bug list)
Last Closed: 2013-11-21 18:07:03 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
patch from andy to fix the issue (463 bytes, patch)
2013-08-06 16:23 EDT, Michael Scherer
no flags Details | Diff

  None (edit)
Description Andy Grimm 2013-07-17 12:49:20 EDT
Description of problem:

Inside an OpenShift gears, there are various restrictions on a user's access to network interfaces, addresses and ports.  One of these restrictions causes "ip link show" to hang.

Version-Release number of selected component (if applicable):


How reproducible:

Always (in OpenShift)

Steps to Reproduce:
1. Create an OpenShift app
2. rhc ssh <appname>
3. run "ip link show lo"

Actual results:

The command hangs until you kill it.

Expected results:

It should not hang

Additional info:

I did an strace and found this happening:

bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
getsockname(3, {sa_family=AF_NETLINK, pid=32592, groups=00000000}, [12]) = 0
gettimeofday({1374074067, 433784}, NULL) = 0
sendto(3, " \0\0\0\20\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 32, 0, NULL, 0) = -1 EACCES (Permission denied)
recvmsg(3, ^C <unfinished ...>

so I did a debug build inside my openshift gear, and tracked it down to this bit of code in iplink.c at line 160:

rtnl_send(&rth, (char *)&req.n, req.n.nlmsg_len);
rtnl_listen(&rth, accept_msg, NULL);

If I change this to:

if (rtnl_send(&rth, (char *)&req.n, req.n.nlmsg_len) == 0)
    rtnl_listen(&rth, accept_msg, NULL);

then the issue is resolved.
Comment 2 Petr Šabata 2013-07-18 05:47:46 EDT
Yes, that seems reasonable.
Comment 3 Michael Scherer 2013-08-06 03:38:24 EDT
This bug also happen on F19, when running selinux with a confined user. So this blocked facter and ansible on my work station. 

The exact AVC :
type=AVC msg=audit(1375773208.329:1511): avc:  denied  { nlmsg_write } for  pid=4256 comm="ip" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=netlink_route_socket

Should the bug be cloned for F19 ?
Comment 4 Michael Scherer 2013-08-06 14:18:36 EDT
To reproduce ( on F19, but should work equally on RHEL 6 ), add your current user ( or create a new one ) in a confined domain (make sure that you have a root shell opened somewhere or you know how to disable selinux in case you lock yourself out ) : 

$ sudo semanage login -a -s staff_u -r 's0-s0:c0.c1023' $(id -un)

logout ( or login in another tty )

check that you are running a restricted user id:
$ id -Z

check that you are running in enforcing mode:
$ getenforce

$ ip link show em1

and wait

I am building a updated package with the proper patch to see if the issue is fixed.
Comment 5 Michael Scherer 2013-08-06 16:23:09 EDT
And i can say the following patch work
Comment 6 Michael Scherer 2013-08-06 16:23:52 EDT
Created attachment 783495 [details]
patch from andy to fix the issue
Comment 7 Petr Šabata 2013-08-13 07:36:00 EDT
Thanks, Michael!

True, this should be cloned for F19 as well.  I'll do that.
Comment 9 Petr Šabata 2013-08-13 12:17:40 EDT
Pushed as iproute-2.6.32-24.el6.
Comment 11 Andy Grimm 2013-08-14 12:35:05 EDT
I have confirmed that the new build resolves my issue in OpenShift.
Comment 12 Petr Šabata 2013-08-16 09:07:41 EDT
Thank you, Andy.
Comment 15 errata-xmlrpc 2013-11-21 18:07:03 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

Comment 16 Andrew Vagin 2013-12-10 06:28:44 EST
int rtnl_send(struct rtnl_handle *rth, const char *buf, int len)
        return send(rth->fd, buf, len, 0);

"send"  returns  the  number of characters sent.

Are you sure that this patch is correct?

It doesn't work for me.
-bash-4.1# ip link set up dev venet0
RTNETLINK answers: Operation not supported

Note You need to log in before you can comment on or make changes to this bug.