Bug 996670 - network service cannot create tap devices during boot
Status: CLOSED ERRATA
Product: Fedora
Component: selinux-policy-targeted
Version: 19
Assigned To: Miroslav Grepl
Ben Levenson
Reported: 2013-08-13 12:21 EDT by Lars Kellogg-Stedman
Modified: 2013-08-21 20:55 EDT
Fixed In Version: selinux-policy-3.12.1-71.fc19
Doc Type: Bug Fix
Last Closed: 2013-08-21 20:55:18 EDT
Type: Bug

Description Lars Kellogg-Stedman 2013-08-13 12:21:52 EDT
Description of problem:

I would like to provision a tap device at boot.  I have configured /etc/sysconfig/network-scripts/ifcfg-tap0 like this:

DEVICE="tap0"
TYPE=Tap
BRIDGE=br0
NM_CONTROLLED="no"
BOOTPROTO="none"
ONBOOT="yes"
OWNER=openvpn

With selinux in enforcing mode this does not come up at boot, and the following AVC is logged:

type=AVC msg=audit(1376408921.417:1199): avc:  denied  { relabelfrom } for  pid=1912 comm="ip" scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tun_socket
type=AVC msg=audit(1376408963.758:9): avc:  denied  { create } for  pid=368 comm="ip" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=tun_socket
type=AVC msg=audit(1376409394.827:7): avc:  denied  { create } for  pid=367 comm="ip" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=tun_socket
type=AVC msg=audit(1376409530.983:605): avc:  denied  { relabelfrom } for  pid=1421 comm="ip" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=tun_socket
type=AVC msg=audit(1376409530.983:605): avc:  denied  { relabelto } for  pid=1421 comm="ip" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=tun_socket


Version-Release number of selected component (if applicable):

Fedora 19, selinux-policy-targeted-3.12.1-69.fc19.noarch

I've corrected this locally by loading in the following selinux policy module, generated with audit2allow:

module tuntap 1.0;

require {
	type ifconfig_t;
	type unconfined_t;
	class tun_socket { relabelfrom relabelto create };
}

#============= ifconfig_t ==============
allow ifconfig_t self:tun_socket { relabelfrom relabelto create };
allow ifconfig_t unconfined_t:tun_socket relabelfrom;

But it seems as if this should work out of the box.
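An added example (not from the report or from the selinux-policy project) showing how the allow rules above are derived from the AVC records: it parses the denials quoted in the description, groups the denied permissions per (source, target, class) the way audit2allow does, and separately lists target types that differ from the source domain, which is the check that flags the unconfined_t line the comments call anomalous.

```python
import re
from collections import defaultdict

# Sample input: the AVC records quoted in this bug report (constructed here as
# a string; the first line is the one with the unexpected unconfined_t target).
AVC_LINES = """\
type=AVC msg=audit(1376408921.417:1199): avc:  denied  { relabelfrom } for  pid=1912 comm="ip" scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=tun_socket
type=AVC msg=audit(1376408963.758:9): avc:  denied  { create } for  pid=368 comm="ip" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=tun_socket
type=AVC msg=audit(1376409530.983:605): avc:  denied  { relabelfrom } for  pid=1421 comm="ip" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=tun_socket
type=AVC msg=audit(1376409530.983:605): avc:  denied  { relabelto } for  pid=1421 comm="ip" scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=tun_socket
"""

# Permissions inside the braces, then the three context fields of the record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Return the type field (third colon-separated component) of an SELinux context."""
    return ctx.split(":")[2]

def parse_avc(text):
    """Yield (source_type, target_type, tclass, perm) for every denied permission."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        src = context_type(m.group("scontext"))
        tgt = context_type(m.group("tcontext"))
        for perm in m.group("perms").split():
            yield src, tgt, m.group("tclass"), perm

def summarize(text):
    """Group denied permissions by (source, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for src, tgt, cls, perm in parse_avc(text):
        rules[(src, tgt, cls)].add(perm)
    return rules

def allow_rules(text):
    """Render the summary as policy allow rules, using 'self' when source == target."""
    out = []
    for (src, tgt, cls), perms in sorted(summarize(text).items()):
        target = "self" if src == tgt else tgt
        perm_str = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        out.append(f"allow {src} {target}:{cls} {perm_str};")
    return out

def foreign_targets(text):
    """Target types that differ from the source domain: review these before allowing them."""
    return {tgt for src, tgt, _, _ in parse_avc(text) if tgt != src}
```

Rules naming a foreign target (here unconfined_t) deserve investigation of where that label came from rather than a blanket allow.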
Comment 1 Daniel Walsh 2013-08-13 18:26:21 EDT
At boot where does the unconfined_t come from?
Comment 2 Daniel Walsh 2013-08-13 18:28:19 EDT
b0a11fb4f15e9c11774e4a205331bd5f37dad75d allows ifconfig_t to manage and relabel sockets in git.
Comment 3 Lars Kellogg-Stedman 2013-08-13 19:11:43 EDT
Dan:

I'm not sure where the unconfined_t comes from. I guess that's part of the question.  How would I figure this out? I'm assuming that it's something ultimately descended from /etc/init.d/network via network.service.

What repository is that commit from?  I assumed git://pkgs.fedoraproject.org/selinux-policy.git but the object doesn't exist there.
Comment 4 Daniel Walsh 2013-08-14 08:19:02 EDT
I would figure at some time you ran some scripts that did not transition, or this could have happened from an install or something.


I pushed it to 

ssh://git.fedorahosted.org/git/selinux-policy.git

Do you get the unconfined_t on every boot?
Comment 5 Lars Kellogg-Stedman 2013-08-14 10:11:30 EDT
You're right; the unconfined_t looks anomalous.  I only get the AVC for ifconfig_t on every boot.  I'll try out the updated policy this afternoon.
Comment 6 Daniel Walsh 2013-08-14 11:04:34 EDT
Miroslav will probably push early next week.
Comment 7 Fedora Update System 2013-08-20 04:28:36 EDT
selinux-policy-3.12.1-71.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-71.fc19
Comment 8 Fedora Update System 2013-08-20 20:17:26 EDT
Package selinux-policy-3.12.1-71.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-71.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15088/selinux-policy-3.12.1-71.fc19
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2013-08-21 20:55:18 EDT
selinux-policy-3.12.1-71.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.