Bug 161070 - SELinux blocks changing MAC address
Summary: SELinux blocks changing MAC address
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-06-20 12:31 UTC by Dawid Gajownik
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-08-05 20:48:12 UTC



Description Dawid Gajownik 2005-06-20 12:31:54 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b) Gecko/20050217

Description of problem:
SELinux blocks changing the MAC address. I set up a new MAC address via the MACADDR option in /etc/sysconfig/network-scripts/ifcfg-eth0 and reloaded the network service. The MAC address did not change.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.16-6

How reproducible:
Always

Steps to Reproduce:
[root@X ~]# service network restart
Wyłączanie interfejsu eth0:                                [  OK  ]
Zatrzymywanie interfejsu sieciowego loopback:              [  OK  ]
Podnoszenie interfejsu loopback:                           [  OK  ]
Podnoszenie interfejsu eth0:  socket(PF_PACKET): Permission denied
                                                           [  OK  ]

(which means "Shutting down interface eth0" and "Bringing up interface eth0"; unfortunately, "export LANG=C" does not work, so the messages are written in the system locale)
[root@X ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:40:F4:31:84:93
          inet addr:192.168.0.8  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:57 errors:0 dropped:0 overruns:0 frame:0
          TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8533 (8.3 KiB)  TX bytes:4207 (4.1 KiB)
          Interrupt:11 Base address:0xd000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:301 errors:0 dropped:0 overruns:0 frame:0
          TX packets:301 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10442 (10.1 KiB)  TX bytes:10442 (10.1 KiB)

(MAC address did not change)
[root@X ~]# grep MAC /etc/sysconfig/network-scripts/ifcfg-eth0
MACADDR=00:40:F4:41:84:94

[root@X ~]# tail /var/log/audit/audit.log
type=USER msg=audit(1119269430.327:250807): user pid=2135 uid=0 auid=4294967295 msg='PAM bad_ident: user=? exe=/usr/bin/gdm-binary (hostname=?, addr=?, terminal=? result=User not known to the underlying authentication module)'
type=USER msg=audit(1119269435.365:345814): user pid=2169 uid=0 auid=4294967295 msg='PAM authentication: user=y4kk0 exe=/usr/bin/gdm-binary (hostname=?, addr=?, terminal=:0 result=Success)'
type=USER msg=audit(1119269435.764:346017): user pid=2169 uid=0 auid=4294967295 msg='PAM accounting: user=y4kk0 exe=/usr/bin/gdm-binary (hostname=?, addr=?, terminal=:0 result=Success)'
type=USER msg=audit(1119269436.142:349590): user pid=2169 uid=0 auid=4294967295 msg='PAM session open: user=y4kk0 exe=/usr/bin/gdm-binary (hostname=?, addr=?, terminal=:0 result=Success)'
type=USER msg=audit(1119269493.985:667750): user pid=2478 uid=500 auid=4294967295 msg='PAM authentication: user=root exe=/bin/su (hostname=?, addr=?, terminal=pts/6 result=Success)'
type=USER msg=audit(1119269494.291:668834): user pid=2478 uid=500 auid=4294967295 msg='PAM accounting: user=root exe=/bin/su (hostname=?, addr=?, terminal=pts/6 result=Success)'
type=USER msg=audit(1119269494.708:673328): user pid=2478 uid=500 auid=4294967295 msg='PAM session open: user=root exe=/bin/su (hostname=?, addr=?, terminal=pts/6 result=Success)'
type=SOCKETCALL msg=audit(1119269526.239:789064): nargs=3 a0=11 a1=2 a2=0
type=SYSCALL msg=audit(1119269526.239:789064): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf90aa50 a2=0 a3=bf90bf30 items=0 pid=2757 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip"
type=AVC msg=audit(1119269526.239:789064): avc:  denied  { create } for  pid=2757 comm="ip" scontext=root:system_r:ifconfig_t tcontext=root:system_r:ifconfig_t tclass=packet_socket

(something was blocked)
[root@X ~]# setenforce 0
[root@X ~]# service network restart
Wyłączanie interfejsu eth0:                                [  OK  ]
Zatrzymywanie interfejsu sieciowego loopback:              [  OK  ]
Podnoszenie interfejsu loopback:                           [  OK  ]
Podnoszenie interfejsu eth0:                               [  OK  ]
[root@X ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:40:F4:41:84:94
          inet addr:192.168.0.8  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:65 errors:0 dropped:0 overruns:0 frame:0
          TX packets:62 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9434 (9.2 KiB)  TX bytes:5239 (5.1 KiB)
          Interrupt:11 Base address:0xd000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:558 errors:0 dropped:0 overruns:0 frame:0
          TX packets:558 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:17654 (17.2 KiB)  TX bytes:17654 (17.2 KiB)

[root@X ~]#

In permissive mode the MAC address was changed.

Additional info:

What is funny is that "ifdown eth0 && ifup eth0" works without a glitch in enforcing mode. It does not resolve the problem, because I have to trigger that command after each reboot :/

Comment 1 Daniel Walsh 2005-07-20 14:23:52 UTC
selinux-policy-targeted-1.25.2-1

Comment 2 Dawid Gajownik 2005-07-20 20:26:29 UTC
Should I downgrade to this version? I have selinux-policy-targeted-1.25.2-4
installed on my FC4 box and the problem is still visible.

Comment 3 Daniel Walsh 2005-07-21 00:07:49 UTC
What avc messages are you seeing now?

Comment 4 Dawid Gajownik 2005-07-21 08:26:17 UTC
type=AVC msg=audit(1121934344.535:11565021): avc:  denied  { net_raw } for  pid=3604 comm="ip" capability=13 scontext=root:system_r:ifconfig_t tcontext=root:system_r:ifconfig_t tclass=capability
type=SYSCALL msg=audit(1121934344.535:11565021): arch=40000003 syscall=102 success=no exit=-1 a0=1 a1=bfa77a90 a2=0 a3=bfa77f30 items=0 pid=3604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip"
type=SOCKETCALL msg=audit(1121934344.535:11565021): nargs=3 a0=11 a1=2 a2=0
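
The two denials in this report (the packet_socket create denial in the description and the net_raw capability denial in comment 4) can be read off the audit log mechanically. The following script is an added example, not code from the bug or from the selinux-policy package: it parses AVC records the way audit2allow does and prints the minimal allow rules the ifconfig_t domain would need, which is the kind of change a policy maintainer reviews before deciding whether the domain should be granted it at all. The log lines are constructed from the records quoted above.

```python
import re

# Constructed sample: the denials quoted in this bug report (one SYSCALL record
# kept to show that non-AVC records are ignored).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1119269526.239:789064): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf90aa50 a2=0 a3=bf90bf30 items=0 pid=2757 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip"
type=AVC msg=audit(1119269526.239:789064): avc:  denied  { create } for  pid=2757 comm="ip" scontext=root:system_r:ifconfig_t tcontext=root:system_r:ifconfig_t tclass=packet_socket
type=AVC msg=audit(1121934344.535:11565021): avc:  denied  { net_raw } for  pid=3604 comm="ip" capability=13 scontext=root:system_r:ifconfig_t tcontext=root:system_r:ifconfig_t tclass=capability
"""

# Matches the fields of an AVC denial record: permissions, comm, contexts, class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc_denials(log_text):
    """Return one dict per AVC denial: permissions, comm, source/target type, class."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, SOCKETCALL and USER records carry no denial
        src_type = m.group("scontext").split(":")[2]  # user:role:type
        tgt_type = m.group("tcontext").split(":")[2]
        denials.append({
            "perms": sorted(m.group("perms").split()),
            "comm": m.group("comm"),
            "source": src_type,
            "target": tgt_type,
            "tclass": m.group("tclass"),
        })
    return denials


def allow_rules(denials):
    """Collapse denials into the allow statements that would permit them."""
    merged = {}
    for d in denials:
        # A domain acting on its own context (sockets it creates, its own
        # capabilities) is written as 'self' in policy.
        target = "self" if d["target"] == d["source"] else d["target"]
        key = (d["source"], target, d["tclass"])
        merged.setdefault(key, set()).update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        p = p if len(perms) == 1 else "{ " + p + " }"
        rules.append(f"allow {src} {tgt}:{cls} {p};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(parse_avc_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Both records point at the same domain (ifconfig_t), so the output is the pair of rules that the reported upgrade to selinux-policy-targeted had to carry in some form; whether granting net_raw to a network-configuration domain is acceptable is the policy decision, not the parser's.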


Comment 5 Daniel Walsh 2005-07-28 16:45:02 UTC
Fixed in selinux-policy-targeted-1.25.3-9

Comment 6 Dawid Gajownik 2005-08-05 20:48:12 UTC
I can confirm that :D

(Sorry that it took me so long but I was away on my holiday.)

