Bug 163569 - ping blocked by selinux
Summary: ping blocked by selinux
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-07-18 23:36 UTC by Gabriel Schulhof
Modified: 2007-11-30 22:11 UTC

Fixed In Version: 1.25.3-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-08-19 07:47:43 UTC



Description Gabriel Schulhof 2005-07-18 23:36:30 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.7.8-2

Description of problem:
Ping doesn't output anything to the terminal (for either root or a regular user) because of this:
type=AVC msg=audit(1121729279.793:14880232): avc:  denied  { read write } for  pid=23335 comm="ping" name="3" dev=devpts ino=5 scontext=system_u:system_r:ping_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
type=AVC msg=audit(1121729279.793:14880232): avc:  denied  { read write } for  pid=23335 comm="ping" name="3" dev=devpts ino=5 scontext=system_u:system_r:ping_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
type=AVC msg=audit(1121729279.793:14880232): avc:  denied  { read write } for  pid=23335 comm="ping" name="3" dev=devpts ino=5 scontext=system_u:system_r:ping_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
type=AVC msg=audit(1121729279.793:14880232): avc:  denied  { read write } for  pid=23335 comm="ping" name="3" dev=devpts ino=5 scontext=system_u:system_r:ping_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
type=SYSCALL msg=audit(1121729279.793:14880232): arch=40000003 syscall=11 success=yes exit=0 a0=817def0 a1=818f828 a2=81749a8 a3=1 items=2 pid=23335 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ping" exe="/bin/ping"
type=AVC_PATH msg=audit(1121729279.793:14880232):  path="/dev/pts/3"
type=AVC_PATH msg=audit(1121729279.793:14880232):  path="/dev/pts/3"
type=AVC_PATH msg=audit(1121729279.793:14880232):  path="/dev/pts/3"
type=CWD msg=audit(1121729279.793:14880232):  cwd="/root"
type=PATH msg=audit(1121729279.793:14880232): item=0 name="/bin/ping" flags=101  inode=2779845 dev=03:01 mode=0104755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1121729279.793:14880232): item=1 flags=101  inode=3337422 dev=03:01 mode=0100755 ouid=0 ogid=0 rdev=00:00

Ping works fine when I run it from ttyS0 (serial nullmodem cable).

When I attempted to update selinux-policy-targeted, I got the following messages interspersed with the yum update output:

sepol_genbools_array:  unknown boolean user_ping
/usr/sbin/load_policy:  Warning!  Error while setting booleans:  Invalid argument
# ls -lZ /bin/ping
-rwsr-xr-x  root     root     system_u:object_r:ping_exec_t    /bin/ping

ping works fine on all my other FC4 machines. 

Version-Release number of selected component (if applicable):
iputils-20020927-22

How reproducible:
Always

Steps to Reproduce:
1. Don't know, really ...
2. Log into the problematic machine via ssh.
3. Ping a host from the local subnet.
4. Watch it seemingly hang.

Actual Results:  ping didn't output anything, but audit.log had "denied" messages.

Expected Results:  Ping should work properly from both serial ttys as well as pseudo-ttys.

Additional info:

selinux-policy-targeted-1.25.2-4
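
As an added example (not part of the report or of the selinux-policy package), the following Python parser reads the audit records quoted above, groups them by serial number and summarizes the denial: the ping_t domain was refused read and write on the chr_file /dev/pts/3, labelled initrc_devpts_t, which is why nothing reached the terminal. SAMPLE_LOG is copied from the report; the regexes and helper names are my own assumptions about the audit record format shown here.

```python
import re
from collections import defaultdict

# Audit records copied from the report above (one AVC, the SYSCALL and one AVC_PATH record).
SAMPLE_LOG = """\
type=AVC msg=audit(1121729279.793:14880232): avc:  denied  { read write } for  pid=23335 comm="ping" name="3" dev=devpts ino=5 scontext=system_u:system_r:ping_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
type=SYSCALL msg=audit(1121729279.793:14880232): arch=40000003 syscall=11 success=yes exit=0 a0=817def0 a1=818f828 a2=81749a8 a3=1 items=2 pid=23335 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ping" exe="/bin/ping"
type=AVC_PATH msg=audit(1121729279.793:14880232):  path="/dev/pts/3"
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')  # type, ts, serial, body
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, values optionally quoted

def parse_fields(body):
    """Turn 'k=v k2="v 2"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}

def parse_audit(text):
    """Group records by the audit serial, which ties AVC, SYSCALL and AVC_PATH lines of one event together."""
    events = defaultdict(lambda: {"avc": [], "paths": [], "syscall": None})
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m: continue
        rtype, _ts, serial, body = m.groups()
        ev = events[serial]
        if rtype == "AVC" and (a := AVC_RE.search(body)):
            rec = parse_fields(a.group(3))
            rec["result"], rec["perms"] = a.group(1), a.group(2).split()
            ev["avc"].append(rec)
        elif rtype == "AVC_PATH":
            path = parse_fields(body).get("path")
            if path and path not in ev["paths"]:  # the kernel repeats AVC_PATH once per denial
                ev["paths"].append(path)
        elif rtype == "SYSCALL":
            ev["syscall"] = parse_fields(body)
    return dict(events)

def summarize(text):
    """One line per denial: executable, source domain, permissions, object class, path and target type."""
    out = []
    for serial, ev in parse_audit(text).items():
        for rec in ev["avc"]:
            if rec["result"] != "denied": continue
            src = rec["scontext"].split(":")[2]  # e.g. ping_t
            tgt = rec["tcontext"].split(":")[2]  # e.g. initrc_devpts_t
            path = ev["paths"][0] if ev["paths"] else "?"
            exe = ev["syscall"]["exe"] if ev["syscall"] else rec.get("comm", "?")
            out.append(f"{serial}: {exe} ({src}) denied {'+'.join(rec['perms'])} on {rec['tclass']} {path} ({tgt})")
    return out
```

Running summarize(SAMPLE_LOG) yields "14880232: /bin/ping (ping_t) denied read+write on chr_file /dev/pts/3 (initrc_devpts_t)", the allow rule the 1.25.3-1 policy needed to add.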

Comment 1 Daniel Walsh 2005-07-20 03:33:26 UTC
Fixed in selinux-policy-targeted-1.25.3-1

