Bug 235182 - selinux denial messages when rmmoding network interface
Summary: selinux denial messages when rmmoding network interface
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-04-04 11:46 UTC by Roy-Magne Mo
Modified: 2007-11-30 22:12 UTC

Fixed In Version: 2.5.12-3.fc7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-05-04 16:28:34 UTC



Description Roy-Magne Mo 2007-04-04 11:46:44 UTC
Description of problem:
selinux denial messages when running ifdown

Version-Release number of selected component (if applicable):
# rpm -qa \*policy\* initscripts selinux\*
policycoreutils-2.0.7-8.fc7
initscripts-8.51-1
selinux-policy-2.5.11-1.fc7
selinux-policy-targeted-2.5.11-1.fc7


How reproducible:
always

Steps to Reproduce:
1. rmmod iwlwifi
Actual results:
selinux denials

Expected results:


Additional info:
avc: denied { getattr } for comm="ifdown-eth" dev=dm-0 egid=0 euid=0
exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="dhclient-eth1.pid"
path="/var/run/dhclient-eth1.pid" pid=5158
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:dhcpc_var_run_t:s0 tty=(none) uid=0 


avc: denied { search } for comm="ifdown-ipv6" dev=proc egid=0 euid=0
exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="net" pid=5207
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir
tcontext=system_u:object_r:proc_net_t:s0 tty=(none) uid=0

Comment 1 Daniel Walsh 2007-04-10 18:15:45 UTC
This is very strange.  This looks like you have some program running as udev
that should not be?


Harald does this make sense to you?  Would udev ever run ifdown-eth?


Comment 2 Bill Nottingham 2007-04-10 20:00:00 UTC
Yes, it does on interface removal.

Comment 3 Daniel Walsh 2007-04-10 20:08:49 UTC
Roy-Magne could you run this in permissive mode and collect all of the avc messages?


Comment 4 Roy-Magne Mo 2007-04-13 15:55:42 UTC
# rpm -qa \*policy\* initscripts selinux\*
selinux-policy-targeted-2.5.12-2.fc7
policycoreutils-2.0.9-1.fc7
selinux-policy-2.5.12-2.fc7
initscripts-8.51-1


Quite a lot, collected from audit.log:

type=AVC msg=audit(1176479586.254:127): avc:  denied  { search } for  pid=4713
comm="ifdown-ipv6" name="net" dev=proc ino=-268435430
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
type=AVC msg=audit(1176479586.254:127): avc:  denied  { getattr } for  pid=4713
comm="ifdown-ipv6" name="if_inet6" dev=proc ino=-268435115
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1176479586.254:127): arch=40000003 syscall=195
success=yes exit=0 a0=874b228 a1=bfe31738 a2=44b86ff4 a3=874b228 items=0
ppid=4660 pid=4713 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="ifdown-ipv6" exe="/bin/bash"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1176479586.254:127):  path="/proc/net/if_inet6"
type=AVC msg=audit(1176479586.254:128): avc:  denied  { search } for  pid=4713
comm="ifdown-ipv6" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=SYSCALL msg=audit(1176479586.254:128): arch=40000003 syscall=195
success=yes exit=0 a0=872c7c8 a1=bfe31958 a2=44b86ff4 a3=872c7c8 items=0
ppid=4660 pid=4713 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="ifdown-ipv6" exe="/bin/bash"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1176479586.254:129): avc:  denied  { getattr } for  pid=4660
comm="ifdown-eth" name="dhclient-eth1.pid" dev=dm-0 ino=1177838
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=user_u:object_r:dhcpc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1176479586.254:129): arch=40000003 syscall=195
success=yes exit=0 a0=9d9b808 a1=bf9fdf38 a2=44b86ff4 a3=9d9b808 items=0
ppid=4659 pid=4660 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="ifdown-eth" exe="/bin/bash"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1176479586.254:129):  path="/var/run/dhclient-eth1.pid"
type=AVC msg=audit(1176479586.254:130): avc:  denied  { read } for  pid=4730
comm="cat" name="dhclient-eth1.pid" dev=dm-0 ino=1177838
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=user_u:object_r:dhcpc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1176479586.254:130): arch=40000003 syscall=5 success=yes
exit=3 a0=bfb70e74 a1=8000 a2=0 a3=8000 items=0 ppid=4660 pid=4730
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="cat" exe="/bin/cat"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1176479586.254:131): avc:  denied  { unlink } for  pid=4761
comm="rm" name="dhclient-eth1.pid" dev=dm-0 ino=1177838
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=user_u:object_r:dhcpc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1176479586.254:131): arch=40000003 syscall=301
success=yes exit=0 a0=ffffff9c a1=bf9efe76 a2=0 a3=bf9efe76 items=0 ppid=4660
pid=4761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="rm" exe="/bin/rm" subj=system_u:system_r:udev_t:s0-s0:c0.c1023
key=(null)
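Triage of the denials posted in this comment and in the original description, as an added example that is not part of the bug report or of the selinux-policy package: a small Python parser that accepts both AVC formats shown in this bug (the kernel printk style of the description and the audit.log `type=AVC` records above), groups the denials by source domain, target type and object class, and renders audit2allow-style rules for review. The sample log is constructed from the records in this bug, each joined onto a single line the way audit.log and dmesg actually emit them; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records taken from this bug report, each joined onto one
# line as the kernel and auditd actually emit them. The first two are kernel
# printk-style lines (from the description); the rest are audit.log records.
SAMPLE_LOG = "\n".join([
    'avc: denied { getattr } for comm="ifdown-eth" dev=dm-0 egid=0 euid=0 exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="dhclient-eth1.pid" path="/var/run/dhclient-eth1.pid" pid=5158 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:dhcpc_var_run_t:s0 tty=(none) uid=0',
    'avc: denied { search } for comm="ifdown-ipv6" dev=proc egid=0 euid=0 exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="net" pid=5207 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir tcontext=system_u:object_r:proc_net_t:s0 tty=(none) uid=0',
    'type=AVC msg=audit(1176479586.254:127): avc:  denied  { search } for  pid=4713 comm="ifdown-ipv6" name="net" dev=proc ino=-268435430 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir',
    'type=AVC msg=audit(1176479586.254:127): avc:  denied  { getattr } for  pid=4713 comm="ifdown-ipv6" name="if_inet6" dev=proc ino=-268435115 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1176479586.254:127): arch=40000003 syscall=195 success=yes exit=0 a0=874b228 a1=bfe31738 a2=44b86ff4 a3=874b228 items=0 ppid=4660 pid=4713 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ifdown-ipv6" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)',
    'type=AVC_PATH msg=audit(1176479586.254:127):  path="/proc/net/if_inet6"',
    'type=AVC msg=audit(1176479586.254:128): avc:  denied  { search } for  pid=4713 comm="ifdown-ipv6" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir',
    'type=AVC msg=audit(1176479586.254:129): avc:  denied  { getattr } for  pid=4660 comm="ifdown-eth" name="dhclient-eth1.pid" dev=dm-0 ino=1177838 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=user_u:object_r:dhcpc_var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1176479586.254:130): avc:  denied  { read } for  pid=4730 comm="cat" name="dhclient-eth1.pid" dev=dm-0 ino=1177838 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=user_u:object_r:dhcpc_var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1176479586.254:131): avc:  denied  { unlink } for  pid=4761 comm="rm" name="dhclient-eth1.pid" dev=dm-0 ino=1177838 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=user_u:object_r:dhcpc_var_run_t:s0 tclass=file',
])

# Matches the "avc: denied { perms } for key=value ..." core that both formats share;
# SYSCALL and AVC_PATH records have no "avc:" token and are skipped.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values are either double-quoted strings or a run of non-space chars.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the denial's fields plus a 'perms' list, or None if the
    line is not an AVC denial record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def type_of(context):
    """Pull the type (third field) out of a user:role:type[:range] context."""
    return context.split(':')[2]


def summarize(log_text):
    """Group denials by (source domain, target type, object class) -> permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        groups[key].update(rec['perms'])
    return dict(groups)


def allow_rules(groups):
    """Render one audit2allow-style rule per group, sorted for stable review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
            for (s, t, c), perms in sorted(groups.items())]


def commands(log_text):
    """Sorted list of the distinct programs (comm=) that hit a denial."""
    recs = (parse_avc(line) for line in log_text.splitlines())
    return sorted({r['comm'] for r in recs if r is not None and 'comm' in r})


if __name__ == '__main__':
    groups = summarize(SAMPLE_LOG)
    print("programs denied:", ", ".join(commands(SAMPLE_LOG)))
    for rule in allow_rules(groups):
        print(rule)
```

Running it on the sample collapses the ten records into four groups, all with udev_t as the source domain: the dhclient pid file (getattr, read, unlink), /proc/net as a directory (search), /proc/net/if_inet6 (getattr) and the net sysctl tree (search), triggered by ifdown-eth, ifdown-ipv6, cat and rm. Two details are worth reading off the raw records as well: the SYSCALL lines in this comment carry success=yes because they were collected in permissive mode as asked in Comment 3, whereas the exit=-13 (EACCES) in the description shows the same denial actually blocking the script in enforcing mode. The rendered rules are a reading aid, the same view `audit2allow -a` gives; whether the right fix is to grant udev_t these permissions or to have the ifdown scripts run in a different domain is a policy decision, which is why generated rules should be reviewed rather than loaded blindly.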


Comment 5 Daniel Walsh 2007-04-16 15:55:31 UTC
Fixed in selinux-policy-2.5.12-3.fc7

