Bug 452765 - SELinux is preventing iptables (iptables_t) "read write" to /proc/xen/privcmd

Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: xen
Version: 5.2
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: 5.6
Assignee: Xen Maintenance List
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 514500
Reported: 2008-06-24 21:33 UTC by Martin Jürgens
Modified: 2010-10-20 11:15 UTC
CC List: 6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-10-20 11:15:40 UTC
Target Upstream Version:


Description Martin Jürgens 2008-06-24 21:33:00 UTC
Description of problem:
I have a Xen guest running. Sometimes, this SELinux warning appears:

Source Context                system_u:system_r:iptables_t
Target Context                system_u:object_r:proc_xen_t
Target Objects                /proc/xen/privcmd [ file ]
Source                        iptables
Source Path                   /sbin/iptables
Port                          <Unknown>
Host                          85-10-1xx-51.clients.your-server.de
Source RPM Packages           iptables-1.3.5-4.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-137.el5
SELinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     85-10-1xx-51.clients.your-server.de
Platform                      Linux 85-10-1xx-51.clients.your-server.de
                              2.6.18-92.1.1.el5xen #1 SMP Sat Jun 21 19:21:20
                              EDT 2008 x86_64 x86_64
Alert Count                   62
First Seen                    Tue 24 Jun 2008 18:03:49 CEST
Last Seen                     Tue 24 Jun 2008 23:29:05 CEST
Local ID                      1c22a36f-58ad-4a29-9a94-c7e01f11d8e6
Line Numbers                  

Raw Audit Messages            

host=85-10-1xx-51.clients.your-server.de type=AVC msg=audit(1214342945.590:153):
avc:  denied  { read write } for  pid=8880 comm="iptables"
path="/proc/xen/privcmd" dev=proc ino=4026533346
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:proc_xen_t:s0 tclass=file

host=85-10-1xx-51.clients.your-server.de type=AVC msg=audit(1214342945.590:153):
avc:  denied  { read write } for  pid=8880 comm="iptables"
path="/proc/xen/privcmd" dev=proc ino=4026533346
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:proc_xen_t:s0 tclass=file

host=85-10-1xx-51.clients.your-server.de type=SYSCALL
msg=audit(1214342945.590:153): arch=c000003e syscall=59 success=yes exit=0
a0=2e7c170 a1=2e7bd90 a2=7fffe86c0440 a3=0 items=0 ppid=2307 pid=8880
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables"
subj=system_u:system_r:iptables_t:s0 key=(null)

Comment 1 Subhendu Ghosh 2009-03-25 16:23:06 UTC
Reassigning to selinux-policy-targeted

Comment 2 Daniel Walsh 2009-03-25 16:56:43 UTC
This is not a selinux-policy problem.

This is a leaked file descriptor in xen.  iptables is not looking at /proc/xen/privcmd,  xend is and is leaking this when it executes iptables.

It should close fd's when it executes other apps.

fcntl(fd, F_SETFD, FD_CLOEXEC);

Martin,

You can write custom policy to make this error disappear by executing 

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp
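
The mechanism Dan Walsh describes, shown as an added example that is not code from this bug, from xend or from iptables: a parent holds a descriptor open, forks and execs a helper, and the descriptor is inherited by the new program image unless it was marked close-on-exec. That matches the raw audit record above, where syscall 59 on x86_64 is execve and it succeeded: the kernel re-checks every inherited descriptor against the new domain at the transition into iptables_t, logs the AVC for the one the new domain may not use, and drops it. The example stands in for /proc/xen/privcmd with an unlinked temp file (an assumption; the real node is not available outside a Xen dom0) and for iptables with /bin/sh, whose only job is to report whether the inherited descriptor number still exists after exec. Function names such as fd_leaks_across_exec are this example's own.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for xend's handle on /proc/xen/privcmd (assumption: an unlinked
 * temp file opened read/write; only its behaviour across exec matters). */
static int open_privileged_handle(void)
{
    char path[] = "/tmp/privcmd-stand-in-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) {
        perror("mkstemp");
        exit(1);
    }
    unlink(path);   /* keep the open descriptor, drop the name */
    return fd;
}

/* 1 if FD_CLOEXEC is set on fd, 0 if not, -1 if fd is not open. */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* The fix from the comment above; this variant reads the current FD flags
 * first so that adding FD_CLOEXEC does not clobber any other flag. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Fork and exec a helper, the way xend execs iptables, and report whether
 * fd is still open in the exec'd image.  The helper is /bin/sh running
 * ": <&N": that redirection succeeds only if descriptor N exists in the new
 * process; otherwise sh fails with "Bad file descriptor" and exits non-zero.
 * Returns 1 if the descriptor leaked into the child, 0 if exec closed it,
 * -1 if fork, exec or wait failed. */
int fd_leaks_across_exec(int fd)
{
    char script[48];
    snprintf(script, sizeof script, "exec 2>/dev/null; : <&%d", fd);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);   /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Same descriptor, same exec, once without and once with the fix. */
int demo_leak_without_fix(void)
{
    int fd = open_privileged_handle();
    int leaked = fd_leaks_across_exec(fd);
    close(fd);
    return leaked;
}

int demo_leak_with_fix(void)
{
    int fd = open_privileged_handle();
    if (set_cloexec(fd) < 0)
        return -1;
    int leaked = fd_leaks_across_exec(fd);
    close(fd);
    return leaked;
}

int main(void)
{
    printf("without FD_CLOEXEC: descriptor %s into the exec'd helper\n",
           demo_leak_without_fix() == 1 ? "leaks" : "does not leak");
    printf("with FD_CLOEXEC:    descriptor %s into the exec'd helper\n",
           demo_leak_with_fix() == 1 ? "leaks" : "does not leak");
    return 0;
}
```

On a Xen host with the policy in effect, the first case is what produces the AVC against iptables_t: nothing iptables does touches privcmd, the denial is the kernel refusing to let the inherited descriptor cross into the new domain. Marking the descriptor FD_CLOEXEC in the parent (or opening it with O_CLOEXEC on kernels that support it) removes the leak at its source, which is why the audit2allow module above only hides the symptom.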

Comment 4 Miroslav Rezanina 2010-10-20 07:28:35 UTC
Hi Martin,
Can you write down some situation when the message appears? I'm not able to reproduce it.

Comment 5 Martin Jürgens 2010-10-20 10:32:10 UTC
Sorry, can't remember. Using KVM now :(

Comment 6 Miroslav Rezanina 2010-10-20 11:15:40 UTC
As there's no known scenario for this problem, closing this bz. If you reproduce it, feel free to reopen it.
