Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1608030
Summary: | SELinux is preventing ebtables from 'create' accesses on the rawip_socket Unknown. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Mikhail <mikhail.v.gavrilov> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 29 | CC: | awilliam, dwalsh, fedora, lslebodn, lvrabec, mgrepl, plautrba, pmoore, pwhalen, vondruch |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:c39eef8b25e9ca9cd77de0790832207e3f2ca13e0bd3eafe00444a6b2ac5a3cd;VARIANT_ID=workstation; | ||
Fixed In Version: | selinux-policy-3.14.2-34.fc29 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-09-12 02:58:09 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Mikhail
2018-07-24 19:13:16 UTC
Description of problem: systemctl restart firewalld Version-Release number of selected component: selinux-policy-3.14.2-29.fc29.noarch Additional info: reporter: libreport-2.9.5 hashmarkername: setroubleshoot kernel: 4.17.7-200.fc28.x86_64 type: libreport type=PROCTITLE msg=audit(07/27/2018 13:29:07.872:185410) : proctitle=/usr/sbin/ebtables -t filter -L type=SYSCALL msg=audit(07/27/2018 13:29:07.872:185410) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=inet a1=SOCK_RAW a2=igmp a3=0x55c4bb817010 items=0 ppid=27580 pid=27737 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ebtables exe=/usr/sbin/ebtables-legacy subj=system_u:system_r:firewalld_t:s0 key=(null) type=AVC msg=audit(07/27/2018 13:29:07.872:185410) : avc: denied { create } for pid=27737 comm=ebtables scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0 sh# sesearch -A -s firewalld_t -t firewalld_t -c rawip_socket sh# And AVCs in permissive mode type=PROCTITLE msg=audit(07/27/2018 13:34:58.298:185513) : proctitle=/usr/sbin/ebtables --concurrent -L type=SYSCALL msg=audit(07/27/2018 13:34:58.298:185513) : arch=x86_64 syscall=socket success=yes exit=3 a0=inet a1=SOCK_RAW a2=igmp a3=0x8 items=0 ppid=28039 pid=28052 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ebtables exe=/usr/sbin/ebtables-legacy subj=system_u:system_r:firewalld_t:s0 key=(null) type=AVC msg=audit(07/27/2018 13:34:58.298:185513) : avc: denied { net_raw } for pid=28052 comm=ebtables capability=net_raw scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=1 type=AVC msg=audit(07/27/2018 13:34:58.298:185513) : avc: denied { create } for pid=28052 comm=ebtables scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=1 ---- type=PROCTITLE msg=audit(07/27/2018 13:34:58.298:185514) : proctitle=/usr/sbin/ebtables --concurrent -L type=SYSCALL msg=audit(07/27/2018 13:34:58.298:185514) : arch=x86_64 syscall=getsockopt success=no exit=ENOPROTOOPT(Protocol not available) a0=0x3 a1=ip a2=unknown-ipopt-name(0x80) a3=0x7fff84f6df70 items=0 ppid=28039 pid=28052 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ebtables exe=/usr/sbin/ebtables-legacy subj=system_u:system_r:firewalld_t:s0 key=(null) type=AVC msg=audit(07/27/2018 13:34:58.298:185514) : avc: denied { getopt } for pid=28052 comm=ebtables lport=2 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=1 This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'. *** Bug 1618507 has been marked as a duplicate of this bug. *** Description of problem: Right after logging in on XFCE desktop. Version-Release number of selected component: selinux-policy-3.14.2-32.fc29.noarch Additional info: reporter: libreport-2.9.5 hashmarkername: setroubleshoot kernel: 4.18.5-300.fc29.armv7hl type: libreport Note that https://bodhi.fedoraproject.org/updates/FEDORA-2018-379c39d97c and https://koji.fedoraproject.org/koji/buildinfo?buildID=1140843 will 'solve' this for now, by switching back to iptables. Presumably at some point in future at least Rawhide will switch back to ebtables, though, so this will show up again... selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726 selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report. |