Bug 1539008 - SELinux prevents the ntop service from running
Summary: SELinux prevents the ntop service from running
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Milos Malik
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-01-26 11:54 UTC by Milos Malik
Modified: 2018-08-08 15:33 UTC (History)

Fixed In Version: selinux-policy-3.13.1-284.37.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-08-08 15:33:52 UTC
Type: Bug
Embargoed:



Description Milos Malik 2018-01-26 11:54:25 UTC
Description of problem:

Version-Release number of selected component (if applicable):
ntop-5.0.1-13.fc27.x86_64
selinux-policy-3.13.1-283.21.fc27.noarch
selinux-policy-devel-3.13.1-283.21.fc27.noarch
selinux-policy-targeted-3.13.1-283.21.fc27.noarch

How reproducible:
* always

Steps to Reproduce:
1. get a Fedora27 machine (targeted policy is active)
2. install the ntop package
3. start the ntop service
4. search for SELinux denials

Actual results (enforcing mode):
----
time->Fri Jan 26 06:46:20 2018
type=AVC msg=audit(1516967180.008:897): avc:  denied  { map } for  pid=25452 comm="ntop" path="/var/lib/ntop/prefsCache.db" dev="vda1" ino=395484 scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:object_r:ntop_var_lib_t:s0 tclass=file permissive=0
----

Expected results:
* no SELinux denials

Comment 1 Milos Malik 2018-01-26 11:55:35 UTC
Actual results (permissive mode):
----
time->Fri Jan 26 06:47:19 2018
type=AVC msg=audit(1516967239.424:908): avc:  denied  { map } for  pid=29007 comm="ntop" path="/var/lib/ntop/prefsCache.db" dev="vda1" ino=395484 scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:object_r:ntop_var_lib_t:s0 tclass=file permissive=1
----
time->Fri Jan 26 06:47:19 2018
type=AVC msg=audit(1516967239.428:909): avc:  denied  { map } for  pid=29007 comm="ntop" path="/var/lib/ntop/ntop_pw.db" dev="vda1" ino=395550 scontext=system_u:system_r:ntop_t:s0 tcontext=unconfined_u:object_r:ntop_var_lib_t:s0 tclass=file permissive=1
----
time->Fri Jan 26 06:47:19 2018
type=AVC msg=audit(1516967239.444:910): avc:  denied  { map } for  pid=29007 comm="ntop" path="socket:[74665]" dev="sockfs" ino=74665 scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:system_r:ntop_t:s0 tclass=packet_socket permissive=1
----
time->Fri Jan 26 06:47:19 2018
type=AVC msg=audit(1516967239.448:911): avc:  denied  { map } for  pid=29007 comm="ntop" path="/dev/usbmon0" dev="devtmpfs" ino=10900 scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=1
----
time->Fri Jan 26 06:47:19 2018
type=AVC msg=audit(1516967239.450:912): avc:  denied  { create } for  pid=29007 comm="ntop" scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:system_r:ntop_t:s0 tclass=netlink_netfilter_socket permissive=1
----

Comment 2 Milos Malik 2018-06-11 14:24:29 UTC
Re-run of the automated TC in enforcing mode on Fedora 28 revealed:
----
type=PROCTITLE msg=audit(06/11/2018 16:17:20.923:265) : proctitle=/usr/sbin/ntop @/etc/ntop.conf 
type=PATH msg=audit(06/11/2018 16:17:20.923:265) : item=0 name=/var/lib/ntop/ inode=25714921 dev=fc:02 mode=dir,755 ouid=ntop ogid=ntop rdev=00:00 obj=system_u:object_r:ntop_var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(06/11/2018 16:17:20.923:265) : cwd=/ 
type=SYSCALL msg=audit(06/11/2018 16:17:20.923:265) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffc9b22c410 a2=O_RDWR|O_CREAT a3=0x1a0 items=1 ppid=1 pid=7953 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ntop exe=/usr/sbin/ntop subj=system_u:system_r:ntop_t:s0 key=(null) 
type=AVC msg=audit(06/11/2018 16:17:20.923:265) : avc:  denied  { dac_override } for  pid=7953 comm=ntop capability=dac_override  scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:system_r:ntop_t:s0 tclass=capability permissive=0 
----

Re-run of the automated TC in permissive mode on Fedora 28 revealed:
----
type=PROCTITLE msg=audit(06/11/2018 16:19:58.189:278) : proctitle=/usr/sbin/ntop @/etc/ntop.conf 
type=PATH msg=audit(06/11/2018 16:19:58.189:278) : item=1 name=/var/lib/ntop/prefsCache.db inode=25714962 dev=fc:02 mode=file,640 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ntop_var_lib_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(06/11/2018 16:19:58.189:278) : item=0 name=/var/lib/ntop/ inode=25714921 dev=fc:02 mode=dir,755 ouid=ntop ogid=ntop rdev=00:00 obj=system_u:object_r:ntop_var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(06/11/2018 16:19:58.189:278) : cwd=/ 
type=SYSCALL msg=audit(06/11/2018 16:19:58.189:278) : arch=x86_64 syscall=openat success=yes exit=5 a0=0xffffff9c a1=0x7fffefee1780 a2=O_RDWR|O_CREAT a3=0x1a0 items=2 ppid=1 pid=14274 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ntop exe=/usr/sbin/ntop subj=system_u:system_r:ntop_t:s0 key=(null) 
type=AVC msg=audit(06/11/2018 16:19:58.189:278) : avc:  denied  { dac_override } for  pid=14274 comm=ntop capability=dac_override  scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:system_r:ntop_t:s0 tclass=capability permissive=1 
----
type=PROCTITLE msg=audit(06/11/2018 16:19:58.212:279) : proctitle=/usr/sbin/ntop @/etc/ntop.conf 
type=MMAP msg=audit(06/11/2018 16:19:58.212:279) : fd=5 flags=MAP_SHARED 
type=SYSCALL msg=audit(06/11/2018 16:19:58.212:279) : arch=x86_64 syscall=mmap success=yes exit=140366266060800 a0=0x0 a1=0x3000 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED items=0 ppid=1 pid=14274 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ntop exe=/usr/sbin/ntop subj=system_u:system_r:ntop_t:s0 key=(null) 
type=AVC msg=audit(06/11/2018 16:19:58.212:279) : avc:  denied  { map } for  pid=14274 comm=ntop path=/var/lib/ntop/prefsCache.db dev="vda2" ino=25714962 scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:object_r:ntop_var_lib_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(06/11/2018 16:19:58.226:280) : proctitle=/usr/sbin/ntop @/etc/ntop.conf 
type=MMAP msg=audit(06/11/2018 16:19:58.226:280) : fd=6 flags=MAP_SHARED 
type=SYSCALL msg=audit(06/11/2018 16:19:58.226:280) : arch=x86_64 syscall=mmap success=yes exit=140366266048512 a0=0x0 a1=0x3000 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED items=0 ppid=1 pid=14274 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ntop exe=/usr/sbin/ntop subj=system_u:system_r:ntop_t:s0 key=(null) 
type=AVC msg=audit(06/11/2018 16:19:58.226:280) : avc:  denied  { map } for  pid=14274 comm=ntop path=/var/lib/ntop/ntop_pw.db dev="vda2" ino=25714958 scontext=system_u:system_r:ntop_t:s0 tcontext=unconfined_u:object_r:ntop_var_lib_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(06/11/2018 16:19:58.249:281) : proctitle=/usr/sbin/ntop @/etc/ntop.conf 
type=MMAP msg=audit(06/11/2018 16:19:58.249:281) : fd=7 flags=MAP_SHARED 
type=SYSCALL msg=audit(06/11/2018 16:19:58.249:281) : arch=x86_64 syscall=mmap success=yes exit=140366123274240 a0=0x0 a1=0x200000 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED items=0 ppid=1 pid=14274 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ntop exe=/usr/sbin/ntop subj=system_u:system_r:ntop_t:s0 key=(null) 
type=AVC msg=audit(06/11/2018 16:19:58.249:281) : avc:  denied  { map } for  pid=14274 comm=ntop path=socket:[105132] dev="sockfs" ino=105132 scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:system_r:ntop_t:s0 tclass=packet_socket permissive=1 
----
type=PROCTITLE msg=audit(06/11/2018 16:19:58.252:282) : proctitle=/usr/sbin/ntop @/etc/ntop.conf 
type=SYSCALL msg=audit(06/11/2018 16:19:58.252:282) : arch=x86_64 syscall=socket success=yes exit=7 a0=bluetooth a1=SOCK_RAW a2=icmp a3=0x7fa99091de40 items=0 ppid=1 pid=14274 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ntop exe=/usr/sbin/ntop subj=system_u:system_r:ntop_t:s0 key=(null) 
type=AVC msg=audit(06/11/2018 16:19:58.252:282) : avc:  denied  { create } for  pid=14274 comm=ntop scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:system_r:ntop_t:s0 tclass=bluetooth_socket permissive=1 
----
type=PROCTITLE msg=audit(06/11/2018 16:19:58.405:283) : proctitle=/usr/sbin/ntop @/etc/ntop.conf 
type=SYSCALL msg=audit(06/11/2018 16:19:58.405:283) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x7 a1=0x800448d2 a2=0x5597ce9a6870 a3=0x7fa99091de40 items=0 ppid=1 pid=14274 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ntop exe=/usr/sbin/ntop subj=system_u:system_r:ntop_t:s0 key=(null) 
type=AVC msg=audit(06/11/2018 16:19:58.405:283) : avc:  denied  { ioctl } for  pid=14274 comm=ntop path=socket:[105137] dev="sockfs" ino=105137 ioctlcmd=0x48d2 scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:system_r:ntop_t:s0 tclass=bluetooth_socket permissive=1 
----
type=PROCTITLE msg=audit(06/11/2018 16:19:58.405:284) : proctitle=/usr/sbin/ntop @/etc/ntop.conf 
type=SYSCALL msg=audit(06/11/2018 16:19:58.405:284) : arch=x86_64 syscall=socket success=yes exit=7 a0=bluetooth a1=SOCK_RAW a2=icmp a3=0x5597ce999010 items=0 ppid=1 pid=14274 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ntop exe=/usr/sbin/ntop subj=system_u:system_r:ntop_t:s0 key=(null) 
type=AVC msg=audit(06/11/2018 16:19:58.405:284) : avc:  denied  { create } for  pid=14274 comm=ntop scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:system_r:ntop_t:s0 tclass=bluetooth_socket permissive=1 
----
type=PROCTITLE msg=audit(06/11/2018 16:19:58.405:285) : proctitle=/usr/sbin/ntop @/etc/ntop.conf 
type=SOCKADDR msg=audit(06/11/2018 16:19:58.405:285) : saddr={ fam=bluetooth (unsupported) } 
type=SYSCALL msg=audit(06/11/2018 16:19:58.405:285) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x7 a1=0x7fffefedd622 a2=0x6 a3=0x5597ce999010 items=0 ppid=1 pid=14274 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ntop exe=/usr/sbin/ntop subj=system_u:system_r:ntop_t:s0 key=(null) 
type=AVC msg=audit(06/11/2018 16:19:58.405:285) : avc:  denied  { bind } for  pid=14274 comm=ntop scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:system_r:ntop_t:s0 tclass=bluetooth_socket permissive=1 
----
type=PROCTITLE msg=audit(06/11/2018 16:19:58.405:286) : proctitle=/usr/sbin/ntop @/etc/ntop.conf 
type=SYSCALL msg=audit(06/11/2018 16:19:58.405:286) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x7 a1=SOL_SOCKET a2=SO_TIMESTAMP a3=0x7fffefedd61c items=0 ppid=1 pid=14274 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ntop exe=/usr/sbin/ntop subj=system_u:system_r:ntop_t:s0 key=(null) 
type=AVC msg=audit(06/11/2018 16:19:58.405:286) : avc:  denied  { setopt } for  pid=14274 comm=ntop scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:system_r:ntop_t:s0 tclass=bluetooth_socket permissive=1 
----
type=PROCTITLE msg=audit(06/11/2018 16:19:58.405:287) : proctitle=/usr/sbin/ntop @/etc/ntop.conf 
type=MMAP msg=audit(06/11/2018 16:19:58.405:287) : fd=7 flags=MAP_SHARED 
type=SYSCALL msg=audit(06/11/2018 16:19:58.405:287) : arch=x86_64 syscall=mmap success=yes exit=140366264639488 a0=0x0 a1=0x4b000 a2=PROT_READ a3=MAP_SHARED items=0 ppid=1 pid=14274 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ntop exe=/usr/sbin/ntop subj=system_u:system_r:ntop_t:s0 key=(null) 
type=AVC msg=audit(06/11/2018 16:19:58.405:287) : avc:  denied  { map } for  pid=14274 comm=ntop path=/dev/usbmon0 dev="devtmpfs" ino=11480 scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=1 
----
type=PROCTITLE msg=audit(06/11/2018 16:19:58.471:288) : proctitle=/usr/sbin/ntop @/etc/ntop.conf 
type=SYSCALL msg=audit(06/11/2018 16:19:58.471:288) : arch=x86_64 syscall=socket success=yes exit=7 a0=netlink a1=SOCK_RAW a2=pup a3=0x7fa99091de40 items=0 ppid=1 pid=14274 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ntop exe=/usr/sbin/ntop subj=system_u:system_r:ntop_t:s0 key=(null) 
type=AVC msg=audit(06/11/2018 16:19:58.471:288) : avc:  denied  { create } for  pid=14274 comm=ntop scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:system_r:ntop_t:s0 tclass=netlink_netfilter_socket permissive=1 
----
type=PROCTITLE msg=audit(06/11/2018 16:19:58.525:290) : proctitle=/usr/sbin/ntop @/etc/ntop.conf 
type=PATH msg=audit(06/11/2018 16:19:58.525:290) : item=1 name=/var/lib/ntop/macPrefix.db inode=25714963 dev=fc:02 mode=file,640 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ntop_var_lib_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(06/11/2018 16:19:58.525:290) : item=0 name=/var/lib/ntop/ inode=25714921 dev=fc:02 mode=dir,755 ouid=ntop ogid=ntop rdev=00:00 obj=system_u:object_r:ntop_var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(06/11/2018 16:19:58.525:290) : cwd=/ 
type=SYSCALL msg=audit(06/11/2018 16:19:58.525:290) : arch=x86_64 syscall=openat success=yes exit=8 a0=0xffffff9c a1=0x7fffefee1a10 a2=O_RDWR|O_CREAT a3=0x1a0 items=2 ppid=1 pid=14274 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ntop exe=/usr/sbin/ntop subj=system_u:system_r:ntop_t:s0 key=(null) 
type=AVC msg=audit(06/11/2018 16:19:58.525:290) : avc:  denied  { dac_override } for  pid=14274 comm=ntop capability=dac_override  scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:system_r:ntop_t:s0 tclass=capability permissive=1 
----
type=PROCTITLE msg=audit(06/11/2018 16:20:21.986:294) : proctitle=/usr/sbin/ntop @/etc/ntop.conf 
type=MMAP msg=audit(06/11/2018 16:20:21.986:294) : fd=7 flags=MAP_SHARED 
type=SYSCALL msg=audit(06/11/2018 16:20:21.986:294) : arch=x86_64 syscall=mmap success=yes exit=140157802909696 a0=0x0 a1=0x200000 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED items=0 ppid=1 pid=14970 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ntop exe=/usr/sbin/ntop subj=system_u:system_r:ntop_t:s0 key=(null) 
type=AVC msg=audit(06/11/2018 16:20:21.986:294) : avc:  denied  { map } for  pid=14970 comm=ntop path=socket:[107247] dev="sockfs" ino=107247 scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:system_r:ntop_t:s0 tclass=packet_socket permissive=1 
----
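
Added example (not from this report or the selinux-policy project): a small parser that reduces AVC records like the ones in the description and comments 1 and 2, in both the raw and `ausearch -i` forms shown here, to the candidate `allow` rules a policy author would review, in the spirit of what audit2allow produces. The sample records are constructed from this report's denials; `enforcing_blockers` picks out the `permissive=0` entries, which is why the enforcing-mode runs above stop at a single denial while the permissive runs list the whole set.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records in the two shapes this report shows (raw epoch
# and ausearch -i); permissions, contexts and classes are copied from the report.
SAMPLE_AVCS = """\
type=AVC msg=audit(1516967180.008:897): avc:  denied  { map } for  pid=25452 comm="ntop" path="/var/lib/ntop/prefsCache.db" dev="vda1" ino=395484 scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:object_r:ntop_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1516967239.444:910): avc:  denied  { map } for  pid=29007 comm="ntop" path="socket:[74665]" dev="sockfs" ino=74665 scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:system_r:ntop_t:s0 tclass=packet_socket permissive=1
type=AVC msg=audit(06/11/2018 16:19:58.405:285) : avc:  denied  { bind } for  pid=14274 comm=ntop scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:system_r:ntop_t:s0 tclass=bluetooth_socket permissive=1
type=AVC msg=audit(06/11/2018 16:19:58.405:286) : avc:  denied  { setopt } for  pid=14274 comm=ntop scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:system_r:ntop_t:s0 tclass=bluetooth_socket permissive=1
type=AVC msg=audit(06/11/2018 16:17:20.923:265) : avc:  denied  { dac_override } for  pid=7953 comm=ntop capability=dac_override  scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:system_r:ntop_t:s0 tclass=capability permissive=0
"""

# Fields that decide the policy rule; everything between them (pid, path, ...) is skipped.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
                    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+"
                    r"tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])")

def parse_avc(line):
    """Security-relevant fields of one AVC record, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype, ttype = (m.group(g).split(":")[2] for g in ("sctx", "tctx"))  # user:role:TYPE:range
    return {"perms": set(m.group("perms").split()), "stype": stype, "ttype": ttype,
            "tclass": m.group("tclass"), "permissive": m.group("permissive") == "1"}

def summarize(text):
    """Union of denied permissions per (source type, target type, object class)."""
    wanted = defaultdict(set)
    for rec in filter(None, map(parse_avc, text.splitlines())):
        target = "self" if rec["ttype"] == rec["stype"] else rec["ttype"]  # policy shorthand
        wanted[(rec["stype"], target, rec["tclass"])] |= rec["perms"]
    return wanted

def allow_rules(text):
    """Candidate allow rules for review, one per (source, target, class), sorted."""
    rules = []
    for (stype, target, tclass), perms in sorted(summarize(text).items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
        rules.append("allow %s %s:%s %s;" % (stype, target, tclass, perm_str))
    return rules

def enforcing_blockers(text):
    """Records with permissive=0: the denials that actually stopped the service."""
    return [r for r in map(parse_avc, text.splitlines()) if r and not r["permissive"]]
```

The capability rule is the one to examine before allowing it: the PATH records in comment 2 show ntop running as root creating files under /var/lib/ntop/, a directory owned by ntop:ntop with mode 755, and that ownership mismatch is what makes root need dac_override.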

Comment 4 Milos Malik 2018-06-11 15:11:59 UTC
commit 13128e130e41223d7e2fde6034a3f5cd564ace5f (HEAD -> fb-ntop-service, origin/fb-ntop-service, fb-ntop_service)
Author: Milos Malik <mmalik>
Date:   Mon Jun 11 16:42:17 2018 +0200

    Allow ntop_t domain to create/map various sockets/files.
    
    Policy capability called Extended socket class brought
    new set of classes that ntop_t needs to access.
    Allow ntop_t domain to map files under /var/lib/ntop.
    Add dac_override capability to ntop_t domain.
    resolves BZ#1539008

Comment 5 Fedora Update System 2018-07-27 09:22:35 UTC
selinux-policy-3.13.1-284.37.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86

Comment 6 Fedora Update System 2018-07-27 15:39:01 UTC
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86

Comment 7 Fedora Update System 2018-08-08 15:33:52 UTC
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

