1608030 – SELinux is preventing ebtables from 'create' accesses on the rawip_socket Unknown.

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1608030 - SELinux is preventing ebtables from 'create' accesses on the rawip_socket Unknown.

Summary: SELinux is preventing ebtables from 'create' accesses on the rawip_socket Unk...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	29
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:c39eef8b25e9ca9cd77de079083...
Duplicates (1):	1618507 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-07-24 19:13 UTC by Mikhail
Modified:	2018-09-12 02:58 UTC (History)
CC List:	10 users (show)
Fixed In Version:	selinux-policy-3.14.2-34.fc29
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-09-12 02:58:09 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Mikhail 2018-07-24 19:13:16 UTC

Description of problem:
SELinux is preventing ebtables from 'create' accesses on the rawip_socket Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ebtables should be allowed create access on the Unknown rawip_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ebtables' --raw | audit2allow -M my-ebtables
# semodule -X 300 -i my-ebtables.pp

Additional Information:
Source Context                system_u:system_r:firewalld_t:s0
Target Context                system_u:system_r:firewalld_t:s0
Target Objects                Unknown [ rawip_socket ]
Source                        ebtables
Source Path                   ebtables
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-28.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.18.0-0.rc5.git4.1.fc29.x86_64 #1
                              SMP Fri Jul 20 17:00:15 UTC 2018 x86_64 x86_64
Alert Count                   4
First Seen                    2018-07-24 18:59:39 +05
Last Seen                     2018-07-24 18:59:39 +05
Local ID                      b9bd7a7c-30d6-429b-a385-aeb47b293640

Raw Audit Messages
type=AVC msg=audit(1532440779.933:153): avc:  denied  { create } for  pid=1087 comm="ebtables" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=1


Hash: ebtables,firewalld_t,firewalld_t,rawip_socket,create

Version-Release number of selected component:
selinux-policy-3.14.2-28.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.0-0.rc5.git4.1.fc29.x86_64
type:           libreport

Comment 1 Lukas Slebodnik 2018-07-27 11:31:58 UTC

Description of problem:
systemctl restart firewalld

Version-Release number of selected component:
selinux-policy-3.14.2-29.fc29.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.17.7-200.fc28.x86_64
type:           libreport

Comment 2 Lukas Slebodnik 2018-07-27 11:34:34 UTC

type=PROCTITLE msg=audit(07/27/2018 13:29:07.872:185410) : proctitle=/usr/sbin/ebtables -t filter -L 
type=SYSCALL msg=audit(07/27/2018 13:29:07.872:185410) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=inet a1=SOCK_RAW a2=igmp a3=0x55c4bb817010 items=0 ppid=27580 pid=27737 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ebtables exe=/usr/sbin/ebtables-legacy subj=system_u:system_r:firewalld_t:s0 key=(null) 
type=AVC msg=audit(07/27/2018 13:29:07.872:185410) : avc:  denied  { create } for  pid=27737 comm=ebtables scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=0 

sh# sesearch -A -s firewalld_t -t firewalld_t -c rawip_socket
sh#

Comment 3 Lukas Slebodnik 2018-07-27 11:36:30 UTC

And AVCs in permissive mode
type=PROCTITLE msg=audit(07/27/2018 13:34:58.298:185513) : proctitle=/usr/sbin/ebtables --concurrent -L 
type=SYSCALL msg=audit(07/27/2018 13:34:58.298:185513) : arch=x86_64 syscall=socket success=yes exit=3 a0=inet a1=SOCK_RAW a2=igmp a3=0x8 items=0 ppid=28039 pid=28052 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ebtables exe=/usr/sbin/ebtables-legacy subj=system_u:system_r:firewalld_t:s0 key=(null) 
type=AVC msg=audit(07/27/2018 13:34:58.298:185513) : avc:  denied  { net_raw } for  pid=28052 comm=ebtables capability=net_raw  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=1 
type=AVC msg=audit(07/27/2018 13:34:58.298:185513) : avc:  denied  { create } for  pid=28052 comm=ebtables scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=1 
----
type=PROCTITLE msg=audit(07/27/2018 13:34:58.298:185514) : proctitle=/usr/sbin/ebtables --concurrent -L 
type=SYSCALL msg=audit(07/27/2018 13:34:58.298:185514) : arch=x86_64 syscall=getsockopt success=no exit=ENOPROTOOPT(Protocol not available) a0=0x3 a1=ip a2=unknown-ipopt-name(0x80) a3=0x7fff84f6df70 items=0 ppid=28039 pid=28052 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ebtables exe=/usr/sbin/ebtables-legacy subj=system_u:system_r:firewalld_t:s0 key=(null) 
type=AVC msg=audit(07/27/2018 13:34:58.298:185514) : avc:  denied  { getopt } for  pid=28052 comm=ebtables lport=2 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=rawip_socket permissive=1

Comment 4 Jan Kurik 2018-08-14 08:41:42 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.

Comment 5 Lukas Vrabec 2018-08-28 09:58:30 UTC

*** Bug 1618507 has been marked as a duplicate of this bug. ***

Comment 6 Paul Whalen 2018-09-04 19:07:59 UTC

Description of problem:
Right after logging in on XFCE desktop. 

Version-Release number of selected component:
selinux-policy-3.14.2-32.fc29.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.18.5-300.fc29.armv7hl
type:           libreport

Comment 7 Adam Williamson 2018-09-04 19:15:50 UTC

Note that https://bodhi.fedoraproject.org/updates/FEDORA-2018-379c39d97c and https://koji.fedoraproject.org/koji/buildinfo?buildID=1140843 will 'solve' this for now, by switching back to iptables. Presumably at some point in future at least Rawhide will switch back to ebtables, though, so this will show up again...

Comment 8 Fedora Update System 2018-09-11 12:51:47 UTC

selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726

Comment 9 Fedora Update System 2018-09-12 02:58:09 UTC

selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.