Bug 571573 - SELinux is preventing /sbin/ip6tables-multi access to a leaked /proc/mtrr file descriptor.
Summary: SELinux is preventing /sbin/ip6tables-multi access to a leaked /proc/mtrr fil...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: netcf
Version: 13
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Laine Stump
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 584158 584160
Depends On:
Blocks: F13VirtBlocker 584881
 
Reported: 2010-03-08 21:18 UTC by Richard W.M. Jones
Modified: 2010-05-17 18:49 UTC (History)
CC: 11 users

Fixed In Version: netcf-0.1.6-1.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 584881
Environment:
Last Closed: 2010-05-04 06:07:45 UTC
Type: ---
Embargoed:



Description Richard W.M. Jones 2010-03-08 21:18:19 UTC
This is from a fresh Fedora 13 install.  It happens as soon as you start
up libvirtd, and I suggest that it should be an F13 blocker because it's
such an obvious bug.

Description of problem:

SELinux is preventing /sbin/ip6tables-multi access to a leaked /proc/mtrr file
descriptor.

Detailed Description:

[iptables has a permissive type (iptables_t). This access was not denied.]

SELinux denied access requested by the ip6tables command. It looks like this is
either a leaked descriptor or ip6tables output was redirected to a file it is
not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the /proc/mtrr. You should generate a bugzilla on selinux-policy, and
it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:iptables_t:s0-s0:c0.c1023
Target Context                system_u:object_r:mtrr_device_t:s0
Target Objects                /proc/mtrr [ file ]
Source                        iptables
Source Path                   /sbin/iptables-multi
Port                          <Unknown>
Host                          thinkpad.home.annexia.org
Source RPM Packages           iptables-ipv6-1.4.6-2.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.11-1.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     thinkpad.home.annexia.org
Platform                      Linux thinkpad.home.annexia.org
                              2.6.33-1.fc13.i686.PAE #1 SMP Wed Feb 24 19:54:49
                              UTC 2010 i686 i686
Alert Count                   299
First Seen                    Mon 08 Mar 2010 07:52:35 PM GMT
Last Seen                     Mon 08 Mar 2010 07:52:35 PM GMT
Local ID                      d189845d-4780-440f-9689-2ff43738bdb8
Line Numbers                  

Raw Audit Messages            

node=thinkpad.home.annexia.org type=AVC msg=audit(1268077955.535:92): avc: 
denied  { write } for  pid=4463 comm="ip6tables" path="/proc/mtrr" dev=proc
ino=4026531909 scontext=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023
tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file

node=thinkpad.home.annexia.org type=SYSCALL msg=audit(1268077955.535:92):
arch=40000003 syscall=11 success=yes exit=0 a0=8434810 a1=8412c40 a2=840f7b0
a3=8412c40 items=0 ppid=4453 pid=4463 auid=500 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="ip6tables"
exe="/sbin/ip6tables-multi"
subj=unconfined_u:system_r:iptables_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):

libvirt-0.7.6-1.fc13.i686
selinux-policy-3.7.11-1.fc13.noarch

Comment 1 Laine Stump 2010-03-15 15:10:33 UTC
(same comment I just posted in Bug 537427)

netcf does run (via system(3)) "/etc/init.d/iptables condrestart", which looks
like it could call ip6tables-multi (it calls "ip6tables" which, on F12 anyway,
is a symlink to ip6tables-multi).

netcf's system() call should be replaced with something like virRun from
libvirt so that all the fds will be closed, but of course ip6tables-multi
should also not be writing to a fd it didn't open itself.

I'll try to replace system() in netcf this week.
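
Added example (not netcf or libvirt code) of the leak described above and of the two fixes the comment points at: a descriptor opened without close-on-exec survives into a shell child started the way system(3) starts "/etc/init.d/iptables condrestart", while O_CLOEXEC at open time, or a virRun-style close loop in the child before exec, prevents it. /dev/null stands in for /proc/mtrr, and the child's check relies on /proc/self/fd, so it is Linux-specific.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run cmd through /bin/sh the way system(3) does. With close_fds set, the
 * child first closes every descriptor above stderr (what virRun-style
 * helpers do) so nothing the parent forgot to mark O_CLOEXEC leaks. */
static int run_sh(const char *cmd, int close_fds)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (close_fds) {
            long max = sysconf(_SC_OPEN_MAX);
            if (max < 0)
                max = 1024;
            for (long fd = 3; fd < max; fd++)
                close((int)fd);
        }
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Return 1 if the shell child can still see descriptor fd, 0 if it cannot.
 * test(1) is a shell builtin, so /proc/self is the inheriting child. */
static int child_sees_fd(int fd, int close_fds)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "test -e /proc/self/fd/%d 2>/dev/null", fd);
    return run_sh(cmd, close_fds) == 0;
}

/* Open path read-only; with_cloexec selects the hardened flag. */
static int open_ro(const char *path, int with_cloexec)
{
    return open(path, O_RDONLY | (with_cloexec ? O_CLOEXEC : 0));
}

int main(void)
{
    int leaky = open_ro("/dev/null", 0); /* constructed stand-in for /proc/mtrr */
    int safe = open_ro("/dev/null", 1);
    printf("plain open, system()-style child sees fd: %d\n", child_sees_fd(leaky, 0));
    printf("O_CLOEXEC open, child sees fd: %d\n", child_sees_fd(safe, 0));
    printf("plain open, child closes fds before exec: %d\n", child_sees_fd(leaky, 1));
    return 0;
}
```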

Comment 3 Adam Williamson 2010-04-23 18:29:28 UTC
Discussed at last week's and today's blocker meetings. We agreed this is a blocker. Can we hope the patches will be approved and applied soon? Thanks!



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 4 Fedora Update System 2010-04-24 02:39:48 UTC
netcf-0.1.6-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/netcf-0.1.6-1.fc12

Comment 5 Fedora Update System 2010-04-24 04:14:48 UTC
netcf-0.1.6-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/netcf-0.1.6-1.fc13

Comment 6 Fedora Update System 2010-04-24 04:16:31 UTC
netcf-0.1.6-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/netcf-0.1.6-1.fc11

Comment 7 Fedora Update System 2010-04-25 14:00:34 UTC
netcf-0.1.6-1.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update netcf'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/netcf-0.1.6-1.fc13

Comment 8 Fedora Update System 2010-04-27 02:15:02 UTC
netcf-0.1.6-1.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update netcf'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/netcf-0.1.6-1.fc12

Comment 9 Adam Williamson 2010-05-03 14:02:37 UTC
This update now has +3 karma; can it please be pushed to f13 stable so we can close off this release blocker report? Thanks.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 10 Fedora Update System 2010-05-04 06:07:32 UTC
netcf-0.1.6-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2010-05-13 19:24:02 UTC
netcf-0.1.6-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2010-05-13 19:33:43 UTC
netcf-0.1.6-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Cole Robinson 2010-05-17 18:49:00 UTC
*** Bug 584158 has been marked as a duplicate of this bug. ***

Comment 14 Cole Robinson 2010-05-17 18:49:12 UTC
*** Bug 584160 has been marked as a duplicate of this bug. ***

