ifconfig SELinux alert in Fedora 11
Christopher J. PeBenito
cpebenito at tresys.com
Thu Jun 25 17:24:14 UTC 2009
On Tue, 2009-06-23 at 16:11 +0100, Paul Howarth wrote:
> On Mon, 22 Jun 2009 10:37:10 +0100
> Paul Howarth <paul at city-fan.org> wrote:
>
> > On 22/06/09 07:58, Paul Howarth wrote:
> > > On Sun, 21 Jun 2009 01:49:01 +0530
> > > Rahul Sundaram<sundaram at fedoraproject.org> wrote:
> > >
> > >> On 06/20/2009 04:41 PM, Daniel J Walsh wrote:
> > >>> On 06/19/2009 05:54 AM, Rahul Sundaram wrote:
> > >>> Is it continuing to happen or was this a one time occurrence. The
> > >>> only code that I imagine opens and reads /selinux/mls is
> > >>> libselinux and this opens it, reads the value and closes the file
> > >>> in the same function call, so it can not leak.
> > >> It happens everytime I connect to a CDMA network via NetworkManager
> > >> and run vpnc.
> > >>
> > >> Rahul
> > >
> > > I've just had a very similar denial, when starting openvpn via
> > > NetworkManager:
> > >
> > > type=AVC msg=audit(1245653684.772:27): avc: denied { read } for
> > > pid=5486 comm="openvpn" name="mls" dev=selinuxfs ino=12
> > > scontext=system_u:system_r:openvpn_t:s0
> > > tcontext=system_u:object_r:security_t:s0 tclass=file type=SYSCALL
> > > msg=audit(1245653684.772:27): arch=c000003e syscall=2 success=no
> > > exit=-13 a0=7fff5652e270 a1=0 a2=7fff5652e27c a3=fffffff8 items=0
> > > ppid=5475 pid=5486 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn"
> > > exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0
> > > key=(null)
> > >
> > > Didn't stop openvpn working.
> >
> > Just got this one too, after running "rndc querylog" to turn on
> > named's query logging from a root shell.
> >
> > type=AVC msg=audit(1245663191.793:115): avc: denied { read } for
> > pid=21774 comm="rndc" name="mls" dev=selinuxfs ino=12
> > scontext=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:security_t:s0 tclass=file
> > type=SYSCALL msg=audit(1245663191.793:115): arch=c000003e syscall=2
> > success=no exit=-13 a0=7fffa1a717d0 a1=0 a2=7fffa1a717dc a3=fffffff8
> > items=0 ppid=14800 pid=21774 auid=500 uid=0 gid=0 euid=0 suid=0
> > fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=5 comm="rndc"
> > exe="/usr/sbin/rndc"
> > subj=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 key=(null)
>
> /usr/sbin/rndc is linked against libselinux, which ties in with
> Stephen's explanation of the openvpn/vpnc issue too.
>
> I'm adding these to local policy for now:
>
> selinux_dontaudit_read_fs(ifconfig_t)
> selinux_dontaudit_read_fs(ndc_t)
> selinux_dontaudit_read_fs(openvpn_t)
In the long term, the more appropriate interface would be
seutil_dontaudit_libselinux_linked(), which is for programs that link
against libselinux for basic reasons, such as doing a setfilecon() or
setfscreatecon(), but don't use the features that depend on the
libselinux constructor.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
More information about the selinux
mailing list