Problem with aiccu and radvd in /etc/NetworkManager/dispatcher.d/*

Laurent Rineau laurent.rineau__fedora at normalesup.org
Wed Jun 9 10:06:35 UTC 2010


Hi,

(My second post in this list in two years of lurking.)

My machines run F-13.

My selinux packages are:
  selinux-policy-3.7.19-23.fc13.noarch
  selinux-policy-targeted-3.7.19-23.fc13.noarch


I want to trigger the services aiccu and radvd from NetworkManager, to get a Sixxs IPv6 tunnel and announce a Sixxs IPv6 subnet on the LAN. For that, I have created this file:

$ cat /etc/NetworkManager/dispatcher.d/20-aiccu
#!/bin/sh

if [ "$2" = "up" ] ; then
        /sbin/service aiccu start && /sbin/service radvd start || :
fi

if [ "$2" = "down" ] ; then
        /sbin/service radvd stop || :
        /sbin/service aiccu stop || :
fi


It works in permissive mode, but I had to create the following local.te module using audit2allow in order to get it to work in enforcing mode:

==================================================================
module local 1.1;

require {
        type insmod_exec_t;
        type modules_conf_t;
        type urandom_device_t;
        type syslogd_t;
        type ifconfig_exec_t;
        type sysfs_t;
        type port_t;
        type modules_dep_t;
        type shell_exec_t;
        type bin_t;
        type devlog_t;
        type proc_t;
        type random_device_t;
        type console_device_t;
        type modules_object_t;
        type aiccu_t;
        class tun_socket create;
        class chr_file { read open };
        class capability { net_admin sys_module sys_tty_config };
        class tcp_socket { write name_connect connect shutdown read create };
        class file { execute read execute_no_trans getattr open };
        class sock_file write;
        class netlink_route_socket { setopt nlmsg_write read bind create nlmsg_read write getattr };
        class lnk_file read;
        class unix_dgram_socket { write create connect sendto };
        class udp_socket { write read create connect };
        class dir read;
}

#============= aiccu_t ==============
allow aiccu_t bin_t:lnk_file read;
allow aiccu_t devlog_t:sock_file write;
allow aiccu_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
allow aiccu_t insmod_exec_t:file { read getattr open execute execute_no_trans };
allow aiccu_t modules_conf_t:dir read;
allow aiccu_t modules_conf_t:file { read getattr open };
allow aiccu_t modules_dep_t:file { read getattr open };
allow aiccu_t modules_object_t:file { read open };
allow aiccu_t port_t:tcp_socket name_connect;
allow aiccu_t proc_t:file { read getattr open };
allow aiccu_t random_device_t:chr_file read;
allow aiccu_t self:capability net_admin;
allow aiccu_t self:netlink_route_socket { setopt nlmsg_write read bind create nlmsg_read write getattr };
allow aiccu_t self:tcp_socket { read write create connect shutdown };
allow aiccu_t self:tun_socket create;
allow aiccu_t self:udp_socket { write read create connect };
allow aiccu_t self:unix_dgram_socket { write create connect };
allow aiccu_t shell_exec_t:file { read execute open getattr execute_no_trans };
allow aiccu_t sysfs_t:file { read getattr open };
allow aiccu_t syslogd_t:unix_dgram_socket sendto;
#!!!! This avc can be allowed using the boolean 'global_ssp'

allow aiccu_t urandom_device_t:chr_file { read open };

allow aiccu_t console_device_t:chr_file open;
allow aiccu_t modules_object_t:file getattr;
allow aiccu_t self:capability { sys_module sys_tty_config };

==================================================================

The AVC audit log is attached (compressed with bzip2). To get it, I used this sort of command:
cnetworkmanager -o off; DATE=`date '+%H:%M'`; cnetworkmanager -o on; sleep 10; sudo sh -c "/sbin/ausearch -ts $DATE -m avc | tee /root/audit.log"

This shell one-liner disables the network, stores the current time in $DATE, then enables the network, and uses ausearch (after a sleep of 10 seconds) to get AVCs starting from the time $DATE.

I do not understand the AVC. Both aiccu and radvd have their own modules. I am not really used to selinux context transitions. I wonder if it is possible that the AVCs are because radvd is running in the selinux context aiccu_t.

-- 
Laurent Rineau
http://fedoraproject.org/wiki/LaurentRineau
-------------- next part --------------
A non-text attachment was scrubbed...
Name: aiccu-avc.log.bz2
Type: application/x-bzip
Size: 4801 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100609/07dca637/attachment.bin 
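To check the hypothesis raised in the post (radvd running in the aiccu_t domain), here is an added example that is not part of the post, of audit2allow or of the Fedora policy: it parses ausearch AVC records, lists which programs (comm) were denied while running as a given source type, and collapses the denials into audit2allow-style allow rules so the generated module can be compared against what each process actually did. The sample records are constructed for illustration, not taken from the attached log.

```python
import re
from collections import defaultdict

# Constructed sample AVC records in auditd/ausearch format (not from the
# attached aiccu-avc.log.bz2); pids, timestamps and the radvd line are made up.
SAMPLE_AVC = """\
type=AVC msg=audit(1276077000.101:201): avc:  denied  { name_connect } for  pid=4101 comm="aiccu" scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1276077000.102:202): avc:  denied  { read open } for  pid=4101 comm="aiccu" path="/dev/urandom" scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1276077000.103:203): avc:  denied  { execute_no_trans } for  pid=4105 comm="sh" path="/sbin/ifconfig" scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1276077000.104:204): avc:  denied  { sys_tty_config } for  pid=4110 comm="radvd" scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:system_r:aiccu_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(text):
    """Return one dict per denial, with source/target SELinux types split out."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = set(rec["perms"].split())
        # A context is user:role:type[:level]; the type is the third field.
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        records.append(rec)
    return records

def programs_in_domain(records, domain):
    """Which programs (comm) were denied while running in `domain`?"""
    return sorted({r["comm"] for r in records if r["stype"] == domain})

def allow_rules(records):
    """Collapse denials into allow rules, one per (source, target, class), like audit2allow."""
    perms = defaultdict(set)
    for r in records:
        target = "self" if r["ttype"] == r["stype"] else r["ttype"]
        perms[(r["stype"], target, r["tclass"])] |= r["perms"]
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in perms.items())

if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AVC)
    print("programs denied while running as aiccu_t:", programs_in_domain(recs, "aiccu_t"))
    print("\n".join(allow_rules(recs)))
```

On a real log, feed it `ausearch -m avc -ts <time>` output; a comm other than aiccu showing up under aiccu_t is the sign that the dispatcher started the second service without a domain transition.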