AVC for modprobe loading ebtables

Miroslav Grepl mgrepl at redhat.com
Wed Jul 24 06:27:51 UTC 2013


On 07/12/2013 06:26 PM, Andy Ruch wrote:
> Hello,
>
> I'm implementing a custom policy based on ref policy for RHEL 6.3. I'm 
> receiving the AVC below when the system boots. Should I allow this? I 
> was able to find this related posting 
> (https://bugzilla.redhat.com/show_bug.cgi?id=431562) but it was for an 
> old version of iptables. Maybe ebtables has the same type of bug?
>
> type=PATH msg=audit(07/12/2013 13:15:40.172:185) : item=1 name=(null) 
> inode=4912 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 
> obj=system_u:object_r:ld_so_t:s0
> type=PATH msg=audit(07/12/2013 13:15:40.172:185) : item=0 
> name=/sbin/modprobe inode=12835 dev=08:02 mode=file,755 ouid=root 
> ogid=root rdev=00:00 obj=system_u:object_r:insmod_exec_t:s0
> type=CWD msg=audit(07/12/2013 13:15:40.172:185) :  cwd=/
> type=EXECVE msg=audit(07/12/2013 13:15:40.172:185) : argc=2 
> a0=/sbin/modprobe a1=ebtables
> type=SYSCALL msg=audit(07/12/2013 13:15:40.172:185) : arch=x86_64 
> syscall=execve success=yes exit=0 a0=1078740 a1=7fffb5126460 
> a2=7fffb51266b0 a3=7fffb51261e0 items=2 ppid=2109 pid=2110 auid=unset 
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root 
> fsgid=root tty=(none) ses=unset comm=modprobe exe=/sbin/modprobe 
> subj=system_u:system_r:insmod_t:s0-s0:c0.c1023 key=modules
> type=AVC msg=audit(07/12/2013 13:15:40.172:185) : avc: denied  { read 
> write } for  pid=2110 comm=modprobe path=socket:[16196] dev=sockfs 
> ino=16196 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 
> tcontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tclass=rawip_socket
>
> Thanks,
> Andy Ruch
>
Yes, this is a leak. Basically you can add dontaudit rules.

require {
    type iptables_t;
    type insmod_t;
}

dontaudit insmod_t iptables_t:rawip_socket { read write };


to your policy. We have dontaudit rules in Fedora.

Regards,
Miroslav
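As an added example (not part of the list post or of Fedora's policy), the dontaudit rule above packaged as a loadable policy module and built with the standard checkmodule/semodule_package/semodule tool chain; the module name insmod_ebtables_leak and the build-directory layout are assumptions chosen here.

```shell
#!/bin/sh
# Added example: turn the dontaudit rule from the reply into a loadable
# SELinux policy module. Module name "insmod_ebtables_leak" is a placeholder.
set -e

MOD=insmod_ebtables_leak

# write_te NAME: emit NAME.te in the current directory and print its path.
# A loadable module must also require the object class it references.
# The dontaudit only silences the audit record for the socket fd that
# modprobe (insmod_t) inherits from iptables_t; it grants no access.
write_te() {
    cat > "$1.te" <<EOF
module $1 1.0;

require {
    type iptables_t;
    type insmod_t;
    class rawip_socket { read write };
}

# Leaked rawip_socket from iptables_t: hide the denial, do not allow it.
dontaudit insmod_t iptables_t:rawip_socket { read write };
EOF
    echo "$1.te"
}

# build_and_load NAME: compile NAME.te and insert the module (needs the
# checkpolicy and policycoreutils tools and root). Returns 2 if the tools
# are missing so the caller can tell "not built" from a build failure.
build_and_load() {
    command -v checkmodule >/dev/null 2>&1 || return 2
    checkmodule -M -m -o "$1.mod" "$1.te"
    semodule_package -o "$1.pp" -m "$1.mod"
    semodule -i "$1.pp"
}

# Usage on the target box (as root):
#   write_te "$MOD" && build_and_load "$MOD"
# To confirm the rule merely hides the denial, "semodule -DB" rebuilds the
# policy with dontaudit rules disabled and the AVC reappears; "semodule -B"
# restores it.
```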