ifconfig SELinux alert in Fedora 11

Paul Howarth paul at city-fan.org
Thu Jun 25 21:12:51 UTC 2009 

On Thu, 25 Jun 2009 13:24:14 -0400
"Christopher J. PeBenito" <cpebenito at tresys.com> wrote:

> On Tue, 2009-06-23 at 16:11 +0100, Paul Howarth wrote:
> > On Mon, 22 Jun 2009 10:37:10 +0100
> > Paul Howarth <paul at city-fan.org> wrote:
> > 
> > > On 22/06/09 07:58, Paul Howarth wrote:
> > > > On Sun, 21 Jun 2009 01:49:01 +0530
> > > > Rahul Sundaram<sundaram at fedoraproject.org>  wrote:
> > > >
> > > >> On 06/20/2009 04:41 PM, Daniel J Walsh wrote:
> > > >>> On 06/19/2009 05:54 AM, Rahul Sundaram wrote:
> > > >>> Is it continuing to happen or was this a one time
> > > >>> occurrence.  The only code that I imagine opens and
> > > >>> reads /selinux/mls is libselinux and this opens it, reads the
> > > >>> value and closes the file in the same function call, so it
> > > >>> can not leak.
> > > >> It happens everytime I connect to a CDMA network via
> > > >> NetworkManager and run vpnc.
> > > >>
> > > >> Rahul
> > > >
> > > > I've just had a very similar denial, when starting openvpn via
> > > > NetworkManager:
> > > >
> > > > type=AVC msg=audit(1245653684.772:27): avc:  denied  { read }
> > > > for pidT86 comm="openvpn" name="mls" dev=selinuxfs ino
> > > > scontext=system_u:system_r:openvpn_t:s0
> > > > tcontext=system_u:object_r:security_t:s0 tclass=file
> > > > type=SYSCALL msg=audit(1245653684.772:27): archÀ00003e
> > > > syscall=2 success=no exit=-13 a0ff5652e270 a1=0 a2ff5652e27c
> > > > a3ÿfffff8 items=0 ppidT75 pidT86 auidB94967295 uid=0 gid=0
> > > > euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> > > > sesB94967295 comm="openvpn" exe="/usr/sbin/openvpn"
> > > > subj=system_u:system_r:openvpn_t:s0 key=(null)
> > > >
> > > > Didn't stop openvpn working.
> > > 
> > > Just got this one too, after running "rndc querylog" to turn on
> > > named's query logging from a root shell.
> > > 
> > > type=AVC msg=audit(1245663191.793:115): avc:  denied  { read }
> > > for pid!774 comm="rndc" name="mls" dev=selinuxfs ino 
> > > scontext=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 
> > > tcontext=system_u:object_r:security_t:s0 tclass=file
> > > type=SYSCALL msg=audit(1245663191.793:115): archÀ00003e syscall=2 
> > > success=no exit=-13 a0ffa1a717d0 a1=0 a2ffa1a717dc a3ÿfffff8 
> > > items=0 ppid800 pid!774 auidP0 uid=0 gid=0 euid=0 suid=0
> > > fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=5 comm="rndc"
> > > exe="/usr/sbin/rndc"
> > > subj=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 key=(null)
> > 
> > /usr/sbin/rndc is linked against libselinux, which ties in with
> > Stephen's explanation of the openvpn/vpnc issue too.
> > 
> > I'm adding these to local policy for now:
> > 
> > selinux_dontaudit_read_fs(ifconfig_t)
> > selinux_dontaudit_read_fs(ndc_t)
> > selinux_dontaudit_read_fs(openvpn_t)
> 
> In the long term, the more appropriate interface would be
> seutil_dontaudit_libselinux_linked(), which is for programs that link
> against libselinux for basic reasons, such as doing a setfilecon() or
> setfscreatecon(), but don't use the features that depend on the
> libselinux constructor.

That makes sense for ifconfig_t and ndc_t that are actually linked
against libselinux, but openvpn_t uses sysnet_exec_ifconfig so perhaps
that interface now needs to add seutil_dontaudit_libselinux_linked()
for its calling domain?

Paul.

More information about the fedora-selinux-list mailing list