
Fedora 7: SELinux and ping problem



greno
3rd August 2007, 12:37 AM
Recently I've been noticing things like this in my system log:

Aug 2 19:26:50 grp-01-00-51 setroubleshoot: SELinux is preventing /bin/ping (ping_t) "node_bind" to <Unknown> (node_t). For complete SELinux messages. run sealert -l d61ac476-5b30-4bdd-a157-ae782318d717

This just started recently. Maybe due to new updates?

Some of my startup scripts call 'ping' to check on various services. Now these are not running.
Anyone know how to fix this?

robatino
3rd August 2007, 01:34 AM
Run the specified command "sealert -l d61ac476-5b30-4bdd-a157-ae782318d717" in a terminal (you don't have to be root) and post the output.

greno
3rd August 2007, 01:48 AM
# sealert -l d61ac476-5b30-4bdd-a157-ae782318d717
Summary
SELinux is preventing /bin/ping (ping_t) "node_bind" to <Unknown> (node_t).

Detailed Description
SELinux denied access requested by /bin/ping. It is not expected that this
access is required by /bin/ping and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of
the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.

Additional Information

Source Context system_u:system_r:ping_t
Target Context system_u:object_r:node_t
Target Objects None [ rawip_socket ]
Affected RPM Packages iputils-20070202-3.fc7 [application]
Policy RPM selinux-policy-2.6.4-23.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall
Host Name grp-01-00-51
Platform Linux grp-01-00-51 2.6.21-1.3228.fc7 #1 SMP Tue
Jun 12 15:37:31 EDT 2007 i686 athlon
Alert Count 1
First Seen Thu Aug 2 19:26:48 2007
Last Seen Thu Aug 2 19:26:48 2007
Local ID d61ac476-5b30-4bdd-a157-ae782318d717
Line Numbers

Raw Audit Messages

avc: denied { node_bind } for comm="ping" egid=0 euid=0 exe="/bin/ping" exit=-13
fsgid=0 fsuid=0 gid=0 items=0 pid=2296 saddr=192.168.1.240
scontext=system_u:system_r:ping_t:s0 sgid=0 subj=system_u:system_r:ping_t:s0
suid=0 tclass=rawip_socket tcontext=system_u:object_r:node_t:s0 tty=(none) uid=0

I looked at this but it really didn't help much.
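The raw AVC line in the sealert output above carries everything needed to decide between the two options the tool offers (a narrow local policy module versus disabling SELinux). The following is an added example, not code from this thread or from the setroubleshoot/audit2allow tools: it parses AVC denial lines into their fields, merges denials by (source type, target type, class), and emits the same kind of `allow` rules and `.te` module skeleton that `audit2allow -M` would, so the exact privilege being granted is visible for review before anything is loaded. The sample audit text is constructed (the first line is the thread's own denial joined back onto one line; the other two are made up to show merging).

```python
import re
from collections import defaultdict

# Constructed sample. Line 1 is the denial from this thread re-joined onto one
# line; lines 2 and 3 are invented to show how several denials merge.
SAMPLE_AUDIT = """\
avc: denied { node_bind } for comm="ping" egid=0 euid=0 exe="/bin/ping" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2296 saddr=192.168.1.240 scontext=system_u:system_r:ping_t:s0 sgid=0 subj=system_u:system_r:ping_t:s0 suid=0 tclass=rawip_socket tcontext=system_u:object_r:node_t:s0 tty=(none) uid=0
type=AVC msg=audit(1186097208.123:45): avc:  denied  { create } for  pid=2296 comm="ping" scontext=system_u:system_r:ping_t:s0 tcontext=system_u:system_r:ping_t:s0 tclass=rawip_socket
type=AVC msg=audit(1186097208.124:46): avc:  denied  { node_bind } for  pid=2297 comm="ping" saddr=192.168.1.240 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket
"""

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Return a dict of the denial's fields plus a 'perms' set, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {"perms": perms, **fields}


def denials(audit_text):
    """Parse every AVC denial found in a block of audit/syslog text."""
    return [d for d in (parse_avc(l) for l in audit_text.splitlines()) if d]


def context_type(ctx):
    """user:role:type:level -> type (the third field; MLS ranges may add more colons)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def merge_denials(denials_list):
    """Group permissions by (source type, target type, object class)."""
    merged = defaultdict(set)
    for d in denials_list:
        key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
        merged[key] |= d["perms"]
    return dict(merged)


def fmt_perms(perms):
    """One permission bare, several inside braces, as in policy source."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(denials_list):
    """The minimal allow rules that would silence exactly these denials."""
    merged = merge_denials(denials_list)
    return [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(merged.items())]


def policy_module(name, denials_list):
    """Render a .te source file (module header, require block, allow rules)."""
    merged = merge_denials(denials_list)
    types = sorted({t for key in merged for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, c), perms in merged.items():
        classes[c] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    lines += ["}", ""]
    lines += allow_rules(denials_list)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = denials(SAMPLE_AUDIT)
    for d in found:
        print(f"{d['comm']} ({context_type(d['scontext'])}) wants "
              f"{fmt_perms(d['perms'])} on {d['tclass']} labelled {context_type(d['tcontext'])}")
    print()
    print(policy_module("local_ping", found))
```

The `.te` text this prints is what you would review and then compile with `checkmodule -M -m -o local_ping.mod local_ping.te`, package with `semodule_package -o local_ping.pp -m local_ping.mod`, and load with `semodule -i local_ping.pp`. For the thread's case the only rule produced is `allow ping_t node_t:rawip_socket node_bind;`, which is far narrower than turning enforcement off; it is still a local stopgap, and the bug report against selinux-policy suggested later in the thread is the proper fix.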

robatino
3rd August 2007, 01:59 AM
File a bug at bugzilla.redhat.com under the selinux-policy package - it's probably not iputils since that hasn't been updated since F7 came out - and include this info. If it's the wrong package, they'll correct it. My experience is that these SELinux-related bugs get fixed pretty quickly once they're reported - I've reported a few myself - though you might have to wait a few weeks for an updated selinux-policy that fixes it (if that is indeed the problem).

greno
3rd August 2007, 02:13 AM
Bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250701