SCIENTIFIC-LINUX-USERS Archives

February 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: dave peck <[log in to unmask]>
Reply To:
Date: Sat, 22 Feb 2014 10:28:40 -0700
Content-Type: text/plain
Parts/Attachments: text/plain (120 lines)
Hi All,

Is anyone else having problems starting arpwatch with SL6.5--while it
worked fine with SL6.4? (arpwatch-2.1a15-14.el6.x86_64)

All packages are up to date and SELINUX is set to enforcing: the
arpwatch rc init script is failing with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# service arpwatch start
Starting arpwatch: arpwatch: lookup_device: Can't open netlink socket
13:Permission denied
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

and the following is being logged in /var/log/audit/audit.log:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
type=SYSCALL msg=audit(1392643622.271:62714): arch=c000003e syscall=54
success=yes exit=0 a0=0 a1=107 a2=1 a3=7fff757aa000 items=0 ppid=1
pid=15377 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=5 comm="arpwatch" exe="/usr/sbin/arpwatch"
subj=unconfined_u:system_r:arpwatch_t:s0 key=(null)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The setroubleshoot details show:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SELinux is preventing /usr/sbin/arpwatch from create access on the
netlink_socket .

*****  Plugin catchall (100. confidence) suggests
***************************

If you believe that arpwatch should be allowed create access on the
netlink_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep arpwatch /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:arpwatch_t:s0
Target Context                unconfined_u:system_r:arpwatch_t:s0
Target Objects                 [ netlink_socket ]
Source                        arpwatch
Source Path                   /usr/sbin/arpwatch
Port                          <Unknown>
Host                          xuxa
Source RPM Packages           arpwatch-2.1a15-14.el6.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-231.el6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     xuxa
Platform                      Linux xuxa 2.6.32-431.5.1.el6.x86_64 #1
SMP Tue
                              Feb 11 13:30:01 CST 2014 x86_64 x86_64
Alert Count                   8
First Seen                    Sat 22 Feb 2014 05:11:01 MST
Last Seen                     Sat 22 Feb 2014 09:51:20 MST
Local ID                      f6f79ef8-ccb6-4b22-a6af-89f25435fead

Raw Audit Messages
type=AVC msg=audit(1393087880.238:1100): avc:  denied  { create } for
pid=29377 comm="arpwatch" scontext=unconfined_u:system_r:arpwatch_t:s0
tcontext=unconfined_u:system_r:arpwatch_t:s0 tclass=netlink_socket


type=SYSCALL msg=audit(1393087880.238:1100): arch=x86_64 syscall=socket
success=no exit=EACCES a0=10 a1=3 a2=c a3=4 items=0 ppid=29376 pid=29377
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4
ses=7 comm=arpwatch exe=/usr/sbin/arpwatch
subj=unconfined_u:system_r:arpwatch_t:s0 key=(null)

Hash: arpwatch,arpwatch_t,arpwatch_t,netlink_socket,create

audit2allow

#============= arpwatch_t ==============
allow arpwatch_t self:netlink_socket create;

audit2allow -R

#============= arpwatch_t ==============
allow arpwatch_t self:netlink_socket create;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I've tried generating a local policy for this using audit2allow but it
is failing with the following, and the intermediate
'my-arpwatch-pol.pp.te' file consists of just the module declaration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# grep arpwatch /var/log/audit/audit.log | audit2allow -M my-arpwatch-pol.pp
compilation failed:
my-arpwatch-pol.pp.te:6:ERROR 'syntax error' at token '' on line 6:


/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from
my-arpwatch-pol.pp.te
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I've done several internet searches on this and the matching audit
failures all seem to point to a problem with the selinux-policy--and
that it was 'fixed' several releases ago. These packages look like they're
up to date to me:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# rpm -qa | grep selinux-policy
selinux-policy-3.7.19-231.el6.noarch
selinux-policy-targeted-3.7.19-231.el6.noarch
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Not having arpwatch running isn't a big deal, but it's become really
annoying to me that I can't seem to fix it. Has anyone got this to work
and what did you do--or is this problem just on my systems?

Thank you and my best regards,

    ==> dave
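A small shell example, added here and not part of the post above or of the arpwatch or SELinux tooling, that does by hand what audit2allow does with the AVC record quoted in the post: it skips the SYSCALL records that a plain grep for "arpwatch" also pulls in and prints only the minimal allow rule for each denial. The sample records in SAMPLE_AUDIT are constructed from the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not from the post or from arpwatch/SELinux): read audit
# records from stdin, keep only AVC "denied" records, and print the
# least-privilege type-enforcement rule for each, in the form audit2allow
# prints ("allow SRC TGT:CLASS PERMS;").

# Constructed sample, based on the records quoted in the post: one
# successful SYSCALL, the AVC denial, and the matching failed SYSCALL.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1392643622.271:62714): arch=c000003e syscall=54 success=yes exit=0 comm="arpwatch" exe="/usr/sbin/arpwatch"
type=AVC msg=audit(1393087880.238:1100): avc:  denied  { create } for pid=29377 comm="arpwatch" scontext=unconfined_u:system_r:arpwatch_t:s0 tcontext=unconfined_u:system_r:arpwatch_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1393087880.238:1100): arch=x86_64 syscall=socket success=no exit=EACCES comm=arpwatch exe=/usr/sbin/arpwatch'

# field LINE KEY -> the value of " KEY=value" in LINE (empty if absent)
field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# avc_to_rules: stdin -> one allow rule per distinct denial.
# Records that are not AVC denials (e.g. SYSCALL records) are skipped,
# so feeding it the output of a broad grep does no harm.
avc_to_rules() {
    while IFS= read -r line; do
        case $line in *avc:*denied*{*}*) ;; *) continue ;; esac
        # The permissions sit between the braces: "{ create }" -> "create"
        perms=$(printf '%s\n' "$line" |
                sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' |
                sed 's/^ *//;s/ *$//')
        # Third colon-separated field of a context is the type.
        src=$(field "$line" scontext | cut -d: -f3)
        tgt=$(field "$line" tcontext | cut -d: -f3)
        cls=$(field "$line" tclass)
        [ -n "$perms" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || continue
        # A domain acting on its own object is written as "self".
        [ "$src" = "$tgt" ] && tgt=self
        printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
    done | sort -u
}

# sample_rules -> the rule(s) derived from the constructed sample.
sample_rules() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_to_rules
}

sample_rules
```

On a live system the same function can read `grep arpwatch /var/log/audit/audit.log` and its output compared against what `audit2allow` proposes before any module is built.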
