Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version: rhel-8.9.0
Fixed in build: selinux-policy-3.14.3-135.el8
Severity: Moderate
Component: rhel-security-selinux
Labels: ssg_security
QE ack
Product: Red Hat Enterprise Linux
Preliminary Testing: Pass
Test Coverage: Automated
Release Note Type: Release Note Not Required
What were you trying to do that didn't work?
When conntrackd is configured with "Filter From Kernelspace", an AVC pops up when starting the service:
type=PROCTITLE msg=audit(01/22/24 12:44:24.381:324) : proctitle=/usr/sbin/conntrackd -C /etc/conntrackd/conntrackd.conf
type=SYSCALL msg=audit(01/22/24 12:44:24.381:324) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x10 a1=SOL_SOCKET a2=SO_ATTACH_FILTER a3=0x7fffc0d9d3a0 items=0 ppid=1 pid=28494 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=conntrackd exe=/usr/sbin/conntrackd subj=system_u:system_r:conntrackd_t:s0 key=(null)
type=AVC msg=audit(01/22/24 12:44:24.381:324) : avc: denied { sys_admin } for pid=28494 comm=conntrackd capability=sys_admin scontext=system_u:system_r:conntrackd_t:s0 tcontext=system_u:system_r:conntrackd_t:s0 tclass=capability permissive=0
Configuration file used to reproduce (/etc/conntrackd/conntrackd.conf):
Sync {
    Mode NOTRACK {
    }
    UDP {
        IPv4_address 225.0.0.50
        IPv4_Destination_Address 192.168.100.100
        Port 3780
        Interface itf0                  <<<<<<<<<<<<<<<< SET YOUR ITF HERE
        SndSocketBuffer 4194304
        RcvSocketBuffer 4194304
    }
}
General {
    Nice -20
    HashSize 32768
    HashLimit 131072
    LogFile off
    Syslog on
    LockFile /var/lock/conntrack.lock
    UNIX {
        Path /var/run/conntrackd.ctl
        Backlog 20
    }
    NetlinkBufferSize 4194304
    NetlinkBufferSizeMaxGrowth 12582912
    Filter From Kernelspace {           <<<<<<<<<<<<<<<< HERE
        Protocol Accept {
            TCP
            SCTP
            DCCP
        }
        Address Ignore {
            IPv4_address 169.254.100.4
            IPv4_address 169.254.100.253
        }
    }
}
Please provide the package NVR for which the bug is seen:
conntrack-tools-1.4.4-11.el8
selinux-policy-3.14.3-128.el8_9.1
How reproducible:
Always
Steps to reproduce
See above
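Added example, not part of the bug report or of selinux-policy: a small script that turns the AVC record above into a local SELinux policy module for the interim, until the fixed selinux-policy build is installed. Two details are worth noting before choosing the rule type. First, the SYSCALL record says success=yes with permissive=0, so the denial did not break the setsockopt call: when a classic filter is attached with SO_ATTACH_FILTER the kernel JIT-compiles it and then asks for CAP_SYS_ADMIN (bpf_capable() on newer kernels) only to register the program in kallsyms, and silently skips that step if the check fails. A dontaudit rule therefore silences the noise without widening conntrackd_t, whereas allowing sys_admin, an overloaded capability, is the broader grant. Second, the first record below is copied from the report; the second (capability2/bpf) is constructed here to match what the cloned RHEL-22277 title says a newer kernel logs, and only serves to show several records being merged into one module. The module name local_conntrackd_bpf is my choice.

```bash
#!/bin/bash
# Added example (not the page's or the project's code): build a local
# SELinux policy module (.te source) from ausearch -i style AVC records.

# Records for the demo. The first is the one from the bug report; the second
# is constructed (capability2 / bpf) to exercise the merge logic.
conntrackd_avcs() {
    cat <<'EOF'
type=AVC msg=audit(01/22/24 12:44:24.381:324) : avc: denied { sys_admin } for pid=28494 comm=conntrackd capability=sys_admin scontext=system_u:system_r:conntrackd_t:s0 tcontext=system_u:system_r:conntrackd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(01/22/24 12:44:24.381:325) : avc: denied { bpf } for pid=28494 comm=conntrackd capability=bpf scontext=system_u:system_r:conntrackd_t:s0 tcontext=system_u:system_r:conntrackd_t:s0 tclass=capability2 permissive=0
EOF
}

# avc_to_te MODE MODULE_NAME   (reads AVC records on stdin, prints .te source)
# MODE is "allow" (grant the permission) or "dontaudit" (keep denying it,
# but stop logging it; the right choice when, as here, the syscall succeeds).
# Records with the same source type, target type and class are merged, and
# a target equal to the source becomes "self".
avc_to_te() {
    local mode="$1" name="$2"
    case "$mode" in
        allow|dontaudit) ;;
        *) echo "mode must be allow or dontaudit" >&2; return 1 ;;
    esac
    awk -v mode="$mode" -v name="$name" '
    BEGIN { ntypes = 0; ncls = 0; nkeys = 0 }
    /avc: +denied/ {
        # permissions are the words between the braces
        match($0, "[{][^}]*[}]")
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        # third component of the security context is the type
        match($0, "scontext=[^ ]+"); split(substr($0, RSTART + 9, RLENGTH - 9), s, ":"); src = s[3]
        match($0, "tcontext=[^ ]+"); split(substr($0, RSTART + 9, RLENGTH - 9), t, ":"); tgt = t[3]
        match($0, "tclass=[^ ]+");   cls = substr($0, RSTART + 7, RLENGTH - 7)
        key = src ":" tgt ":" cls
        if (!(key in rule)) { keys[nkeys++] = key; rule[key] = "" }
        if (!(cls in cperm)) { classes[ncls++] = cls; cperm[cls] = "" }
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) {
            if (index(" " rule[key] " ", " " p[i] " ") == 0)
                rule[key] = rule[key] (rule[key] == "" ? "" : " ") p[i]
            if (index(" " cperm[cls] " ", " " p[i] " ") == 0)
                cperm[cls] = cperm[cls] (cperm[cls] == "" ? "" : " ") p[i]
        }
        if (!(src in seen)) { seen[src] = 1; types[ntypes++] = src }
        if (!(tgt in seen)) { seen[tgt] = 1; types[ntypes++] = tgt }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (i = 0; i < ntypes; i++) printf "\ttype %s;\n", types[i]
        for (i = 0; i < ncls; i++)   printf "\tclass %s { %s };\n", classes[i], cperm[classes[i]]
        printf "}\n\n"
        for (i = 0; i < nkeys; i++) {
            split(keys[i], k, ":")
            printf "%s %s %s:%s { %s };\n", mode, k[1], (k[1] == k[2] ? "self" : k[2]), k[3], rule[keys[i]]
        }
    }'
}

# Demo: print the dontaudit module for the records above.
conntrackd_avcs | avc_to_te dontaudit local_conntrackd_bpf
```

To use it on a live system, feed real records instead of the embedded ones (ausearch -i -m AVC -c conntrackd | avc_to_te dontaudit local_conntrackd_bpf > local_conntrackd_bpf.te), then compile and load the module with checkmodule -M -m -o local_conntrackd_bpf.mod local_conntrackd_bpf.te, semodule_package -o local_conntrackd_bpf.pp -m local_conntrackd_bpf.mod and semodule -i local_conntrackd_bpf.pp. Restart conntrackd and re-run the ausearch command to confirm the record no longer appears; remove the module with semodule -r once the fixed selinux-policy build is installed.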
is cloned by: RHEL-22277 AVC "sys_admin + bpf" on conntrackd when using Kernel space filtering (Closed)
links to: RHBA-2023:121335 selinux-policy bug fix and enhancement update