Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-22277

AVC "sys_admin + bpf" on conntrackd when using Kernel space filtering

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Normal Normal
    • rhel-9.4
    • rhel-9.3.0
    • selinux-policy
    • None
    • selinux-policy-38.1.31-1.el9
    • None
    • Moderate
    • rhel-security-selinux
    • ssg_security
    • 23
    • None
    • QE ack
    • False
    • False
    • Hide

      None

      Show
      None
    • No
    • Red Hat Enterprise Linux
    • None
    • Hide

      The conntrackd service does not trigger any SELinux denials when the kernel space filtering is enabled. The conntrackd service starts and runs successfully in enforcing mode.

      Show
      The conntrackd service does not trigger any SELinux denials when the kernel space filtering is enabled. The conntrackd service starts and runs successfully in enforcing mode.
    • Pass
    • Automated
    • Release Note Not Required
    • None

      What were you trying to do that didn't work?

      When conntrackd is configured with "Filter From Kernelspace", an AVC pops up when starting the service:

      type=PROCTITLE msg=audit(01/22/2024 12:46:49.999:248) : proctitle=/usr/sbin/conntrackd -C /etc/conntrackd/conntrackd.conf 
type=SYSCALL msg=audit(01/22/2024 12:46:49.999:248) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x10 a1=SOL_SOCKET a2=SO_ATTACH_FILTER a3=0x7ffc4d1a8210 items=0 ppid=1 pid=1927 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=conntrackd exe=/usr/sbin/conntrackd subj=system_u:system_r:conntrackd_t:s0 key=(null) 
type=AVC msg=audit(01/22/2024 12:46:49.999:248) : avc:  denied  { sys_admin } for  pid=1927 comm=conntrackd capability=sys_admin  scontext=system_u:system_r:conntrackd_t:s0 tcontext=system_u:system_r:conntrackd_t:s0 tclass=capability permissive=0 
type=AVC msg=audit(01/22/2024 12:46:49.999:248) : avc:  denied  { bpf } for  pid=1927 comm=conntrackd capability=bpf  scontext=system_u:system_r:conntrackd_t:s0 tcontext=system_u:system_r:conntrackd_t:s0 tclass=capability2 permissive=0

      Configuration file used to reproduce (/etc/conntrackd/conntrackd.conf):

      Sync {
        Mode NOTRACK {
        }
        UDP {
                IPv4_address 225.0.0.50
                IPv4_Destination_Address 192.168.100.100
                Port 3780
                Interface itf0               <<<<<<<<<<<<<<<< SET YOUR ITF HERE
                SndSocketBuffer 4194304
                RcvSocketBuffer 4194304
        }
}
General {
        Nice -20
        HashSize 32768
        HashLimit 131072
        LogFile off
        Syslog on
        LockFile /var/lock/conntrack.lock
        UNIX {
                Path /var/run/conntrackd.ctl
                Backlog 20
        }
        NetlinkBufferSize 4194304
        NetlinkBufferSizeMaxGrowth 12582912
        Filter From Kernelspace {          <<<<<<<<<<<<<<<< HERE
                Protocol Accept {
                        TCP
                        SCTP
                        DCCP
                }
                Address Ignore {
                        IPv4_address 169.254.100.4
                        IPv4_address 169.254.100.253
                }
        }
}

      Please provide the package NVR for which bug is seen:

      conntrack-tools-1.4.7-2.el9
      selinux-policy-38.1.23-1.el9

      How reproducible:

      Always

      Steps to reproduce

      See above

              rh-ee-jmarcin Juraj Marcin
              rhn-support-rmetrich Renaud Métrich
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated:
                Resolved: