RHEL / RHEL-43417

SELinux is preventing /usr/sbin/dhcpcd from using the kill capability.

    • Major
    • sst_security_selinux
    • ssg_security
    • x86_64

      What were you trying to do that didn't work?

      Please provide the package NVR for which bug is seen:

      kernel version: 6.9.0-7.el10.x86_64

      distro: RHEL-10.0-20240610.67

      How reproducible: 100%

      Steps to reproduce

      1. Run the script below:

      #!/bin/bash
      # Reproducer: create a bridge, start dhcpcd on it, bind netconsole to the
      # bridge's IPv6 link-local address, then ask dhcpcd to release the lease.
      beaker_nic=eno8303
      ip link add link "${beaker_nic}" name rhevm type bridge
      ip link set rhevm up
      ip link show rhevm
      # -C skips the named hook; the original script spelled it "reslove.conf"
      dhcpcd -C resolv.conf rhevm
      # IPv6 link-local address of the bridge without the /64 prefix length
      scope_link=$(ip addr show rhevm | grep inet6 | grep 'scope link' | awk '{print $2}' | sed -n 's/\(.*\)\/64/\1/p')
      modprobe netconsole netconsole=@${scope_link}/rhevm,58888@${scope_link}/
      # -k signals the running dhcpcd to release; this is the step that triggers the AVC denial
      dhcpcd -k rhevm

      Expected results

      IPv4/IPv6 addresses are released as expected.

      Actual results

      SELinux is preventing /usr/sbin/dhcpcd from using the kill capability.

      *****  Plugin catchall (100. confidence) suggests   **************************

      If you believe that dhcpcd should have the kill capability by default,
      then you should report this as a bug.
      You can generate a local policy module to allow this access.
      Do allow this access for now by executing:

      1. ausearch -c 'dhcpcd' --raw | audit2allow -M my-dhcpcd
      2. semodule -X 300 -i my-dhcpcd.pp

      Additional Information:
      Source Context                unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
      Target Context                unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
      Target Objects                Unknown [ capability ]
      Source                        dhcpcd
      Source Path                   /usr/sbin/dhcpcd
      Port                          <Unknown>
      Host                          <Unknown>
      Source RPM Packages           dhcpcd-10.0.6-3.el10.x86_64
      Target RPM Packages           
      SELinux Policy RPM            selinux-policy-targeted-40.13.2-1.el10.noarch
      Local Policy RPM              selinux-policy-targeted-40.13.2-1.el10.noarch
      Selinux Enabled               True
      Policy Type                   targeted
      Enforcing Mode                Enforcing
      Host Name                     dell-per750-66.rhts.eng.pek2.redhat.com
      Platform                      Linux dell-per750-66.rhts.eng.pek2.redhat.com 6.9.0-7.el10.x86_64 #1 SMP PREEMPT_DYNAMIC Wed May 22 03:34:22 EDT 2024 x86_64
      Alert Count                   4
      First Seen                    2024-06-19 01:42:59 EDT
      Last Seen                     2024-06-19 02:53:25 EDT
      Local ID                      c17aecef-405c-4429-b1de-b1e94b4e009e

      Raw Audit Messages
      type=AVC msg=audit(1718780005.71:478): avc:  denied  { kill } for  pid=15847 comm="dhcpcd" capability=5  scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=capability permissive=0

      type=SYSCALL msg=audit(1718780005.71:478): arch=x86_64 syscall=kill success=no exit=EPERM a0=3db1 a1=e a2=0 a3=4000 items=0 ppid=14477 pid=15847 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm=dhcpcd exe=/usr/sbin/dhcpcd subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=kill AUID=root UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root

      Hash: dhcpcd,dhcpc_t,dhcpc_t,capability,kill
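      The setroubleshoot remedy above hands the raw audit records to audit2allow without showing what the rule will be. The script below is an added example, not part of this report or of the dhcpcd or selinux-policy packages: it embeds the two raw audit records quoted above (copied from the report so it runs offline), decodes the kill(2) arguments from the SYSCALL record, and writes the minimal policy module source that audit2allow would produce, so the rule can be read before it is installed. It handles the general AVC case (a target type different from the source type is emitted as a separate require entry and target) as well as the self-capability case seen here. The module name my-dhcpcd matches the suggested command; the function names and the output layout are this example's own.

```shell
#!/bin/bash
# Added example (not from the bug report): decode one AVC/SYSCALL pair and emit
# the minimal SELinux policy module it implies, instead of trusting audit2allow blindly.

# Constructed input: the two raw audit records quoted in RHEL-43417.
AUDIT_RECORDS='type=AVC msg=audit(1718780005.71:478): avc:  denied  { kill } for  pid=15847 comm="dhcpcd" capability=5  scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=SYSCALL msg=audit(1718780005.71:478): arch=x86_64 syscall=kill success=no exit=EPERM a0=3db1 a1=e a2=0 a3=4000 items=0 ppid=14477 pid=15847 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm=dhcpcd exe=/usr/sbin/dhcpcd subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)'

# Pull the fields a policy rule needs out of one AVC record.
# Prints: <source type> <target type> <object class> <permissions...>
# The type is the third colon-separated field of a context (user:role:type:mls).
avc_fields() {
  local line="$1" perms stype ttype tclass
  perms=$(printf '%s\n' "$line" | sed -n 's/.*{ \([^}]*\) }.*/\1/p')
  stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p' | cut -d: -f3)
  ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p' | cut -d: -f3)
  tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
  printf '%s %s %s %s\n' "$stype" "$ttype" "$tclass" "$perms"
}

# Turn one AVC record into an allow rule. When source and target types are the
# same (a process acting on itself, as with capabilities) the target is "self".
avc_to_rule() {
  set -- $(avc_fields "$1")
  local stype=$1 ttype=$2 tclass=$3 target
  shift 3
  target=$ttype
  if [ "$stype" = "$ttype" ]; then target=self; fi
  if [ $# -gt 1 ]; then
    printf 'allow %s %s:%s { %s };\n' "$stype" "$target" "$tclass" "$*"
  else
    printf 'allow %s %s:%s %s;\n' "$stype" "$target" "$tclass" "$1"
  fi
}

# Decode the kill(2) arguments from the SYSCALL record: a0 is the target pid
# and a1 the signal number; both are logged in hex.
kill_args() {
  local line="$1" a0 a1
  a0=$(printf '%s\n' "$line" | sed -n 's/.* a0=\([0-9a-f]*\).*/\1/p')
  a1=$(printf '%s\n' "$line" | sed -n 's/.* a1=\([0-9a-f]*\).*/\1/p')
  printf 'target_pid=%d signal=%d\n' "$((0x$a0))" "$((0x$a1))"
}

# Print a complete .te module source for one AVC record.
# $1 = module name, $2 = AVC record
emit_te() {
  local name="$1" rec="$2"
  set -- $(avc_fields "$rec")
  local stype=$1 ttype=$2 tclass=$3
  shift 3
  printf 'module %s 1.0;\n\nrequire {\n    type %s;\n' "$name" "$stype"
  if [ "$ttype" != "$stype" ]; then printf '    type %s;\n' "$ttype"; fi
  printf '    class %s { %s };\n}\n\n' "$tclass" "$*"
  avc_to_rule "$rec"
}

# Stand-alone run: the rule, the decoded syscall, then the module source.
printf '%s\n' "$AUDIT_RECORDS" | while IFS= read -r rec; do
  case "$rec" in
    "type=AVC "*)     avc_to_rule "$rec" ;;
    "type=SYSCALL "*) kill_args "$rec" ;;
  esac
done
emit_te my-dhcpcd "$(printf '%s\n' "$AUDIT_RECORDS" | grep '^type=AVC ')"
```

      Decoding a0/a1 gives target_pid=15793 and signal=14: the denied caller (pid 15847, the dhcpcd -k rhevm invocation) is signalling a different dhcpcd process with signal 14, which is SIGALRM on x86_64, the signal dhcpcd(8) uses to ask a running instance to release its lease. The kernel only consults CAP_KILL when the sender's and the target's credentials differ, which fits dhcpcd's privilege separation dropping the running instance to an unprivileged user (an inference from the records, not something the report states). Both processes run as dhcpc_t, so the generated rule is allow dhcpc_t self:capability kill; and grants nothing outside dhcpcd's own domain. To build and load the emitted source: checkmodule -M -m -o my-dhcpcd.mod my-dhcpcd.te, then semodule_package -o my-dhcpcd.pp -m my-dhcpcd.mod, then the semodule -X 300 -i my-dhcpcd.pp line from the report.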

            Zdenek Pytela (rhn-support-zpytela)
            Minxi Hou (mhou@redhat.com)
            SSG Security QE