Bug | Resolution: Done-Errata | Normal | rhel-9.4 | None | selinux-policy-38.1.52-1.el9 | No | Low | 1 | rhel-security-selinux | ssg_security | 25 | 0.5 | QE ack | False | False | No | Red Hat Enterprise Linux | SELINUX 250219: 2 | Pass | Automated | Release Note Not Required | None
What were you trying to do that didn't work?
When the in.telnetd service spawns, an AVC pops up in case the client IP address cannot be found in NSS providers other than myhostname:
type=PROCTITLE msg=audit(09/13/2024 09:40:21.381:193) : proctitle=/usr/sbin/in.telnetd
type=PATH msg=audit(09/13/2024 09:40:21.381:193) : item=0 name=/proc/sys/net/ipv6/conf/all/disable_ipv6 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/13/2024 09:40:21.381:193) : cwd=/
type=SYSCALL msg=audit(09/13/2024 09:40:21.381:193) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffeec38eaf0 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1137 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=in.telnetd exe=/usr/sbin/in.telnetd subj=system_u:system_r:telnetd_t:s0 key=(null)
type=AVC msg=audit(09/13/2024 09:40:21.381:193) : avc: denied { search } for pid=1137 comm=in.telnetd name=net dev="proc" ino=11525 scontext=system_u:system_r:telnetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
The root cause is that the myhostname NSS code queries the status of IPv6 on the system, which is not allowed, as shown in the in.telnetd backtrace below:
(gdb) bt
#0 0x00007f95c2efd886 in __libc_openat64 (fd=fd@entry=-100, file=file@entry=0x7ffcb0222850 "/proc/sys/net/ipv6/conf/all/disable_ipv6", oflag=oflag@entry=524544) at ../sysdeps/unix/sysv/linux/openat64.c:45
#1 0x00007f95c304cf75 in openat64 (__oflag=524544, __path=0x7ffcb0222850 "/proc/sys/net/ipv6/conf/all/disable_ipv6", __fd=-100) at ../src/basic/fileio.c:550
#2 read_virtual_file_at (dir_fd=-100, max_size=18446744073709551615, ret_size=0x0, ret_contents=0x7ffcb0222a50, filename=0x7ffcb0222850 "/proc/sys/net/ipv6/conf/all/disable_ipv6") at ../src/basic/fileio.c:568
#3 read_virtual_file (ret_size=0x0, ret_contents=0x7ffcb0222a50, max_size=18446744073709551615, filename=0x7ffcb0222850 "/proc/sys/net/ipv6/conf/all/disable_ipv6") at ../src/basic/fileio.h:74
#4 read_full_virtual_file (ret_size=0x0, ret_contents=0x7ffcb0222a50, filename=0x7ffcb0222850 "/proc/sys/net/ipv6/conf/all/disable_ipv6") at ../src/basic/fileio.h:77
#5 sysctl_read (property=0x7ffcb0222990 "net/ipv6/conf/all/disable_ipv6", ret=0x7ffcb0222a50) at ../src/basic/sysctl-util.c:111
#6 0x00007f95c3056dc6 in sysctl_read_ip_property.constprop.0 (ret=ret@entry=0x7ffcb0222a50, property=0x7f95c3060715 "disable_ipv6", ifname=0x7f95c3060705 "all", af=10) at ../src/basic/sysctl-util.c:136
#7 0x00007f95c304a2f4 in socket_ipv6_is_enabled () at ../src/basic/socket-util.c:310
#8 0x00007f95c3051c97 in _nss_myhostname_gethostbyaddr2_r (addr=0x7ffcb02233d8, len=<optimized out>, af=10, host=0x7ffcb0222d20, buffer=0x7ffcb0222ee0 "", buflen=1024, errnop=0x7f95c306a6c0, h_errnop=0x7ffcb0222d0c, ttlp=0x0) at ../src/nss-myhostname/nss-myhostname.c:464
#9 0x00007f95c3052167 in _nss_myhostname_gethostbyaddr_r (addr=<optimized out>, len=<optimized out>, af=<optimized out>, host=<optimized out>, buffer=<optimized out>, buflen=<optimized out>, errnop=0x7f95c306a6c0, h_errnop=0x7ffcb0222d0c) at ../src/nss-myhostname/nss-myhostname.c:522
#10 0x00007f95c2f1dddf in __gethostbyaddr_r (addr=addr@entry=0x7ffcb02233d8, len=len@entry=16, type=type@entry=10, resbuf=resbuf@entry=0x7ffcb0222d20, buffer=<optimized out>, buflen=1024, result=<optimized out>, h_errnop=<optimized out>) at ../nss/getXXbyYY_r.c:274
#11 0x00007f95c2f26ef8 in gni_host_inet_name (addrlen=<optimized out>, flags=0, hostlen=255, host=0x7ffcb02234d0 "\330\032\b\303\225\177", sa=0x7ffcb02233d0, tmpbuf=0x7ffcb0222ed0) at getnameinfo.c:232
#12 gni_host_inet (addrlen=<optimized out>, flags=0, hostlen=255, host=0x7ffcb02234d0 "\330\032\b\303\225\177", sa=0x7ffcb02233d0, tmpbuf=0x7ffcb0222ed0) at getnameinfo.c:367
#13 gni_host (addrlen=<optimized out>, flags=0, hostlen=255, host=0x7ffcb02234d0 "\330\032\b\303\225\177", sa=0x7ffcb02233d0, tmpbuf=0x7ffcb0222ed0) at getnameinfo.c:409
#14 __GI_getnameinfo (sa=0x7ffcb02233d0, addrlen=<optimized out>, host=0x7ffcb02234d0 "\330\032\b\303\225\177", hostlen=<optimized out>, serv=0x0, servlen=0, flags=<optimized out>) at getnameinfo.c:523
#15 0x000055cb0553de02 in doit (wholen=28, who=0x7ffcb02233d0) at /usr/src/debug/telnet-0.17-85.el9.x86_64/telnetd/telnetd.c:677
#16 main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at /usr/src/debug/telnet-0.17-85.el9.x86_64/telnetd/telnetd.c:388
This code is legitimate; it is used to tell the underlying login process which hostname the telnet client is connecting from.
We need to allow the domain to query IPv6 status.
This requires the rule below:
read_files_pattern(telnetd_t, sysctl_net_t, sysctl_net_t)
What is the impact of this issue to you?
The AVC prevents client IP address resolution, which in the end causes the utmp record to store an IP address instead of the hostname, e.g.:
# last
root     pts/0        192.168.122.1    Fri Sep 13 09:33 - 09:34  (00:01)
[...]
instead of
# last
root     pts/1        p1               Fri Sep 13 09:43 - 09:43  (00:00)
[...]
Please provide the package NVR for which the bug is seen:
selinux-policy-38.1.35-2.el9_4.2.noarch
How reproducible is this bug?:
Always
Steps to reproduce
- Install the telnet-server package and start the socket
# yum -y install telnet-server
# systemctl start telnet.socket
- Make sure the client hostname will not be found by editing /etc/nsswitch.conf
#hosts: files dns myhostname
hosts: files myhostname
- Connect to the system using telnet
Expected results
No AVC
Actual results
AVC
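As an added example that is not part of this bug report (nor of the selinux-policy package), the following POSIX shell script turns the AVC record quoted above into SELinux policy and contrasts the single-permission rule an audit2allow-style conversion of that one record would produce with the read_files_pattern() module the report proposes. It assumes a host with selinux-policy-devel and setools installed and the standard developer Makefile at /usr/share/selinux/devel/Makefile; the function and module names (avc_fields, raw_allow_rule, te_module, install_module, local_telnetd_t_sysctl) are the example's own, and the AVC line is copied from the report as a constructed sample input.

```shell
#!/bin/sh
# Added example, not code from the bug report or from selinux-policy.
# Constructed sample input: the AVC record from the report, as one line.
AVC_SAMPLE='type=AVC msg=audit(09/13/2024 09:40:21.381:193) : avc: denied { search } for pid=1137 comm=in.telnetd name=net dev="proc" ino=11525 scontext=system_u:system_r:telnetd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0'

# avc_fields: extract "source_type target_type class perms" from one AVC record.
# The type is the third colon-separated field of scontext= / tcontext=.
avc_fields() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                p = ""
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    p = p (p == "" ? "" : " ") $j
            }
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        print s, t, c, p
    }'
}

# raw_allow_rule: the rule an audit2allow-style conversion of this single
# record yields. It grants only what was denied so far (dir search); the
# backtrace shows the next step is openat(O_RDONLY) on the disable_ipv6
# file, which would produce a second AVC on tclass=file.
raw_allow_rule() {
    set -- $(avc_fields "$1")
    stype=$1; ttype=$2; class=$3; shift 3
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$class" "$*"
}

# te_module: a local policy module built on the interface the report
# proposes. read_files_pattern() covers the directory search and the
# read/open of files under it in one rule, so the whole sysctl lookup
# is allowed at once. Arguments: source domain, sysctl type.
te_module() {
    cat <<EOF
policy_module(local_${1}_sysctl, 1.0)

gen_require(\`
    type ${1};
    type ${2};
')

# allow ${1} to read ${2} files such as /proc/sys/net/ipv6/conf/all/disable_ipv6
read_files_pattern(${1}, ${2}, ${2})
EOF
}

# install_module: build and load the module on the target host, then
# confirm both accesses are allowed. Needs root and selinux-policy-devel;
# this is not executed by the self-check, only by an operator.
install_module() {
    te_module telnetd_t sysctl_net_t > local_telnetd_t_sysctl.te
    make -f /usr/share/selinux/devel/Makefile local_telnetd_t_sysctl.pp
    semodule -i local_telnetd_t_sysctl.pp
    sesearch -A -s telnetd_t -t sysctl_net_t -c dir  -p search
    sesearch -A -s telnetd_t -t sysctl_net_t -c file -p read
}

# Demo: the incomplete raw rule next to the module covering the whole path.
raw_allow_rule "$AVC_SAMPLE"
te_module telnetd_t sysctl_net_t
```

The contrast is the practical point: feeding only the first denial to audit2allow yields `allow telnetd_t sysctl_net_t:dir { search };`, and the reporter would be back with a read denial on the file after loading it. Either collect the full chain first (put the domain in permissive mode with `semanage permissive -a telnetd_t`, reproduce, then `ausearch -m AVC -c in.telnetd`) or, as the report does, use the refpolicy interface that already models the complete access pattern.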
Links to: RHBA-2024:139849 selinux-policy bug fix and enhancement update