Bug 443624 - tcpdump requires additional SELinux privileges
Summary: tcpdump requires additional SELinux privileges
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: sec-policy r8
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-17 13:08 UTC by Amadeusz Sławiński
Modified: 2012-12-13 10:13 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Amadeusz Sławiński 2012-11-17 13:08:18 UTC
# tcpdump
tcpdump: Can't open netlink socket 13:Permission denied

Enforcing:
Nov 17 13:34:38 lain kernel: [ 4257.373410] type=1400 audit(1353155678.574:1066): avc:  denied  { rlimitinh } for  pid=31625 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:34:38 lain kernel: [ 4257.373422] type=1400 audit(1353155678.574:1067): avc:  denied  { siginh } for  pid=31625 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:34:38 lain kernel: [ 4257.373443] type=1400 audit(1353155678.574:1068): avc:  denied  { noatsecure } for  pid=31625 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:34:38 lain kernel: [ 4257.442216] type=1400 audit(1353155678.643:1069): avc:  denied  { search } for  pid=31625 comm="tcpdump" name="/" dev="debugfs" ino=1 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:debugfs_t tclass=dir
Nov 17 13:34:38 lain kernel: [ 4257.442256] type=1400 audit(1353155678.643:1070): avc:  denied  { search } for  pid=31625 comm="tcpdump" name="/" dev="debugfs" ino=1 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:debugfs_t tclass=dir
Nov 17 13:34:38 lain kernel: [ 4257.442280] type=1400 audit(1353155678.643:1071): avc:  denied  { create } for  pid=31625 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket

Permissive:
Nov 17 13:34:50 lain kernel: [ 4269.707051] type=1400 audit(1353155690.932:1073): avc:  denied  { rlimitinh } for  pid=31768 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:34:50 lain kernel: [ 4269.707061] type=1400 audit(1353155690.932:1074): avc:  denied  { siginh } for  pid=31768 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:34:50 lain kernel: [ 4269.707080] type=1400 audit(1353155690.932:1075): avc:  denied  { noatsecure } for  pid=31768 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:34:51 lain kernel: [ 4269.807641] type=1400 audit(1353155691.033:1076): avc:  denied  { search } for  pid=31768 comm="tcpdump" name="/" dev="debugfs" ino=1 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:debugfs_t tclass=dir
Nov 17 13:34:51 lain kernel: [ 4269.807705] type=1400 audit(1353155691.033:1077): avc:  denied  { create } for  pid=31768 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:34:51 lain kernel: [ 4269.807731] type=1400 audit(1353155691.033:1078): avc:  denied  { write } for  pid=31768 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:34:51 lain kernel: [ 4269.807752] type=1400 audit(1353155691.033:1079): avc:  denied  { read } for  pid=31768 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:34:51 lain kernel: [ 4269.812523] type=1400 audit(1353155691.038:1080): avc:  denied  { read } for  pid=31768 comm="tcpdump" name="dev" dev="proc" ino=4026531979 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:proc_net_t tclass=file
Nov 17 13:34:51 lain kernel: [ 4269.812534] type=1400 audit(1353155691.038:1081): avc:  denied  { open } for  pid=31768 comm="tcpdump" path="/proc/31768/net/dev" dev="proc" ino=4026531979 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:proc_net_t tclass=file


After allowing:
Nov 17 13:34:38 lain kernel: [ 4257.442280] type=1400 audit(1353155678.643:1071): avc:  denied  { create } for  pid=31625 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket

# tcpdump
tcpdump: Couldn't chroot/chdir to '/var/lib/tcpdump': Permission denied

Enforcing:
Nov 17 13:41:25 lain kernel: [ 4663.437448] type=1400 audit(1353156085.445:1149): avc:  denied  { rlimitinh } for  pid=23003 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:41:25 lain kernel: [ 4663.437460] type=1400 audit(1353156085.445:1150): avc:  denied  { siginh } for  pid=23003 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:41:25 lain kernel: [ 4663.437480] type=1400 audit(1353156085.445:1151): avc:  denied  { noatsecure } for  pid=23003 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:41:25 lain kernel: [ 4663.513384] type=1400 audit(1353156085.521:1152): avc:  denied  { search } for  pid=23003 comm="tcpdump" name="/" dev="debugfs" ino=1 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:debugfs_t tclass=dir
Nov 17 13:41:25 lain kernel: [ 4663.513442] type=1400 audit(1353156085.521:1153): avc:  denied  { search } for  pid=23003 comm="tcpdump" name="/" dev="debugfs" ino=1 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:debugfs_t tclass=dir
Nov 17 13:41:25 lain kernel: [ 4663.513504] type=1400 audit(1353156085.521:1154): avc:  denied  { write } for  pid=23003 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:41:25 lain kernel: [ 4663.518243] type=1400 audit(1353156085.526:1155): avc:  denied  { read } for  pid=23003 comm="tcpdump" name="dev" dev="proc" ino=4026531979 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:proc_net_t tclass=file
Nov 17 13:41:25 lain kernel: [ 4663.539314] type=1400 audit(1353156085.547:1156): avc:  denied  { dac_override } for  pid=23003 comm="tcpdump" capability=1  scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=capability
Nov 17 13:41:25 lain kernel: [ 4663.539333] type=1400 audit(1353156085.547:1157): avc:  denied  { dac_read_search } for  pid=23003 comm="tcpdump" capability=2  scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=capability
Nov 17 13:41:25 lain kernel: [ 4663.539348] type=1400 audit(1353156085.547:1158): avc:  denied  { dac_override } for  pid=23003 comm="tcpdump" capability=1  scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=capability

Permissive:
Nov 17 13:41:36 lain kernel: [ 4674.308673] type=1400 audit(1353156096.338:1160): avc:  denied  { rlimitinh } for  pid=23423 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:41:36 lain kernel: [ 4674.308688] type=1400 audit(1353156096.338:1161): avc:  denied  { siginh } for  pid=23423 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:41:36 lain kernel: [ 4674.308715] type=1400 audit(1353156096.338:1162): avc:  denied  { noatsecure } for  pid=23423 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:41:36 lain kernel: [ 4674.409602] type=1400 audit(1353156096.439:1163): avc:  denied  { search } for  pid=23423 comm="tcpdump" name="/" dev="debugfs" ino=1 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:debugfs_t tclass=dir
Nov 17 13:41:36 lain kernel: [ 4674.409725] type=1400 audit(1353156096.439:1164): avc:  denied  { write } for  pid=23423 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:41:36 lain kernel: [ 4674.409754] type=1400 audit(1353156096.439:1165): avc:  denied  { read } for  pid=23423 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:41:36 lain kernel: [ 4674.420483] type=1400 audit(1353156096.450:1166): avc:  denied  { read } for  pid=23423 comm="tcpdump" name="dev" dev="proc" ino=4026531979 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:proc_net_t tclass=file
Nov 17 13:41:36 lain kernel: [ 4674.420501] type=1400 audit(1353156096.450:1167): avc:  denied  { open } for  pid=23423 comm="tcpdump" path="/proc/23423/net/dev" dev="proc" ino=4026531979 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:proc_net_t tclass=file
Nov 17 13:41:36 lain kernel: [ 4674.420529] type=1400 audit(1353156096.450:1168): avc:  denied  { getattr } for  pid=23423 comm="tcpdump" path="/proc/23423/net/dev" dev="proc" ino=4026531979 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:proc_net_t tclass=file

ls -lZ /var/lib | grep tcpdump
drwx------. 2 tcpdump tcpdump system_u:object_r:var_lib_t                4096 Oct 23 21:43 tcpdump

After allowing:
Nov 17 13:52:07 lain kernel: [ 5304.192160] type=1400 audit(1353156727.473:1208): avc:  denied  { dac_override } for  pid=1887 comm="tcpdump" capability=1  scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=capability

Enforcing:
Nov 17 13:57:28 lain kernel: [ 5624.452306] type=1400 audit(1353157048.369:1285): avc:  denied  { rlimitinh } for  pid=5065 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:57:28 lain kernel: [ 5624.452325] type=1400 audit(1353157048.369:1286): avc:  denied  { siginh } for  pid=5065 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:57:28 lain kernel: [ 5624.452384] type=1400 audit(1353157048.369:1287): avc:  denied  { noatsecure } for  pid=5065 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:57:28 lain kernel: [ 5624.555520] type=1400 audit(1353157048.473:1288): avc:  denied  { search } for  pid=5065 comm="tcpdump" name="/" dev="debugfs" ino=1 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:debugfs_t tclass=dir
Nov 17 13:57:28 lain kernel: [ 5624.555577] type=1400 audit(1353157048.473:1289): avc:  denied  { search } for  pid=5065 comm="tcpdump" name="/" dev="debugfs" ino=1 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:debugfs_t tclass=dir
Nov 17 13:57:28 lain kernel: [ 5624.555641] type=1400 audit(1353157048.473:1290): avc:  denied  { write } for  pid=5065 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:57:28 lain kernel: [ 5624.564447] type=1400 audit(1353157048.482:1291): avc:  denied  { read } for  pid=5065 comm="tcpdump" name="dev" dev="proc" ino=4026531979 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:proc_net_t tclass=file
Nov 17 13:57:28 lain kernel: [ 5624.582484] type=1400 audit(1353157048.500:1292): avc:  denied  { sys_chroot } for  pid=5065 comm="tcpdump" capability=18  scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=capability

Permissive:
Nov 17 13:57:39 lain kernel: [ 5636.001459] type=1400 audit(1353157059.941:1294): avc:  denied  { rlimitinh } for  pid=5126 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:57:39 lain kernel: [ 5636.001473] type=1400 audit(1353157059.941:1295): avc:  denied  { siginh } for  pid=5126 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:57:39 lain kernel: [ 5636.001535] type=1400 audit(1353157059.942:1296): avc:  denied  { noatsecure } for  pid=5126 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:57:40 lain kernel: [ 5636.122460] type=1400 audit(1353157060.063:1297): avc:  denied  { search } for  pid=5126 comm="tcpdump" name="/" dev="debugfs" ino=1 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:debugfs_t tclass=dir
Nov 17 13:57:40 lain kernel: [ 5636.122575] type=1400 audit(1353157060.063:1298): avc:  denied  { write } for  pid=5126 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:57:40 lain kernel: [ 5636.122604] type=1400 audit(1353157060.063:1299): avc:  denied  { read } for  pid=5126 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:57:40 lain kernel: [ 5636.138339] type=1400 audit(1353157060.079:1300): avc:  denied  { read } for  pid=5126 comm="tcpdump" name="dev" dev="proc" ino=4026531979 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:proc_net_t tclass=file
Nov 17 13:57:40 lain kernel: [ 5636.138356] type=1400 audit(1353157060.079:1301): avc:  denied  { open } for  pid=5126 comm="tcpdump" path="/proc/5126/net/dev" dev="proc" ino=4026531979 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:proc_net_t tclass=file
Nov 17 13:57:40 lain kernel: [ 5636.138379] type=1400 audit(1353157060.079:1302): avc:  denied  { getattr } for  pid=5126 comm="tcpdump" path="/proc/5126/net/dev" dev="proc" ino=4026531979 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:proc_net_t tclass=file

Finally after allowing this one it seems to work:
Nov 17 13:53:14 lain kernel: [ 5371.286855] type=1400 audit(1353156794.701:1230): avc:  denied  { sys_chroot } for  pid=2308 comm="tcpdump" capability=18  scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=capability

All of the stuff I allowed:
Nov 17 13:34:38 lain kernel: [ 4257.442280] type=1400 audit(1353155678.643:1071): avc:  denied  { create } for  pid=31625 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:52:07 lain kernel: [ 5304.192160] type=1400 audit(1353156727.473:1208): avc:  denied  { dac_override } for  pid=1887 comm="tcpdump" capability=1  scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=capability
Nov 17 13:53:14 lain kernel: [ 5371.286855] type=1400 audit(1353156794.701:1230): avc:  denied  { sys_chroot } for  pid=2308 comm="tcpdump" capability=18  scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=capability

Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-17 20:12:16 UTC
Seems to work with dac_read_search as well (without dac_override). dac_override is more global than dac_read_search, and it requires the search privs only afaik.

dac_override is checked first, then dac_read_search, so I guess we can even dontaudit the dac_override requests.
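The report above works through the denials by hand, one run at a time, and comment 1 then argues that dac_override should be dontaudited rather than allowed because dac_read_search is enough and the kernel checks dac_override first. The following Python script is an added example, not part of the bug or of the Gentoo policy: it parses AVC lines in the syslog format shown in the report, groups them into candidate allow rules the way audit2allow would, and then applies that triage. The sample lines are copied from the report; the two triage heuristics (treat the rlimitinh/siginh/noatsecure trio on a domain transition as noise, and demote dac_override to dontaudit whenever dac_read_search is also requested) are this example's assumptions, stated in the comments.

```python
"""Parse SELinux AVC denial lines and summarise them as candidate policy rules."""
import re
from collections import defaultdict

# Sample input: AVC lines copied from the bug report above (enforcing and
# permissive runs mixed), so the grouping below has several classes to work on.
SAMPLE_LOG = """
Nov 17 13:34:38 lain kernel: [ 4257.373410] type=1400 audit(1353155678.574:1066): avc:  denied  { rlimitinh } for  pid=31625 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:34:38 lain kernel: [ 4257.373422] type=1400 audit(1353155678.574:1067): avc:  denied  { siginh } for  pid=31625 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:34:38 lain kernel: [ 4257.442280] type=1400 audit(1353155678.643:1071): avc:  denied  { create } for  pid=31625 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:34:51 lain kernel: [ 4269.807731] type=1400 audit(1353155691.033:1078): avc:  denied  { write } for  pid=31768 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:34:51 lain kernel: [ 4269.807752] type=1400 audit(1353155691.033:1079): avc:  denied  { read } for  pid=31768 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:41:25 lain kernel: [ 4663.539314] type=1400 audit(1353156085.547:1156): avc:  denied  { dac_override } for  pid=23003 comm="tcpdump" capability=1  scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=capability
Nov 17 13:41:25 lain kernel: [ 4663.539333] type=1400 audit(1353156085.547:1157): avc:  denied  { dac_read_search } for  pid=23003 comm="tcpdump" capability=2  scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=capability
Nov 17 13:53:14 lain kernel: [ 5371.286855] type=1400 audit(1353156794.701:1230): avc:  denied  { sys_chroot } for  pid=2308 comm="tcpdump" capability=18  scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=capability
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= set(fields):
        return None
    # A context is user:role:type[:range]; policy rules only need the type.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    fields["perms"] = m.group("perms").split()
    return fields


def collect_rules(log_text):
    """Group denials into {(source type, target type, class): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            ttype = "self" if d["ttype"] == d["stype"] else d["ttype"]
            rules[(d["stype"], ttype, d["tclass"])].update(d["perms"])
    return dict(rules)


# Assumption 1: these process permissions are requested on every domain
# transition and are normally dontaudited, not allowed.
TRANSITION_NOISE = {"rlimitinh", "siginh", "noatsecure"}


def _rule(kind, stype, ttype, tclass, perms):
    return f"{kind} {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"


def triage(rules):
    """Split grouped denials into allow rules and dontaudit rules."""
    allow, dontaudit = [], []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perms = set(perms)
        quiet = set()
        if tclass == "process":
            quiet |= perms & TRANSITION_NOISE
        # Assumption 2 (comment 1's argument): the kernel checks dac_override
        # before dac_read_search, so when both are requested only the narrower
        # dac_read_search needs to be granted and dac_override is just noise.
        if tclass == "capability" and "dac_read_search" in perms:
            quiet |= perms & {"dac_override"}
        perms -= quiet
        if perms:
            allow.append(_rule("allow", stype, ttype, tclass, perms))
        if quiet:
            dontaudit.append(_rule("dontaudit", stype, ttype, tclass, quiet))
    return allow, dontaudit


if __name__ == "__main__":
    allow_rules, dontaudit_rules = triage(collect_rules(SAMPLE_LOG))
    print("\n".join(allow_rules + dontaudit_rules))
```

Run against the sample, the script yields an allow rule for netlink_socket { create read write } and for capability { dac_read_search sys_chroot }, and dontaudit rules for dac_override and the process-inheritance permissions; the point is that the narrowest permission that makes the tool work is the one to grant, and the rest is silenced rather than allowed.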
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-17 20:18:48 UTC
Okay, is in (live ebuilds ok, will be in rev 8)
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-23 21:40:04 UTC
r8 in hardened-dev overlay
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-03 09:35:55 UTC
r8 is now in main tree, ~arch
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-13 10:13:16 UTC
r8 is now stable