SElinux is preventing /usr/bin/ping from read access on file file.

Support for security such as Firewalls and securing linux
AndySZA
Posts: 4
Joined: 2019/11/05 10:33:03

SElinux is preventing /usr/bin/ping from read access on file file.

Post by AndySZA » 2020/01/17 17:53:31

Anyone else have this problem after upgrading to CentOS 8.1?
platform-python was upgraded in the last update.
The alerts I am getting are:

Jan 17 19:49:52 firewall8 setroubleshoot[32067]: SELinux is preventing /usr/bin/ping from read access on the file file. For complete SELinux messages run: sealert -l 59e28f6f-ee19-43b2-ba6b-9e65d6248b89
Jan 17 19:49:52 firewall8 platform-python[32067]: SELinux is preventing /usr/bin/ping from read access on the file file.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that ping should be allowed read access on the file file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ping' --raw | audit2allow -M my-ping#012# semodule -X 300 -i my-ping.pp#012

My sealert info is:

SELinux is preventing /usr/bin/ping from read access on the file file.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that ping should be allowed read access on the file file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ping' --raw | audit2allow -M my-ping
# semodule -X 300 -i my-ping.pp


Additional Information:
Source Context system_u:system_r:ping_t:s0
Target Context system_u:system_r:initrc_t:s0
Target Objects file [ file ]
Source ping
Source Path /usr/bin/ping
Port <Unknown>
Host firewall8.internal
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name firewall8.internal
Platform Linux firewall8.internal
4.18.0-80.11.2.el8_0.x86_64 #1 SMP Tue Sep 24
11:32:19 UTC 2019 x86_64 x86_64
Alert Count 18528
First Seen 2020-01-16 18:06:33 SAST
Last Seen 2020-01-17 19:49:42 SAST
Local ID 59e28f6f-ee19-43b2-ba6b-9e65d6248b89

Raw Audit Messages
type=AVC msg=audit(1579283382.154:20603): avc: denied { read } for pid=28176 comm="ping" path="net:[4026531992]" dev="nsfs" ino=4026531992 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=file permissive=0


Hash: ping,ping_t,initrc_t,file,read

Regards,
Andy
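To read a denial like the raw AVC record in the post above without reaching for audit2allow, here is a small parser (an added example, not code from this thread or from the SELinux tooling). It splits the record into its fields, rebuilds the single allow rule that audit2allow -m would print for it, and flags that the target context here carries a process role (system_r) and a domain type (initrc_t) rather than object_r with a file type, which is what makes this net:[...] nsfs object unusual.

```python
import re

# Constructed sample input: the raw AVC record quoted in the post above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1579283382.154:20603): avc: denied { read } for pid=28176 '
    'comm="ping" path="net:[4026531992]" dev="nsfs" ino=4026531992 '
    'scontext=system_u:system_r:ping_t:s0 tcontext=system_u:system_r:initrc_t:s0 '
    'tclass=file permissive=0'
)

_PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record):
    """Split one raw AVC record into a dict; None for non-AVC lines.
    Quoted values lose their quotes; the { } permission set becomes a sorted
    list under 'perms'."""
    if not record.startswith('type=AVC'):
        return None
    m = _PERMS_RE.search(record)
    if m is None:
        return None
    fields = {'decision': m.group(1), 'perms': sorted(m.group(2).split())}
    # Scan key=value pairs only after the braces so msg=audit(...) is skipped.
    for key, value in _KV_RE.findall(record[m.end():]):
        fields[key] = value.strip('"')
    return fields


def context_parts(ctx):
    """Return (user, role, type) of an SELinux context user:role:type:level."""
    return tuple(ctx.split(':')[:3])


def te_rule(fields):
    """Build the allow rule audit2allow -m prints for a single AVC denial."""
    src = context_parts(fields['scontext'])[2]
    tgt = context_parts(fields['tcontext'])[2]
    perms = fields['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (src, tgt, fields['tclass'], perm_str)


def target_is_process_label(fields):
    """True when the object's context has a process role (not object_r), i.e.
    the inode took its label from a task: the nsfs net:[...] entry in the
    sample carries initrc_t, a domain type, rather than a file type."""
    return context_parts(fields['tcontext'])[1] != 'object_r'
```

Feed it the output of `ausearch -m AVC --raw` line by line to get the same allow rules audit2allow would produce, plus the process-label flag for each denial.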

TrevorH
Forum Moderator
Posts: 28511
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SElinux is preventing /usr/bin/ping from read access on file file.

Post by TrevorH » 2020/01/17 18:37:51

4.18.0-80.11.2.el8_0.x86_64 #1 SMP Tue Sep 24
That's still the 8.0 kernel not the new 8.1 one. Did you reboot after the update?

AndySZA
Posts: 4
Joined: 2019/11/05 10:33:03

Re: SElinux is preventing /usr/bin/ping from read access on file file.

Post by AndySZA » 2020/01/18 20:59:35

Must have grabbed an alert from before the reboot.
Same is still happening after the reboot.

Platform Linux firewall8.internal
4.18.0-147.3.1.el8_1.x86_64 #1 SMP Fri Jan 3
23:55:26 UTC 2020 x86_64 x86_64

hunter86_bg
Posts: 2015
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: SElinux is preventing /usr/bin/ping from read access on file file.

Post by hunter86_bg » 2020/01/18 23:12:29

Try to do a full relabel (which might take a lot of time - depends on the number of files on the system) via:


touch /.autorelabel && reboot 

aks
Posts: 2992
Joined: 2014/09/20 11:22:14

Re: SElinux is preventing /usr/bin/ping from read access on file file.

Post by aks » 2020/01/20 17:53:51

Agreed (re: the mis-labelling).
Seemingly initrc type is the target for the ping.

If a re-label doesn't work, please post the output from:
ausearch -c 'ping' --raw | audit2allow -m my-ping
This will give a type enforcement rule, in text that can be read to help determine what's going on; it should not make changes to your system.
Also some context, around what you're trying to do and why.

AndySZA
Posts: 4
Joined: 2019/11/05 10:33:03

Re: SElinux is preventing /usr/bin/ping from read access on file file.

Post by AndySZA » 2020/01/22 09:52:23

The re-label did not seem to solve the problem.
The context is a straight upgrade (dnf check-update then dnf upgrade) from the initial 8.0 (1905) to 8.1 (1911).
The purpose of this was a) to keep up to date and b) to install frr as the new routing daemon which only became available in 1911.
This is a firewall/router/mail router/vpn server/vpn site-to-site gateway, running dual stack.

Other services include nftables, httpd, bind, dhcp, squid, openvpn, mutt, postfix, webmin, dovecot, NetworkManager-ppp, iptraf-ng

my-ping.pp:

myping.te:
module my-ping 1.0;

require {
type ping_t;
type initrc_t;
class file read;
}

#============= ping_t ==============
allow ping_t initrc_t:file read;

A straight install of 1911 with purely mongodb and mysql on it does not exhibit the same issue.

aks
Posts: 2992
Joined: 2014/09/20 11:22:14

Re: SElinux is preventing /usr/bin/ping from read access on file file.

Post by aks » 2020/01/23 19:31:23

The re-label did not seem to solve the problem.
Well then it's disallowed (unless something went wrong with the relabel).

Seemingly the ping type wishes to read the file of type initrc - so you're running updates at boot? Sounds like a bad idea.

Anyway, you could install said te (although not the one you've posted - you've got encoding errors - possibly copied and pasted using Windows?)

So SE is stopping you, there may be other problems further down the stack that are not yet prevalent.

If I were you, I'd set se to permissive mode (persistently) and boot up. If it works, then only se is stopping you (in which case you could install the te); if it doesn't, then other things are at play here.
