Attachment 155866 Details for Bug 242015 – detailed explaination from the setroubleshoot browser

detailed explaination from the setroubleshoot browser

selinux_alert.txt (text/plain), 5.43 KB, created by Dennis Ortsen on 2007-06-01 09:51:41 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Dennis Ortsen

Created: 2007-06-01 09:51:41 UTC

Size: 5.43 KB

patch

obsolete

>Summary
>    SELinux is preventing /usr/sbin/wpa_supplicant (NetworkManager_t) "write" to
>    eth1 (var_run_t).
>
>Detailed Description
>    SELinux is preventing /usr/sbin/wpa_supplicant (NetworkManager_t) "write" to
>    eth1 (var_run_t). The SELinux type %TARGET_TYPE, is a generic type for all
>    files in the directory and very few processes (SELinux Domains) are allowed
>    to write to this SELinux type.  This type of denial usual indicates a
>    mislabeled file.  By default a file created in a directory has the gets the
>    context of the parent directory, but SELinux policy has rules about the
>    creation of directories, that say if a process running in one SELinux Domain
>    (D1) creates a file in a directory with a particular SELinux File Context
>    (F1) the file gets a different File Context (F2).  The policy usually allows
>    the SELinux Domain (D1) the ability to write or append on (F2).  But if for
>    some reason a file (eth1) was created with the wrong context, this domain
>    will be denied.  The usual solution to this problem is to reset the file
>    context on the target file, restorecon -v eth1.  If the file context does
>    not change from var_run_t, then this is probably a bug in policy.  Please
>    file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against the
>    selinux-policy package. If it does change, you can try your application
>    again to see if it works.  The file context could have been mislabeled by
>    editing the file or moving the file from a different directory, if the file
>    keeps getting mislabeled, check the init scripts to see if they are doing
>    something to mislabel the file.
>
>Allowing Access
>    You can attempt to fix file context by executing restorecon -v eth1
>
>    The following command will allow this access:
>    restorecon eth1
>
>Additional Information        
>
>Source Context                user_u:system_r:NetworkManager_t
>Target Context                user_u:object_r:var_run_t
>Target Objects                eth1 [ sock_file ]
>Affected RPM Packages         wpa_supplicant-0.5.7-2.fc7 [application]
>Policy RPM                    selinux-policy-2.6.4-8.fc7
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   plugins.mislabeled_file
>Host Name                     x1.han.nl
>Platform                      Linux x1.han.nl 2.6.21-1.3194.fc7 #1 SMP Wed May
>                              23 22:35:01 EDT 2007 i686 i686
>Alert Count                   1
>First Seen                    Fri 01 Jun 2007 11:23:26 AM CEST
>Last Seen                     Fri 01 Jun 2007 11:38:35 AM CEST
>Local ID                      d452c37c-a9c1-432a-a022-b8307a694367
>Line Numbers                  
>
>Raw Audit Messages            
>
>avc: denied { write } for comm="wpa_supplicant" dev=dm-4 egid=0 euid=0
>exe="/usr/sbin/wpa_supplicant" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
>name="eth1" pid=7707 scontext=user_u:system_r:NetworkManager_t:s0 sgid=0
>subj=user_u:system_r:NetworkManager_t:s0 suid=0 tclass=sock_file
>tcontext=user_u:object_r:var_run_t:s0 tty=(none) uid=0
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>Summary
>    SELinux is preventing /usr/sbin/NetworkManager (NetworkManager_t) "unlink"
>    to eth1 (var_run_t).
>
>Detailed Description
>    SELinux denied access requested by /usr/sbin/NetworkManager. It is not
>    expected that this access is required by /usr/sbin/NetworkManager and this
>    access may signal an intrusion attempt. It is also possible that the
>    specific version or configuration of the application is causing it to
>    require additional access.
>
>Allowing Access
>    Sometimes labeling problems can cause SELinux denials.  You could try to
>    restore the default system file context for eth1, restorecon -v eth1 If this
>    does not work, there is currently no automatic way to allow this access.
>    Instead,  you can generate a local policy module to allow this access - see
>    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
>    SELinux protection altogether. Disabling SELinux protection is not
>    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
>    against this package.
>
>Additional Information        
>
>Source Context                user_u:system_r:NetworkManager_t
>Target Context                user_u:object_r:var_run_t
>Target Objects                eth1 [ sock_file ]
>Affected RPM Packages         NetworkManager-0.6.5-2.fc7 [application]
>Policy RPM                    selinux-policy-2.6.4-8.fc7
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   plugins.catchall_file
>Host Name                     x1.han.nl
>Platform                      Linux x1.han.nl 2.6.21-1.3194.fc7 #1 SMP Wed May
>                              23 22:35:01 EDT 2007 i686 i686
>Alert Count                   10
>First Seen                    Fri 01 Jun 2007 11:23:25 AM CEST
>Last Seen                     Fri 01 Jun 2007 11:38:38 AM CEST
>Local ID                      f3f89a41-ae0d-4da0-82d1-c7a3dc297a7e
>Line Numbers                  
>
>Raw Audit Messages            
>
>avc: denied { unlink } for comm="NetworkManager" dev=dm-4 egid=0 euid=0
>exe="/usr/sbin/NetworkManager" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
>name="eth1" pid=4460 scontext=user_u:system_r:NetworkManager_t:s0 sgid=0
>subj=user_u:system_r:NetworkManager_t:s0 suid=0 tclass=sock_file
>tcontext=user_u:object_r:var_run_t:s0 tty=(none) uid=0
>
>
>
>
>

Actions: View

Attachments on bug 242015: 155866