Bug 586284

Summary: SELinux is preventing /usr/sbin/NetworkManager "unlink" access on hosts.
Product: Fedora
Reporter: Davide Rossetti <davide.rossetti>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: adrigiga, bugzilla, christian.groove, coolmilo65, dan, dwalsh, idht4n, inboxacct2, jlaska, mgrepl, msdeleonpeque, pavel.ondracka, regulatre, sarrab1976, seva, seventhguardian, uahello, v.plessky, wswilburn
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:e25d52565b3f42a728bed591c653f2fde46c981762ed9ec3db7af9d793e442ca
Doc Type: Bug Fix
Last Closed: 2010-04-27 09:54:33 UTC

Attachments:
/var/log/audit/audit.log (uploaded to another PC via FTP) (flags: none)

Description Davide Rossetti 2010-04-27 08:49:33 UTC
Summary:

SELinux is preventing /usr/sbin/NetworkManager "unlink" access on hosts.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                hosts [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           NetworkManager-0.8.0-6.git20100408.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-110.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux geppetto.ape 2.6.32.11-99.fc12.x86_64 #1 SMP
                              Mon Apr 5 19:59:38 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 27 Apr 2010 10:44:25 AM CEST
Last Seen                     Tue 27 Apr 2010 10:44:25 AM CEST
Local ID                      9f8a9b4d-efdb-4179-898c-f9f89b50e67f
Line Numbers                  

Raw Audit Messages            

node=geppetto.ape type=AVC msg=audit(1272357865.901:8): avc:  denied  { unlink } for  pid=1634 comm="NetworkManager" name="hosts" dev=dm-0 ino=628 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

node=geppetto.ape type=SYSCALL msg=audit(1272357865.901:8): arch=c000003e syscall=82 success=yes exit=0 a0=1fb1300 a1=47dd2b a2=1fae8d0 a3=7fffa2cf94c0 items=0 ppid=1 pid=1634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)



Hash String generated from  catchall,NetworkManager,NetworkManager_t,etc_t,file,unlink
audit2allow suggests:

#============= NetworkManager_t ==============
allow NetworkManager_t etc_t:file unlink;

Comment 1 Miroslav Grepl 2010-04-27 09:54:33 UTC
Somehow "/etc/hosts" got the wrong label on it. Execute:

restorecon -v /etc/hosts

Should fix. Please reopen if this happens again.

Comment 2 v.plessky 2010-10-02 23:14:58 UTC
This bug should be re-opened.

I just loaded Fedora 14 Beta, and the Ethernet connection doesn't work (disabled).
I tried to re-enable it in NetworkManager and received a message similar to the above.
The connection (wired) remains disabled.

Comment 3 v.plessky 2010-10-02 23:21:56 UTC
Execution of
# restorecon -v /etc/hosts
doesn't bring the Ethernet (wired) connection alive.


[liveuser@localhost ~]$ ifconfig
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:720 (720.0 b)  TX bytes:720 (720.0 b)

wlan0     Link encap:Ethernet  HWaddr 00:13:D3:84:FE:9D  
          inet addr:192.168.1.51  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::213:d3ff:fe84:fe9d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2455 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1920 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2706074 (2.5 MiB)  TX bytes:239273 (233.6 KiB)

[liveuser@localhost ~]$ lspci
00:00.0 Host bridge: ATI Technologies Inc RS480 Host Bridge (rev 10)
00:01.0 PCI bridge: ATI Technologies Inc RS480 PCI Bridge
00:06.0 PCI bridge: ATI Technologies Inc RS480 PCI Bridge
00:07.0 PCI bridge: ATI Technologies Inc RS480 PCI Bridge
00:12.0 IDE interface: ATI Technologies Inc IXP SB400 Serial ATA Controller (rev 80)
00:13.0 USB Controller: ATI Technologies Inc IXP SB400 USB Host Controller (rev 80)
00:13.1 USB Controller: ATI Technologies Inc IXP SB400 USB Host Controller (rev 80)
00:13.2 USB Controller: ATI Technologies Inc IXP SB400 USB2 Host Controller (rev 80)
00:14.0 SMBus: ATI Technologies Inc IXP SB400 SMBus Controller (rev 83)
00:14.1 IDE interface: ATI Technologies Inc IXP SB400 IDE Controller (rev 80)
00:14.2 Audio device: ATI Technologies Inc IXP SB4x0 High Definition Audio Controller (rev 01)
00:14.3 ISA bridge: ATI Technologies Inc IXP SB400 PCI-ISA Bridge (rev 80)
00:14.4 PCI bridge: ATI Technologies Inc IXP SB400 PCI-PCI Bridge (rev 80)
00:18.0 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] HyperTransport Technology Configuration
00:18.1 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Address Map
00:18.2 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] DRAM Controller
00:18.3 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Miscellaneous Control
01:05.0 VGA compatible controller: ATI Technologies Inc RS482 [Radeon Xpress 200M]
04:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller (rev 01)
05:04.0 FireWire (IEEE 1394): O2 Micro, Inc. Firewire (IEEE 1394) (rev 02)
05:04.2 SD Host controller: O2 Micro, Inc. Integrated MMC/SD Controller (rev 01)
05:04.3 Mass storage controller: O2 Micro, Inc. Integrated MS/xD Controller (rev 01)
05:09.0 Network controller: RaLink RT2500 802.11g (rev 01)

[liveuser@localhost ~]$ nm-tool

NetworkManager Tool

State: connected

- Device: eth0 -----------------------------------------------------------------
  Type:              Wired
  Driver:            r8169
  State:             unavailable
  Default:           no
  HW Address:        00:16:17:51:9A:1D

  Capabilities:
    Carrier Detect:  yes
    Speed:           100 Mb/s

  Wired Properties
    Carrier:         off


- Device: wlan0  [Auto dd-wrt] -------------------------------------------------
  Type:              802.11 WiFi
  Driver:            rt2500pci
  State:             connected
  Default:           yes
  HW Address:        00:13:D3:84:FE:9D

  Capabilities:
    Speed:           18 Mb/s

  Wireless Properties
    WEP Encryption:  yes
    WPA Encryption:  yes
    WPA2 Encryption: yes

  Wireless Access Points (* = current AP)
    *dd-wrt:         Infra, 00:1B:FC:91:83:4C, Freq 2412 MHz, Rate 54 Mb/s, Strength 100 WPA2
    dlink:           Infra, 00:26:5A:32:B7:39, Freq 2437 MHz, Rate 54 Mb/s, Strength 54 WPA
    pantherx:        Infra, 00:1C:C5:D8:34:8C, Freq 2462 MHz, Rate 54 Mb/s, Strength 44 WEP

  IPv4 Settings:
    Address:         192.168.1.51
    Prefix:          24 (255.255.255.0)
    Gateway:         192.168.1.2

    DNS:             192.168.1.2

-----------------

As you see, there is an Ethernet adapter, but the connection is not available.
On the other hand, the Wi-Fi connection is working.

Comment 4 Daniel Walsh 2010-10-03 10:37:27 UTC
Are you seeing AVC messages within /var/log/audit/audit.log or /var/log/messages?

Comment 5 v.plessky 2010-10-03 16:38:05 UTC
Good question.
gedit crashes when I attempt to open audit.log.

[root@localhost liveuser]# cd /var/log/audit
[root@localhost audit]# gedit audit.log

** (gedit:3119): WARNING **: AT-SPI: Accessibility bus not found - Using session bus.


** (gedit:3119): WARNING **: AT-SPI: Couldn't connect to bus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.


(gedit:3119): EggSMClient-WARNING **: Failed to connect to the session manager: None of the authentication protocols specified are supported

**
GLib-GIO:ERROR:gdbusconnection.c:2170:initable_init: assertion failed: (connection->initialization_error == NULL)
Aborted (core dumped)

Comment 6 v.plessky 2010-10-03 16:57:51 UTC
Created attachment 451292 [details]
/var/log/audit/audit.log  (uploaded to another PC via FTP)


I may add that today I see the wired Ethernet connection in NetworkManager.
Besides, I can disable and re-enable it (Auto eth0).

What did I do differently compared to yesterday?
I booted this computer into Windows (XP) in the morning, and later booted into Fedora 14 Beta from a Live USB stick.

It seems the current version of Fedora 14 (Beta) doesn't correctly initialize the wired interface on boot (in some cases).

Comment 7 Daniel Walsh 2010-10-04 16:35:31 UTC
No AVCs in the log file, so I don't think SELinux is blocking it.

Comment 8 Seva 2010-10-07 21:39:49 UTC
Trying to open a ticket, it took me here as a duplicate; not sure if it's related, but...

Summary:

SELinux is preventing /usr/sbin/NetworkManager "unlink" access on
/etc/NetworkManager/NetworkManager.conf.

Detailed Description:

SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                /etc/NetworkManager/NetworkManager.conf [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           NetworkManager-0.8.1-6.git20100831.fc14
Target RPM Packages           NetworkManager-0.8.1-6.git20100831.fc14
Policy RPM                    selinux-policy-3.9.5-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.35.4-28.fc14.x86_64 #1 SMP Wed Sep 15 01:56:54
                              UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 07 Oct 2010 03:30:09 PM CDT
Last Seen                     Thu 07 Oct 2010 03:30:09 PM CDT
Local ID                      482350b7-3b53-43e5-b813-fb960015e075
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1286483409.456:62480): avc:  denied  { unlink } for  pid=6264 comm="NetworkManager" name="NetworkManager.conf" dev=dm-0 ino=53046 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1286483409.456:62480): arch=c000003e syscall=82 success=no exit=-13 a0=966810 a1=950f90 a2=961ea0 a3=1 items=0 ppid=1 pid=6264 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Comment 9 Daniel Walsh 2010-10-08 12:56:39 UTC
I opened a bug on NetworkManager.

https://bugzilla.redhat.com/show_bug.cgi?id=641331
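The two denials on this page are the same AVC, NetworkManager_t requesting { unlink } on an etc_t file, with opposite root causes: in the original report /etc/hosts had lost its net_conf_t label and the fix was restorecon (Comment 1), while in Comment 8 NetworkManager.conf carries the label the policy expects and the access itself is the question, hence a bug against NetworkManager (Comment 9). The script below is an added triage example, not code from this bug, Fedora or NetworkManager. It parses the AVC and SYSCALL records quoted in the description and in Comment 8, compares the observed type with the type a two-entry, assumed subset of the targeted policy's file_contexts would assign (/etc(/.*)? to etc_t, /etc/hosts to net_conf_t), and reads success= on the paired SYSCALL record to tell a permissive-mode log entry (success=yes) from an enforced EACCES (success=no exit=-13). The basename-to-path mapping is a constructed table taken from each report's "Target Objects" field, since AVC records only carry name=.

```python
"""Triage an SELinux AVC: mislabeled target file, or a genuine policy gap?

Added example; not code from this bug report, Fedora or NetworkManager.
For each denied file AVC it parses the record and its paired SYSCALL record,
looks up the label the policy would assign to the target path, and recommends
`restorecon` when the observed label differs from the expected one and a
policy/application bug otherwise.
"""
import re

# Constructed sample log: the AVC/SYSCALL pairs from the two reports on this
# page (description and Comment 8), with the leading "node=..." field removed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1272357865.901:8): avc:  denied  { unlink } for  pid=1634 comm="NetworkManager" name="hosts" dev=dm-0 ino=628 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1272357865.901:8): arch=c000003e syscall=82 success=yes exit=0 a0=1fb1300 a1=47dd2b a2=1fae8d0 a3=7fffa2cf94c0 items=0 ppid=1 pid=1634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1286483409.456:62480): avc:  denied  { unlink } for  pid=6264 comm="NetworkManager" name="NetworkManager.conf" dev=dm-0 ino=53046 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1286483409.456:62480): arch=c000003e syscall=82 success=no exit=-13 a0=966810 a1=950f90 a2=961ea0 a3=1 items=0 ppid=1 pid=6264 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
"""

# AVC records carry only the basename (name=...); the full path comes from
# setroubleshoot's "Target Objects" field in each report (constructed mapping).
OBSERVED_PATHS = {
    "hosts": "/etc/hosts",
    "NetworkManager.conf": "/etc/NetworkManager/NetworkManager.conf",
}

# Assumed two-entry subset of the Fedora targeted policy's file_contexts:
# the generic /etc rule and the specific rule labelling /etc/hosts net_conf_t.
# As in the real file_contexts, later entries override earlier ones.
EXPECTED_CONTEXTS = [
    (r"/etc(/.*)?", "etc_t"),
    (r"/etc/hosts", "net_conf_t"),
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$")
MSG_ID_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")


def parse_fields(text):
    """Parse `key=value key="quoted value"` text into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_audit(text):
    """Group AVC and SYSCALL records by audit event id, the N in msg=audit(ts:N)."""
    events = {}
    for line in text.splitlines():
        m = MSG_ID_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(2), {"event": m.group(2)})
        if line.startswith("type=AVC"):
            am = AVC_RE.search(line)
            if am:
                avc = parse_fields(am.group(3))
                avc["decision"] = am.group(1)
                avc["perms"] = am.group(2).split()
                ev["avc"] = avc
        elif line.startswith("type=SYSCALL"):
            ev["syscall"] = parse_fields(line)
    return [events[k] for k in sorted(events, key=int)]


def type_of(context):
    """Type field of a user:role:type[:level] context string."""
    return context.split(":")[2]


def expected_type_for(path, file_contexts=EXPECTED_CONTEXTS):
    """Label restorecon would apply: the last file_contexts entry matching the path."""
    expected = None
    for pattern, selinux_type in file_contexts:
        if re.fullmatch(pattern, path):
            expected = selinux_type
    return expected


def triage(audit_text, observed_paths=OBSERVED_PATHS, file_contexts=EXPECTED_CONTEXTS):
    """Return one finding per denied file AVC with a verdict and the action to take."""
    findings = []
    for ev in parse_audit(audit_text):
        avc = ev.get("avc")
        if not avc or avc["decision"] != "denied" or avc.get("tclass") != "file":
            continue
        path = observed_paths.get(avc.get("name", ""))
        observed = type_of(avc["tcontext"])
        expected = expected_type_for(path, file_contexts) if path else None
        # The paired SYSCALL record says whether the denial took effect:
        # success=yes means permissive mode (logged only); success=no with
        # exit=-13 (EACCES) means enforcing mode actually blocked the call.
        enforced = ev.get("syscall", {}).get("success") == "no"
        if expected is not None and expected != observed:
            verdict = "mislabeled"
            action = "restorecon -v %s" % path
        else:
            verdict = "policy-gap"
            action = ("label matches policy; file a bug rather than adding "
                      "'allow %s %s:file %s;', which would cover every %s file"
                      % (type_of(avc["scontext"]), observed,
                         " ".join(avc["perms"]), observed))
        findings.append({
            "event": ev["event"], "comm": avc.get("comm"), "path": path,
            "perms": avc["perms"], "observed": observed, "expected": expected,
            "enforced": enforced, "verdict": verdict, "action": action,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print("event %s: %s {%s} on %s: observed %s, expected %s, enforced=%s -> %s: %s"
              % (f["event"], f["comm"], " ".join(f["perms"]), f["path"], f["observed"],
                 f["expected"], f["enforced"], f["verdict"], f["action"]))
```

On a live system the same check is `ls -Z /etc/hosts` against `matchpathcon /etc/hosts`: if they differ, `restorecon` rewrites only the label, whereas the `allow NetworkManager_t etc_t:file unlink;` rule that audit2allow proposes in the description would let NetworkManager delete any etc_t file, most of /etc. The seuser `unconfined_u` on the mislabeled /etc/hosts is itself a hint that the file was recreated by a user session rather than laid down by the policy's file_contexts.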