| Summary: | SELinux is preventing /usr/libexec/nm-dhcp-helper from 'connectto' accesses on the unix_stream_socket /run/NetworkManager/private-dhcp. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Laurent Wandrebeck <l.wandrebeck> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED WORKSFORME | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 20 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | i686 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:6aa0ddbe5a4f66621e38ab81dccc3072c817adfe6b95e5531bb1708e90aa45fc | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-10-05 18:41:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Looks like the latest batch of updates fixed the problem. Sorry for the noise.
Description of problem:

Launched NetworkManager by hand as there was something buggy about network management in F20 alpha, updates-testing enabled. « Les services réseau du système ne sont pas compatibles avec cette version. » in French, GNOME parameters, network. Should be something like « Network services are not compatible with this version. »

Once NM launched (and properly gave me network access, wifi and eth were both non-functional before that), I got this SELinux alert.

    SELinux is preventing /usr/libexec/nm-dhcp-helper from 'connectto' accesses on the unix_stream_socket /run/NetworkManager/private-dhcp.

    *****  Plugin catchall (100. confidence) suggests  **************************

    If vous pensez que nm-dhcp-helper devrait être autorisé à accéder connectto sur private-dhcp unix_stream_socket par défaut.
    Then vous devriez rapporter ceci en tant qu'anomalie.
    Vous pouvez générer un module de stratégie local pour autoriser cet accès.
    Do
    autoriser cet accès pour le moment en exécutant :
    # grep nm-dhcp-helper /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    Additional Information:
    Source Context                unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
    Target Context                unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
    Target Objects                /run/NetworkManager/private-dhcp [ unix_stream_socket ]
    Source                        nm-dhcp-helper
    Source Path                   /usr/libexec/nm-dhcp-helper
    Port                          <Inconnu>
    Host                          (removed)
    Source RPM Packages           NetworkManager-0.9.9.0-13.git20131001.fc20.i686
    Target RPM Packages
    Policy RPM                    selinux-policy-3.12.1-84.fc20.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     (removed)
    Platform                      Linux (removed) 3.11.2-301.fc20.i686 #1 SMP Fri Sep 27 20:09:07 UTC 2013 i686 i686
    Alert Count                   1
    First Seen                    2013-10-05 08:57:27 CEST
    Last Seen                     2013-10-05 08:57:27 CEST
    Local ID                      e67d6d42-4907-4ee8-a7ec-df467c7885d5

    Raw Audit Messages
    type=AVC msg=audit(1380956247.418:496): avc: denied { connectto } for pid=2617 comm="nm-dhcp-helper" path="/run/NetworkManager/private-dhcp" scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

    type=SYSCALL msg=audit(1380956247.418:496): arch=i386 syscall=socketcall success=no exit=EACCES a0=3 a1=bfd4e1b0 a2=b7732000 a3=bfd4e1de items=0 ppid=2615 pid=2617 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=(none) comm=nm-dhcp-helper exe=/usr/libexec/nm-dhcp-helper subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)

    Hash: nm-dhcp-helper,dhcpc_t,unconfined_t,unix_stream_socket,connectto

Additional info:

    reporter:       libreport-2.1.7
    hashmarkername: setroubleshoot
    kernel:         3.11.2-301.fc20.i686
    type:           libreport