Bug 1480910
| Summary: | SELinux is preventing dhclient from 'map' accesses on the file /var/lib/NetworkManager/dhclient-ens3.conf. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Joachim Frieben <jfrieben> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 27 | CC: | awilliam, dominick.grift, dwalsh, lsm5, lvrabec, mgrepl, plautrba, pmoore, ssekidde |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:d8ece69370e36d241f57baa27d9c2c79b09cee36b2189f2ea48adf8ff2971ac4;VARIANT_ID=workstation; | ||
| Fixed In Version: | selinux-policy-3.13.1-271.fc27 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-08-20 14:17:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1481454 | ||
Description of problem:
Happened in normal system use after the 'map' permission was added. There will likely be dupes of this with different file names, as the file is named for the network interface ('br1' in this case).
Version-Release number of selected component:
selinux-policy-3.13.1-270.fc27.noarch
Additional info:
reporter: libreport-2.9.1
hashmarkername: setroubleshoot
kernel: 4.13.0-0.rc4.git4.1.fc27.x86_64
type: libreport
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'. commit 7eef67f6b89825ef29042aff8c432751153b685f (HEAD -> rawhide)
Author: Stephen Smalley <sds.gov>
Date: Wed May 24 15:41:22 2017 -0400
contrib: allow map permission where needed
Allow map permission where needed, based on limited testing.
Introduced in the kernel in commit 6941857e82ae ("selinux: add a map
permission check for mmap"). Depends on "refpolicy: Define and
allow map permission" to define the permission.
Signed-off-by: Stephen Smalley <sds.gov>
Fixes issue. Moving to post.
|
Description of problem: SELinux is preventing dhclient from 'map' accesses on the file /var/lib/NetworkManager/dhclient-ens3.conf. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that dhclient should be allowed map access on the dhclient-ens3.conf file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'dhclient' --raw | audit2allow -M my-dhclient # semodule -X 300 -i my-dhclient.pp Additional Information: Source Context system_u:system_r:dhcpc_t:s0 Target Context system_u:object_r:NetworkManager_var_lib_t:s0 Target Objects /var/lib/NetworkManager/dhclient-ens3.conf [ file ] Source dhclient Source Path dhclient Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-270.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 4.13.0-0.rc4.git4.1.fc27.x86_64 #1 SMP Fri Aug 11 15:03:46 UTC 2017 x86_64 x86_64 Alert Count 2 First Seen 2017-08-12 22:44:46 CEST Last Seen 2017-08-12 22:46:58 CEST Local ID 90467ac9-2a0d-4415-8b0b-b5b6035d17de Raw Audit Messages type=AVC msg=audit(1502570818.957:403): avc: denied { map } for pid=2513 comm="dhclient" path="/var/lib/NetworkManager/dhclient-ens3.conf" dev="dm-0" ino=269730 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:NetworkManager_var_lib_t:s0 tclass=file permissive=1 Hash: dhclient,dhcpc_t,NetworkManager_var_lib_t,file,map Version-Release number of selected component: selinux-policy-3.13.1-270.fc27.noarch Additional info: component: selinux-policy reporter: libreport-2.9.1 hashmarkername: setroubleshoot kernel: 4.13.0-0.rc4.git4.1.fc27.x86_64 type: libreport