Bug 239824

Summary: Selinux Denies NetworkManager-vpnc (--no-daemon mode)
Product: [Fedora] Fedora Reporter: Warren Togami <wtogami>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: davej, dcbw, dwalsh, tmraz, wtogami
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-10-24 14:31:25 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On:    
Bug Blocks: 235704    

Description Warren Togami 2007-05-11 11:48:32 EDT
kernel-2.6.21-1.3145.fc7.x86_64
vpnc-0.4.0-2.fc7
NetworkManager-0.6.5-2.fc7

I upgraded only kernel-2.6.21-1.3145.fc7 and suddenly vpnc stops working.  

type=USER_AVC msg=audit(1178897966.675:43): user pid=2461 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for
msgtype=method_call interface=org.freedesktop.NetworkManager.vpnc
member=signalIP4Config dest=org.freedesktop.NetworkManager.vpnc spid=6396
tpid=6056 scontext=user_u:system_r:vpnc_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=dbus : exe="/bin/dbus-daemon"
(sauid=81, hostname=?, addr=?, terminal=?)'

setenforce 0 allows vpnc to work again.
Comment 1 Tomas Mraz 2007-05-11 12:16:23 EDT
This needs adjustments in selinux policy.
Comment 2 Will Woods 2007-05-11 17:58:11 EDT
Can't reproduce this on i386 (kernel 3149, policy 2.6.1-1.fc7) - might be
x86_64-only?
Comment 3 Daniel Walsh 2007-05-14 13:49:35 EDT
Why is /bin/dbus-daemon running as unconfined_t?

Did you start this by hand?  
Comment 4 Warren Togami 2007-05-14 13:58:58 EDT
Yes, I realized what happened.

I was running NetworkManager --no-daemon by hand as is customary when you are
trying to debug NetworkManager's behavior.

I would expect that NetworkManager should behave identically when run in this
manner.  Is it possible or reasonable to modify the policy to allow this?
Comment 5 Daniel Walsh 2007-05-14 14:09:01 EDT
I can make that change.  By default I don't though because it will also cause
problems the other way.  We have turned off most transitions from unconfined_t
and only on from initrc_t.  People testing code do things like httpd >> ~/mylog
which is denied by SELinux since apache is not allowed to write to the homedir.
 So we have a fine line of when to transition.

But if you want the transition I will add it.
Comment 6 Will Woods 2007-05-15 15:24:15 EDT
Sounds like a bit of a security risk to make that change. So if running stuff by
hand causes these problems, what's the recommended way to test NetworkManager
without causing these problems? 

Maybe a SELinux boolean for allowing this transition would help?
Comment 7 Warren Togami 2007-05-15 17:03:28 EDT
I'm afraid if we don't allow this by default, it is effectively the same a
difficult to find hidden boolean.

What is a concrete example where allowing this would allow a compromise to happen?
Comment 8 Daniel Walsh 2007-05-15 21:03:11 EDT
I have no problem making the change for NetworkManager.  But this is more of a
problem for apps that are commonly run by the user and we don't want to confine
when run by the user.  The problem from an qa point of view, the administrator
can force the transition in permissive mode and using runcon.  You can also
attach gdb to the running process.
Comment 9 Warren Togami 2007-05-16 00:39:39 EDT
NetworkManager is only runnable by root.  Is this really a danger?

It is very non-obvious that NetworkManager --no-daemon would require a forced
transition to permissive or boolean in order to work, especially because it
fails only in a hidden non-default codepath.
Comment 10 Daniel Walsh 2007-05-17 11:46:26 EDT
Fixed in selinux-policy-2.6.4-4.fc7
Comment 11 Warren Togami 2007-10-05 00:23:05 EDT
NetworkManager-0.7.0-0.3.svn2914.fc8
NetworkManager-vpnc-0.7.0-0.2.svn2914.fc8
selinux-policy-3.0.8-17.fc8

This bug is back in rawhide, probably due to the re-architecting of NetworkManager.

/var/log/audit/audit.log:
type=USER_AVC msg=audit(1191557195.027:26): user pid=4258 uid=81 auid=500
subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for
msgtype=method_call interface=org.freedesktop.NetworkManager.VPN.Plugin
member=SetIp4Config dest=org.freedesktop.NetworkManager.vpnc spid=4508 tpid=4474
scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:system_r:unconfined_t:s0
tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'

NetworkManager debug message:
** (process:4574): WARNING **: <WARN>  send_ip4_config(): Could not send failure
information: An SELinux policy prevents this sender from sending this message to
this recipient (rejected message had interface
"org.freedesktop.NetworkManager.VPN.Plugin" member "SetIp4Config" error name
"(unset)" destination "org.freedesktop.NetworkManager.vpnc")



module vpncmanual 1.0;

require {
        type vpnc_t;
        type unconfined_t;
        class dbus send_msg;
}

#============= vpnc_t ==============
allow vpnc_t unconfined_t:dbus send_msg;

This .te file allows it to work for me.  Is this correct?

What happened to the previous solution?
Comment 12 Warren Togami 2007-10-05 00:36:32 EDT
Another AVC...

type=USER_AVC msg=audit(1191558535.881:38): user pid=4258 uid=81 auid=500
subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for
msgtype=signal interface=org.freedesktop.NetworkManager.VPN.Plugin
member=Ip4Config dest=org.freedesktop.DBus spid=4984 tpid=5301
scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:vpnc_t:s0
tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1191558535.881:39): user pid=4258 uid=81 auid=500
subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for
msgtype=signal interface=org.freedesktop.NetworkManager.VPN.Plugin
member=StateChanged dest=org.freedesktop.DBus spid=4984 tpid=5301
scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:vpnc_t:s0
tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'

NetworkManager debug message:
** (process:5301): WARNING **: <WARN>  send_ip4_config(): Could not send failure
information: Did not receive a reply. Possible causes include: the remote
application did not send a reply, the message bus security policy blocked the
reply, the reply timeout expired, or the network connection was broken.

module vpncmanual2 1.0;

require {
        type unconfined_t;
        type vpnc_t;
        class dbus send_msg;
}

#============= unconfined_t ==============
allow unconfined_t vpnc_t:dbus send_msg;
Comment 13 Daniel Walsh 2007-10-05 10:16:37 EDT
Fixed in selinux-policy-3.0.8-18