Bug 313971

Summary: couple of AVC denials breaking (among other things) NetworkManager
Product: [Fedora] Fedora
Reporter: Matěj Cepl <mcepl>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 7
CC: mcepl
Hardware: All
OS: Linux
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-10-15 17:45:19 UTC
Attachments:
/var/log/audit.log
/var/log/messages.1 with particular error messages about access denial to dbus socket
New NM Selinux module
Another selinux module I created as well
and the last SELinux module I made

Description Matěj Cepl 2007-10-01 15:06:44 UTC
Description of problem:
NetworkManager ceased to work quite recently for me, and after a lot of
searching I tried to work my way through audit2allow and when applying three
policies I have created with it, everything works.

Version-Release number of selected component (if applicable):
dbus-1.0.2-6.fc7
udev-113-12.fc7
NetworkManager-0.6.5-7.fc7
selinux-policy-2.6.4-45.fc7
selinux-policy-targeted-2.6.4-45.fc7

How reproducible:
100%

Steps to Reproduce:
1. restart computer with chkconfig NetworkManager set to "on".
2. messagebus is down, therefore a couple of daemons don't work (messages like
these happen):
Sep 29 17:15:52 viklef console-kit-daemon[2637]: WARNING: Couldn't connect to
system bus: Failed to connect to socket /var/run/dbus/system_bus_socket:
Connection refused 
3. NetworkManager is not able to get IP address from the network
  
Actual results:
messagebus is down, many daemons fail because of that, including NetworkManager

Expected results:
everything is OK, and I get free ice cream ;-)

Comment 1 Matěj Cepl 2007-10-01 15:06:44 UTC
Created attachment 212331
/var/log/audit.log

Comment 2 Matěj Cepl 2007-10-01 15:10:10 UTC
Created attachment 212341
/var/log/messages.1 with particular error messages about access denial to dbus socket

Comment 3 Matěj Cepl 2007-10-01 15:11:48 UTC
Created attachment 212351
New NM Selinux module

I think this is the module which made the trick

Comment 4 Matěj Cepl 2007-10-01 15:14:02 UTC
Created attachment 212361
Another selinux module I created as well

Just for the sake of completeness I have created this module as well -- I have
no clue whether it is needed or actually whether it is a good idea.

Comment 5 Matěj Cepl 2007-10-01 15:16:43 UTC
Created attachment 212371
and the last SELinux module I made

this is the last module I made

Comment 6 Daniel Walsh 2007-10-01 20:13:14 UTC
First off, for some reason your /root directory is labeled default_t.

restorecon -R -v /root 

should fix this.  All of your default_t messages are caused by this.

The hal messages are caused by a badly labeled pm-suspend.log.

restorecon -R -v /var/log

Should fix this.  And an updated version of pm-utils should be coming to fix
this forever, by placing the log file in /var/run/pm and /var/log/pm
subdirectory

dbus fixes will be in selinux-policy-2.6.4-46
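
Comment 6 separates denials caused by mislabeled files (target type default_t, fixed with restorecon) from denials that need a policy update. The Python example below is added here as an illustration and is not part of the original bug thread or its attachments; it sorts AVC records along that line before any audit2allow module is built. The names triage and MISLABEL_TYPES and all sample records are constructed for this example.

```python
import re
from collections import defaultdict

# Target types that mean "no file-context rule matched": relabel, do not allow.
# default_t is the type named in the thread; extend the set for your own policy.
MISLABEL_TYPES = {"default_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
FIELD_RE = re.compile(r'\b(comm|name|path)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def triage(lines):
    """Split AVC denials into 'relabel' and 'policy' review buckets."""
    result = defaultdict(list)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record (e.g. SYSCALL), skip it
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        rec = {
            "comm": fields.get("comm", "?"),
            "object": fields.get("path") or fields.get("name", "?"),
            "source_type": selinux_type(m["scontext"]),
            "target_type": selinux_type(m["tcontext"]),
            "tclass": m["tclass"],
            "perms": m["perms"].split(),
        }
        bucket = "relabel" if rec["target_type"] in MISLABEL_TYPES else "policy"
        result[bucket].append(rec)
    return dict(result)

# Constructed sample records, not taken from the attachments of this bug.
SAMPLE = [
    'type=AVC msg=audit(1191250000.101:40): avc:  denied  { read } for  pid=2101 comm="example-daemon" name="notes.txt" dev=dm-0 ino=1001 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file',
    'type=AVC msg=audit(1191250000.202:41): avc:  denied  { write } for  pid=2637 comm="example-client" name="system_bus_socket" dev=dm-0 ino=2002 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file',
    'type=SYSCALL msg=audit(1191250000.202:41): arch=40000003 syscall=102 success=no exit=-13 comm="example-client"',
]

if __name__ == "__main__":
    for bucket, records in triage(SAMPLE).items():
        for r in records:
            print(bucket, r["comm"], r["object"], r["target_type"], r["perms"])
```

Records in the "relabel" bucket point at files to fix with restorecon; only the "policy" bucket is worth reviewing as a possible policy change.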

Comment 7 Matěj Cepl 2007-10-01 21:49:47 UTC
I can fully confirm mislabeled /root (I have no idea how that happened), but
restorecon -v -R /var didn't say anything about relabeling of pm-suspend.log.

Comment 8 Matěj Cepl 2007-10-13 13:34:22 UTC
I think this has been fixed in subsequent updates of selinux-policy.