Bug 314511

Summary: NM/gdb SELinux denial
Product: [Fedora] Fedora
Reporter: Zack Cerza <zcerza>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: low
Priority: low
Version: rawhide
Hardware: All
OS: Linux
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 19:05:39 UTC

Description Zack Cerza 2007-10-01 19:09:16 UTC
I'm guessing this was triggered by an NM crash.

NetworkManager-0.7.0-0.3.svn2914.fc8
selinux-policy-targeted-3.0.8-14.fc8
gdb-6.6-30.fc8

Summary
    SELinux is preventing access to files with the label, file_t.

Detailed Description
    SELinux permission checks on files labeled file_t are being denied.  file_t
    is the context the SELinux kernel gives to files that do not have a label.
    This indicates a serious labeling problem. No files on an SELinux box should
    ever be labeled file_t. If you have just added a new disk drive to the
    system you can relabel it using the restorecon command.  Otherwise you
    should relabel the entire files system.

Allowing Access
    You can execute the following command as root to relabel your computer
    system: "touch /.autorelabel; reboot"

Additional Information        

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:file_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         gdb-6.6-30.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-14.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.file
Host Name                     megadoomer
Platform                      Linux megadoomer 2.6.23-0.214.rc8.git2.fc8 #1 SMP
                              Fri Sep 28 17:38:00 EDT 2007 i686 i686
Alert Count                   20
First Seen                    Mon 01 Oct 2007 03:03:23 PM EDT
Last Seen                     Mon 01 Oct 2007 03:03:23 PM EDT
Local ID                      f0204547-7f01-403d-a61f-dcda36900b09
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm=gdb dev=sda6 egid=0 euid=0 exe=/usr/bin/gdb
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=57 pid=9949
scontext=system_u:system_r:NetworkManager_t:s0 sgid=0
subj=system_u:system_r:NetworkManager_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:file_t:s0 tty=(none) uid=0
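
Added example (not part of the original report or of setroubleshoot): a Python parser for AVC denial lines in the key=value form shown above, which picks out denials whose target type is file_t and groups them by device, source domain and object class, so the unlabeled filesystem can be identified. The function names and the second and third sample lines are constructed for illustration; quoted values containing spaces are assumed not to occur.

```python
import re
from collections import Counter

# First entry: the denial from this report, joined onto one line.
# Second and third entries are constructed to exercise the non-matching paths.
SAMPLE_LOG = [
    "avc: denied { search } for comm=gdb dev=sda6 egid=0 euid=0 exe=/usr/bin/gdb "
    "exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=57 pid=9949 "
    "scontext=system_u:system_r:NetworkManager_t:s0 sgid=0 "
    "subj=system_u:system_r:NetworkManager_t:s0 suid=0 tclass=dir "
    "tcontext=system_u:object_r:file_t:s0 tty=(none) uid=0",
    'avc: denied { read } for comm="httpd" dev=sda6 name=index.html '
    "scontext=system_u:system_r:httpd_t:s0 "
    "tcontext=system_u:object_r:user_home_t:s0 tclass=file",
    "avc: granted { search } for comm=gdb dev=sda6 "
    "scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:file_t:s0",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Fields are whitespace-separated key=value tokens; strip optional quotes.
    tokens = (t.split("=", 1) for t in m["rest"].split() if "=" in t)
    rec = {k: v.strip('"') for k, v in tokens}
    rec["perms"] = m["perms"].split()
    return rec

def selinux_type(context):
    # A context is user:role:type[:level]; the type is the third field.
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def unlabeled_denials(lines):
    """Denials whose target object carries the file_t (no label) type."""
    recs = (parse_avc(line) for line in lines)
    return [r for r in recs if r and selinux_type(r.get("tcontext", "")) == "file_t"]

def relabel_candidates(lines):
    """Count file_t denials per (device, source domain, object class)."""
    return Counter((r.get("dev", "?"), selinux_type(r.get("scontext", "")),
                    r.get("tclass", "?")) for r in unlabeled_denials(lines))

if __name__ == "__main__":
    for (dev, domain, tclass), n in relabel_candidates(SAMPLE_LOG).items():
        print(f"{n} denial(s): {domain} -> unlabeled {tclass} on {dev}")
```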

Comment 1 Zack Cerza 2007-10-01 19:10:28 UTC
I'm not sure what directory it was trying to touch, or why it was labeled
file_t, but I have done several autorelabels in the past.

Comment 2 Daniel Walsh 2007-10-01 20:21:31 UTC
Please execute

# fixfiles restore

and see what happens?

Comment 3 Daniel Walsh 2007-10-09 20:52:39 UTC
autorelabel should work in selinux-policy-3.0.8-18.fc8

Comment 4 Daniel Walsh 2008-01-30 19:05:39 UTC
Bulk closing old selinux policy bugs that were in the modified state.  If the
bug is still not fixed, please reopen.