Bug 428645
Summary: selinux blocks script launched by NetworkManager dispatcher.d

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Fedora | Reporter | Kevin R. Page <redhat-bugzilla> |
| Component | selinux-policy-targeted | Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED NOTABUG | QA Contact | Ben Levenson <benl> |
| Severity | low | Docs Contact | |
| Priority | low | | |
| Version | 8 | CC | orion |
| Target Milestone | --- | Keywords | Reopened |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | Current | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2008-01-25 13:51:25 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Kevin R. Page
2008-01-14 11:54:21 UTC
Comment 1

It needs to be labeled bin_t to work. Why did you move this out of /etc/NetworkManager/dispatcher.d/ntpd-script?

    matchpathcon /etc/NetworkManager/dispatcher.d/ntpd-script
    /etc/NetworkManager/dispatcher.d/ntpd-script system_u:object_r:bin_t

If you move it to this directory and run restorecon on it, the script will be labeled bin_t and be executable. If you must have it in /etc (not recommended), you need to fix the labeling by executing

    # semanage fcontext -a -t bin_t /etc/ntpd-script
    # restorecon /etc/ntpd-script

Comment 2

Ah, sorry, I fouled up cut'n'paste on the second reference to the file - it is, and always has been, in /etc/NetworkManager/dispatcher.d/. restorecon doesn't label it bin_t:

    # restorecon /etc/NetworkManager/dispatcher.d/ntpd-script
    # ls -aZ /etc/NetworkManager/dispatcher.d/ntpd-script
    -rwx------ root root system_u:object_r:etc_t:s0 /etc/NetworkManager/dispatcher.d/ntpd-script

and

    # matchpathcon /etc/NetworkManager/dispatcher.d/ntpd-script
    /etc/NetworkManager/dispatcher.d/ntpd-script system_u:object_r:etc_t:s0

which is different to your output in comment #1. I guess, from your matchpathcon output, that you're running a newer policy - is there a specific version I should try?

Comment 3

Fixed in selinux-policy-3.0.8-76.fc8

Comment 4

Same problem in F7 with selinux-policy-2.6.4-67.fc7.

Comment 5

Confirmed that the original issue is resolved for me in -76.fc8, now just for F7.

Comment 6

Fixed in selinux-policy-3.6.4-70.fc7

Comment 7

(In reply to comment #6)
> Fixed in selinux-policy-3.6.4-70.fc7

Looks good to me.

Comment 8

Original block is fixed, but with the same script I now get:

SELinux is preventing ntpd-script (NetworkManager_t) "getattr" to /var/run/ntpd.pid (ntpd_var_run_t).
Policy RPM: selinux-policy-3.0.8-76.fc8
Raw Audit Messages:

    avc: denied { getattr } for comm=ntpd-script dev=dm-1 egid=0 euid=0 exe=/bin/bash exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/var/run/ntpd.pid pid=5635 scontext=system_u:system_r:NetworkManager_t:s0 sgid=0 subj=system_u:system_r:NetworkManager_t:s0 suid=0 tclass=file tcontext=system_u:object_r:ntpd_var_run_t:s0 tty=(none) uid=0

Comment 9

I saw similar with my script and /var/lock. I fixed it by using the "service" command instead of trying to manipulate /var/lock directly. E.g.:

    /sbin/service ntp status
    /sbin/service ntp start

Comment 10

So your dispatcher script is doing a service ntp start?

For this type of local customization, I think you are going to have to write your own policy for now. In Rawhide, we have begun breaking out initrc scripts into separate types. So I can add

    ntp_script_domtrans(NetworkManager_t)

which allows NetworkManager to turn on and off ntp.

Comment 11

I can start and stop ntp (and ypbind and autofs) just fine using "/sbin/service" in my dispatcher scripts. I'm assuming that that handles the appropriate transitions. I don't think the dispatcher scripts should manipulate /var/run and /var/lock directly. No idea what Kevin's script is doing, so maybe he's having a different problem.

Comment 12

Yes, currently policy has

    init_domtrans_script(NetworkManager_t)

which is probably too broad. This allows NetworkManager to run any initrc script. I would like to get to the point where it would only be able to start and stop network services scripts. Not iptables, for example.

Comment 13

(In reply to comment #10)
> So your dispatcher script is doing a service ntp start?

Yes, and a restart again if the interface is changed. With ntpd in a normal runlevel init has to wait for ntpd to time out when there (often) isn't any network on boot.

The script (taken from the link in comment #0) was checking for - but not changing - /var/run/ntpd.pid to find whether ntpd was active. I changed this to call "/sbin/service ntpd status" and it's no longer blocked by selinux (with the current policy, at least). Thanks!

As for the future, I'd expect (hope!?) with the move to Upstart, and NetworkManager replacing the network init script in F9, that the NetworkManager dispatcher will become the default mechanism to start any services which require a network connection.
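Added example (not the reporter's script, and not part of NetworkManager or selinux-policy): a dispatcher script written the way comments 9, 11 and 13 converge on, asking /sbin/service whether ntpd is running instead of stat'ing /var/run/ntpd.pid. The script runs in NetworkManager_t, which the thread shows may transition into the initrc script domain but may not getattr ntpd_var_run_t itself, so a plain "test -f /var/run/ntpd.pid" reproduces the AVC in comment 8 while "service ntpd status" does not. The install path /etc/NetworkManager/dispatcher.d/10-ntpd and the logger tag are assumptions; NetworkManager passes the interface and the action as the two arguments.

```sh
#!/bin/sh
# Example dispatcher script (added here; not from the bug report).
# Assumed location: /etc/NetworkManager/dispatcher.d/10-ntpd
# Invoked by NetworkManager as: 10-ntpd <interface> <action>
#
# Rule: never touch /var/run or /var/lock from here. The script runs in
# NetworkManager_t; "service ntpd status" performs the pid-file check
# from a domain that is allowed to, so no local policy is needed.

# ntpd_action ACTION STATUS_RC
# Map the NetworkManager action and the exit status of
# "service ntpd status" (0 = running, non-zero = stopped/unknown,
# the service(8) convention) to the service verb to run.
ntpd_action() {
    action=$1
    status_rc=$2
    case "$action" in
        up|vpn-up)
            # Interface arrived: restart a running ntpd so it rebinds to
            # the new address; start it if boot skipped it for lack of a network.
            if [ "$status_rc" -eq 0 ]; then echo restart; else echo start; fi
            ;;
        down|vpn-down)
            # Leave ntpd alone; it keeps syncing over whatever is left.
            echo none
            ;;
        *)
            echo none
            ;;
    esac
}

# dispatch IFACE ACTION
# Query ntpd through the init script, then act on the decision.
dispatch() {
    iface=$1
    action=$2
    /sbin/service ntpd status >/dev/null 2>&1
    rc=$?
    what=$(ntpd_action "$action" "$rc")
    [ "$what" = none ] && return 0
    logger -t ntpd-dispatch "$iface $action: service ntpd $what"
    exec /sbin/service ntpd "$what"
}

# Only act when NetworkManager supplies its two arguments; sourcing or
# running the file bare just defines the functions.
if [ $# -ge 2 ]; then
    dispatch "$1" "$2"
fi
```

After copying the file into place, run restorecon on it and check with ls -Z that it carries bin_t, as comment 1 describes; on the policy the reporter started with it comes up etc_t and NetworkManager cannot execute it at all. The getattr denial only appears once that first hurdle is cleared, which is why the script above never looks at the pid file directly.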
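A second added example, not from the bug and not audit2allow itself: comment 10 says a local customization like this would need its own policy, and the functions below show exactly what that policy would be, by pulling the source type, target type, object class and permission out of the raw AVC line from comment 8 and emitting a one-rule module. The AVC text is embedded as a constructed constant copied from the thread; the module name localnmntpd is an assumption.

```sh
#!/bin/sh
# Added example: derive a minimal SELinux local policy module from one
# raw AVC denial. Not from the bug report or the selinux-policy package.

# The denial quoted in the thread, embedded here as a constant (constructed
# input so the script runs offline; the field order is the Fedora 8 one).
AVC='avc: denied { getattr } for comm=ntpd-script dev=dm-1 egid=0 euid=0 exe=/bin/bash exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/var/run/ntpd.pid pid=5635 scontext=system_u:system_r:NetworkManager_t:s0 sgid=0 subj=system_u:system_r:NetworkManager_t:s0 suid=0 tclass=file tcontext=system_u:object_r:ntpd_var_run_t:s0 tty=(none) uid=0'

# avc_field LINE KEY -> value of the "KEY=value" pair in LINE.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE -> the permission list inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied[[:space:]]*{\([^}]*\)}.*/\1/p' \
        | tr -s ' ' | sed 's/^ //; s/ $//'
}

# type_of CONTEXT -> the type component of user:role:type:level.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_rule LINE -> "allow SRC TGT:CLASS { perms };"
avc_to_rule() {
    src=$(type_of "$(avc_field "$1" scontext)")
    tgt=$(type_of "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_to_te NAME LINE -> complete .te source for a loadable local module.
# The require block declares the two types as coming from the base policy.
avc_to_te() {
    name=$1
    line=$2
    src=$(type_of "$(avc_field "$line" scontext)")
    tgt=$(type_of "$(avc_field "$line" tcontext)")
    printf 'policy_module(%s, 1.0)\n\nrequire {\n    type %s;\n    type %s;\n}\n\n%s' \
        "$name" "$src" "$tgt" "$(avc_to_rule "$line")"
    printf '\n'
}

# To build and load (needs checkmodule/semodule_package from the
# SELinux policy tools, run as root):
#   avc_to_te localnmntpd "$AVC" > localnmntpd.te
#   checkmodule -M -m -o localnmntpd.mod localnmntpd.te
#   semodule_package -o localnmntpd.pp -m localnmntpd.mod
#   semodule -i localnmntpd.pp
```

For this denial the emitted rule is "allow NetworkManager_t ntpd_var_run_t:file { getattr };". Loading it makes the denial go away, but it also gives every dispatcher script that NetworkManager ever runs standing read access to ntpd's run-time files, which is the kind of over-broad grant comment 12 is objecting to in the base policy. Rewriting the script to go through "service ntpd status", as comment 13 did, reaches the same result with no local policy at all, so treat the module as a last resort and keep its allow rule to the one class and permission the audit line names.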