Bug 431484
| Summary: | AVC denial from 00-netreport | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Tom London <selinux> |
| Component: | initscripts | Assignee: | Bill Nottingham <notting> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | rawhide | CC: | dwalsh, rvokal |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-02-05 20:00:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
For some reason your labeling is wrong on this directory. restorecon -R -v /etc Should fix it. /etc/NetworkManager/dispatcher.d/00-netreport should be labeled bin_t. Did you recreate these directories? I did the above before filing BZ.
Still happens.
Argh.... the inode points to
[root@localhost etc]# ls -l */init
-rwxr-xr-x 1 root root 1068 2008-02-03 21:52 sysconfig/init
[root@localhost etc]#
[root@localhost etc]# ls -lZ */init
-rwxr-xr-x root root system_u:object_r:etc_t sysconfig/init
[root@localhost etc]#
does /etc/sysconfig/init need to be bin_t?
--------------------
[root@localhost NetworkManager]# restorecon -v -R /etc
[root@localhost NetworkManager]# ls -lZ
drwxr-xr-x root root system_u:object_r:bin_t dispatcher.d
drwxr-xr-x root root system_u:object_r:etc_t VPN
[root@localhost NetworkManager]# cd *
[root@localhost dispatcher.d]# ls -lZ
-rwxr-xr-x root root system_u:object_r:bin_t 00-netreport
[root@localhost dispatcher.d]#
Here is AVC for this morning's boot:
type=AVC msg=audit(1202221352.502:25): avc: denied { execute } for pid=3245
comm="00-netreport" name="init" dev=dm-0 ino=11076091
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1202221352.502:25): arch=40000003 syscall=33 success=no
exit=-13 a0=95a4398 a1=1 a2=11 a3=95a4398 items=0 ppid=2585 pid=3245
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="00-netreport" exe="/bin/bash"
subj=system_u:system_r:NetworkManager_t:s0 key=(null)
Repoening, then. Changing the label of /etc/sysconfig/init to 'bin_t' makes the AVC go away on boot. Not sure its "the right thing" though...... Looks ok to me. Fixed in selinux-policy-3.2.6-6.fc9 |
Description of problem: After today's rawhide update, get the following on startup and network changes (e.g., wireless association): type=AVC msg=audit(1202145845.370:25): avc: denied { execute } for pid=4010 comm="00-netreport" name="init" dev=dm-0 ino=11076091 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file type=SYSCALL msg=audit(1202145845.370:25): arch=40000003 syscall=33 success=no exit=-13 a0=86da398 a1=1 a2=11 a3=86da398 items=0 ppid=2626 pid=4010 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="00-netreport" exe="/bin/bash" subj=system_u:system_r:NetworkManager_t:s0 key=(null) Version-Release number of selected component (if applicable): initscripts-8.63-1.i386 How reproducible: Every time Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: