Bug 441095

Summary: denied write runlevel utmp for NetworkManager on interface activation
Product: Fedora
Reporter: Orion Poplawski <orion>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: rawhide
CC: archimerged, jkubin
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-04-09 12:27:18 UTC

Description Orion Poplawski 2008-04-06 04:09:17 UTC
Description of problem:

Apr  5 21:33:46 bona NetworkManager: <info>  Policy set (eth1) as default device for routing and DNS.
Apr  5 21:33:46 bona NetworkManager: <info>  Activation (eth1) successful, device activated.
Apr  5 21:33:46 bona NetworkManager: <info>  Activation (eth1) Stage 5 of 5 (IP Configure Commit) complete.
Apr  5 21:33:46 bona kernel: type=1400 audit(1207452826.658:89): avc:  denied  { write } for  pid=3533 comm="runlevel" name="utmp" dev=sda5 ino=8009 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

Version-Release number of selected component (if applicable):
NetworkManager-0.7.0-0.9.1.svn3521.fc9.i386
selinux-policy-3.3.1-26.fc9.noarch
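The AVC record above is the only evidence the kernel gives about which domain was blocked from what. The following parser is an added example and not part of the bug report: it pulls the source and target types, object class and requested permissions out of audit lines so a batch of denials can be triaged (here, NetworkManager_t writing to a file labelled initrc_var_run_t). The sample log is constructed; its first line is the denial quoted in the report, and the third is a made-up record with the same shape.

```python
import re

# Constructed sample log: the denial from the bug report, an unrelated
# NetworkManager line that must be ignored, and a second made-up AVC record.
SAMPLE_LOG = """\
Apr  5 21:33:46 bona kernel: type=1400 audit(1207452826.658:89): avc:  denied  { write } for  pid=3533 comm="runlevel" name="utmp" dev=sda5 ino=8009 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
Apr  5 21:33:47 bona NetworkManager: <info>  Activation (eth1) successful, device activated.
Apr  5 21:34:02 bona kernel: type=1400 audit(1207452842.101:90): avc:  denied  { read } for  pid=3540 comm="cat" name="shadow" dev=sda5 ino=1234 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be bare tokens or double-quoted strings
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC line, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is what policy rules are written against.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":")
            rec[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    return rec


def parse_log(text):
    """Parse every AVC record in a block of syslog text, skipping other lines."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize(rec):
    """One-line triage summary: result, command, source type -> target type (class perms)."""
    return "%s %s %s -> %s (%s %s)" % (
        rec["result"], rec.get("comm", "?"), rec.get("scontext_type"),
        rec.get("tcontext_type"), rec.get("tclass"), ",".join(rec["perms"]))


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(summarize(rec))
```

For the report's line the summary reads "denied runlevel NetworkManager_t -> initrc_var_run_t (file write)", which is the information a policy maintainer needs: the confined domain, the target type, and the permission that the policy update in this bug had to grant (or that the calling chain had to stop requesting).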

Comment 1 archimerged Ark submedes 2008-04-09 00:54:05 UTC
$ cat /sbin/runlevel
#!/bin/bash
# Debugging wrapper: record the time, the full process table, the arguments
# and the SELinux label on utmp, then hand off to the real binary, which has
# been moved aside to /sbin/runlevel-orig.
( date; ps -ef; echo runlevel "$@"; ls --lcontext /var/run/utmp ) >/tmp/runlevel-ps-ef-$( date --iso=sec | tr T: .. )
/sbin/runlevel-orig "$@"

Running in permissive mode.  Otherwise the /tmp/ file couldn't be created either.

root      2240     1  0 20:28 ?        00:00:00 NetworkManagerDispatcher --pid-file=/var/run/NetworkManager/NetworkManagerDispatcher.pid
root      2343  2240  0 20:28 ?        00:00:00 /bin/sh /etc/NetworkManager/dispatcher.d/05-netfs eth0 up
root      2347  2343  0 20:28 ?        00:00:00 /sbin/chkconfig netfs
root      2348  2347  0 20:28 ?        00:00:00 /bin/bash /sbin/runlevel
root      2349  2348  0 20:28 ?        00:00:00 /bin/bash /sbin/runlevel
root      2354  2349  0 20:28 ?        00:00:00 ps -ef


Clearly NMdispatcher is running 05-netfs which calls chkconfig netfs which calls
runlevel, which gets the avc denial.


Comment 2 Daniel Walsh 2008-04-09 12:27:18 UTC
Please update to the latest selinux policy

Fixed in selinux-policy-3.3.1-30.fc9

Comment 3 archimerged Ark submedes 2008-04-10 19:00:20 UTC
Works in Rawhide-2008-04-09