Bug 446969
| Summary: | AVC messages when using new NetworkManager build | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | drago01 |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | low | Priority: | low |
| Version: | 8 | CC: | dcbw, james, orion |
| Hardware: | All | OS: | Linux |
| Doc Type: | Bug Fix | Last Closed: | 2008-07-05 16:23:56 UTC |

Description
drago01
2008-05-16 19:36:15 UTC
How is nm-system-settings labelled?

(In reply to comment #1)
> How is nm-system-settings labelled?
>

ls -Z /usr/sbin/nm-system-settings
-rwxr-xr-x  root root system_u:object_r:bin_t          /usr/sbin/nm-system-settings

some more avcs:
-------------------------
audit(1211015519.633:4): avc: denied { write } for pid=2231 comm="hal-acl-tool" name="log" dev=tmpfs ino=6532 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211015519.633:5): avc: denied { write } for pid=2231 comm="hal-acl-tool" name="log" dev=tmpfs ino=6532 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211015519.633:6): avc: denied { write } for pid=2231 comm="hal-acl-tool" name="log" dev=tmpfs ino=6532 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211015519.763:7): avc: denied { write } for pid=2243 comm="hal-acl-tool" name="log" dev=tmpfs ino=6532 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211015519.763:8): avc: denied { write } for pid=2243 comm="hal-acl-tool" name="log" dev=tmpfs ino=6532 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211015519.763:9): avc: denied { write } for pid=2243 comm="hal-acl-tool" name="log" dev=tmpfs ino=6532 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
----------------------------
audit2allow -d

#============= hald_acl_t ==============
allow hald_acl_t devlog_t:sock_file write;

That is wrong. /usr/sbin/nm-system-settings should be labeled NetworkManager_exec_t.

Does restorecon /usr/sbin/nm-system-settings fix the problem?

The hald_acl_t sending syslog messages I have never seen before. I will fix that in the next update.

Not on mine (selinux-policy-targeted-3.0.8-101.fc8)

[root@rhapsody thesis]# /sbin/restorecon /usr/sbin/nm-system-settings
[root@rhapsody thesis]# ls -Z /usr/sbin/nm-system-settings
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /usr/sbin/nm-system-settings

Dan: nm-system-settings is new in this update; will probably need policy copied from F9.

I need to coordinate better with you with updates to NM so that policy can get updated at the same time.

with selinux-policy-targeted-3.0.8-105.fc8 from koji I still get:

audit(1211313858.286:4): avc: denied { read } for pid=2098 comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[2098]: segfault at 18 rip 338ce72ffd rsp 7fffa5e2d720 error 4
audit(1211313878.567:5): avc: denied { write } for pid=2250 comm="hal-acl-tool" name="log" dev=tmpfs ino=6678 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211313878.567:6): avc: denied { write } for pid=2250 comm="hal-acl-tool" name="log" dev=tmpfs ino=6678 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211313878.567:7): avc: denied { write } for pid=2250 comm="hal-acl-tool" name="log" dev=tmpfs ino=6678 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211313878.687:8): avc: denied { write } for pid=2261 comm="hal-acl-tool" name="log" dev=tmpfs ino=6678 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211313878.687:9): avc: denied { write } for pid=2261 comm="hal-acl-tool" name="log" dev=tmpfs ino=6678 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211313878.687:10): avc: denied { write } for pid=2261 comm="hal-acl-tool" name="log" dev=tmpfs ino=6678 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211313901.607:11): avc: denied { read } for pid=2471 comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[2471]: segfault at 18 rip 338ce72ffd rsp 7fffbdb59450 error 4
-------------------
audit2allow -d

#============= NetworkManager_t ==============
allow NetworkManager_t hald_var_lib_t:dir read;

#============= hald_acl_t ==============
allow hald_acl_t devlog_t:sock_file write;
-------------------
ls -Z /usr/sbin/nm-system-settings
-rwxr-xr-x  root root system_u:object_r:NetworkManager_exec_t /usr/sbin/nm-system-settings

additionally I also get a message about dbus-launcher on policy load

Fixed in selinux-policy-3.0.8-106.fc8

I installed this and I am still getting
--------------------
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /lib/dbus-1/dbus-daemon-launch-helper (system_u:object_r:system_dbusd_exec_t:s0 and system_u:object_r:bin_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /lib64/dbus-1/dbus-daemon-launch-helper (system_u:object_r:system_dbusd_exec_t:s0 and system_u:object_r:bin_t:s0).
---------------------
on policy load

cat /etc/selinux/targeted/contexts/files/file_contexts | grep dbus

shows:
---------------
/etc/dbus-1(/.*)?	system_u:object_r:dbusd_etc_t:s0
/var/lib/dbus(/.*)?	system_u:object_r:system_dbusd_var_lib_t:s0
/var/run/dbus(/.*)?	system_u:object_r:system_dbusd_var_run_t:s0
/usr/bin/dbus-daemon(-1)?	--	system_u:object_r:system_dbusd_exec_t:s0
/var/named/chroot/var/run/dbus(/.*)?	system_u:object_r:system_dbusd_var_run_t:s0
/bin/dbus-daemon	--	system_u:object_r:system_dbusd_exec_t:s0
/lib/dbus-1/dbus-daemon-launch-helper	--	system_u:object_r:bin_t:s0
/lib/dbus-1/dbus-daemon-launch-helper	--	system_u:object_r:system_dbusd_exec_t:s0
/lib64/dbus-1/dbus-daemon-launch-helper	--	system_u:object_r:bin_t:s0
/lib64/dbus-1/dbus-daemon-launch-helper	--	system_u:object_r:system_dbusd_e
-------------------
there are indeed two contexts bin_t and system_dbusd_exec_t

forgot to add the avcs are indeed fixed now.

the dbus issue seems to be the reason for nm-system-settings segfaulting ... it does not happen when I start it by hand or when I let dbus start it in permissive mode.

Fixed file context in selinux-policy-3.0.8-107.fc8

Using selinux-policy-3.0.8-109.fc8 everything seems to work fine. And nm-system-settings no longer segfaults.

*** Bug 444522 has been marked as a duplicate of this bug. ***
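Added example, not part of the original report and not the audit2allow source: a small triage script that parses AVC denial lines like the ones pasted in this thread, collapses the repeats, and prints the distinct denials in the allow-rule form that audit2allow shows above. The function names are this example's own; the sample log reuses records from the report.

```python
import re
from collections import Counter

# Sample input: records copied from this report (three of the six hal-acl-tool repeats kept).
SAMPLE_LOG = """\
audit(1211313858.286:4): avc: denied { read } for pid=2098 comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[2098]: segfault at 18 rip 338ce72ffd rsp 7fffa5e2d720 error 4
audit(1211313878.567:5): avc: denied { write } for pid=2250 comm="hal-acl-tool" name="log" dev=tmpfs ino=6678 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211313878.567:6): avc: denied { write } for pid=2250 comm="hal-acl-tool" name="log" dev=tmpfs ino=6678 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211313878.687:8): avc: denied { write } for pid=2261 comm="hal-acl-tool" name="log" dev=tmpfs ino=6678 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms), or None if not a full AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        # Contexts are user:role:type[:level]; policy rules are written on the type.
        src = fields["scontext"].split(":")[2]
        tgt = fields["tcontext"].split(":")[2]
        return src, tgt, fields["tclass"], tuple(m.group("perms").split())
    except (KeyError, IndexError):
        return None  # truncated record, e.g. cut off before scontext

def summarize(log_text):
    """Count denials per (source, target, class, permission), collapsing repeats."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            src, tgt, cls, perms = rec
            counts.update((src, tgt, cls, p) for p in perms)
    return counts

def as_rules(counts):
    """Render the distinct denials as allow rules, one per (source, target, class)."""
    merged = {}
    for src, tgt, cls, perm in counts:
        merged.setdefault((src, tgt, cls), set()).add(perm)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return rules
```

The rules it prints are candidates for policy review; the counts show which denial dominates the log.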
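Added example, not part of the original report: a check that scans file_contexts text for the condition behind the "Multiple different specifications" message quoted above, so a policy build can be tested before it ships. It assumes two entries collide when the path pattern is identical and the file-type fields match or either is absent, which is a simplification made by this example; the sample is constructed from entries quoted in the thread.

```python
from collections import defaultdict

# Constructed sample in file_contexts layout, built from entries quoted in this report.
SAMPLE_FILE_CONTEXTS = """\
/etc/dbus-1(/.*)?	system_u:object_r:dbusd_etc_t:s0
/bin/dbus-daemon	--	system_u:object_r:system_dbusd_exec_t:s0
/lib/dbus-1/dbus-daemon-launch-helper	--	system_u:object_r:bin_t:s0
/lib/dbus-1/dbus-daemon-launch-helper	--	system_u:object_r:system_dbusd_exec_t:s0
/lib64/dbus-1/dbus-daemon-launch-helper	--	system_u:object_r:bin_t:s0
/lib64/dbus-1/dbus-daemon-launch-helper	--	system_u:object_r:system_dbusd_exec_t:s0
"""

def parse_file_contexts(text):
    """Yield (lineno, pattern, file_type, context); file_type is '' when omitted."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 2:
            yield lineno, parts[0], "", parts[1]
        elif len(parts) == 3:
            yield lineno, parts[0], parts[1], parts[2]
        # Anything else is malformed (or truncated) and is skipped.

def find_conflicts(text):
    """Return (pattern, context_a, context_b, line_a, line_b) for colliding entries."""
    by_pattern = defaultdict(list)
    for entry in parse_file_contexts(text):
        by_pattern[entry[1]].append(entry)
    conflicts = []
    for pattern, group in by_pattern.items():
        for i, (ln_a, _, ft_a, ctx_a) in enumerate(group):
            for ln_b, _, ft_b, ctx_b in group[i + 1:]:
                # Assumption: entries overlap if types match or one has no type.
                overlap = ft_a == ft_b or not ft_a or not ft_b
                if overlap and ctx_a != ctx_b:
                    conflicts.append((pattern, ctx_a, ctx_b, ln_a, ln_b))
    return conflicts

if __name__ == "__main__":
    for pattern, a, b, ln_a, ln_b in find_conflicts(SAMPLE_FILE_CONTEXTS):
        print(f"{pattern}: {a} (line {ln_a}) vs {b} (line {ln_b})")
```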