Bug 446969

Summary: AVC messages when using new NetworkManager build
Product: Fedora
Reporter: drago01
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: low
Priority: low
Version: 8
CC: dcbw, james, orion
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-07-05 16:23:56 UTC

Description drago01 2008-05-16 19:36:15 UTC
I installed NetworkManager-0.7.0-0.6.8.svn3669.fc8 from koji and now I get many
AVCs like this (using selinux-policy-targeted-3.0.8-101.fc8):
--------------
audit(1210964905.825:347): avc:  denied  { read } for  pid=2909
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[2909]: segfault at 18 rip 338ce72ffd rsp 7fff89d37340 error 4
audit(1210965025.823:348): avc:  denied  { read } for  pid=2992
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[2992]: segfault at 18 rip 338ce72ffd rsp 7fff6254fe40 error 4
audit(1210965145.822:349): avc:  denied  { read } for  pid=3075
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[3075]: segfault at 18 rip 338ce72ffd rsp 7fff2345ed50 error 4
audit(1210965265.825:350): avc:  denied  { read } for  pid=3165
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[3165]: segfault at 18 rip 338ce72ffd rsp 7fff65ff38e0 error 4
audit(1210965385.829:351): avc:  denied  { read } for  pid=3248
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[3248]: segfault at 18 rip 338ce72ffd rsp 7fffb0bb74b0 error 4
audit(1210965505.828:352): avc:  denied  { read } for  pid=3357
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[3357]: segfault at 18 rip 338ce72ffd rsp 7fff6a0d89d0 error 4
audit(1210965625.828:353): avc:  denied  { read } for  pid=3441
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[3441]: segfault at 18 rip 338ce72ffd rsp 7fff841eaae0 error 4
audit(1210965745.827:354): avc:  denied  { read } for  pid=3556
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[3556]: segfault at 18 rip 338ce72ffd rsp 7fff062a1b90 error 4
audit(1210965865.837:355): avc:  denied  { read } for  pid=3638
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
---------------
audit2allow -d output:


#============= hald_acl_t ==============
allow hald_acl_t self:unix_dgram_socket create;

#============= system_dbusd_t ==============
allow system_dbusd_t hald_var_lib_t:dir read;

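The denial records above and the audit2allow -d grouping they produce, as an added example that is not part of the bug report or of the selinux-policy package: the parser re-joins wrapped AVC records, groups them into allow rules by (source domain, target type, class), and additionally flags a comm whose source domain is not the one expected for it, which is the mislabeled-binary symptom this thread turns on. The EXPECTED_DOMAIN table is an assumption made for the example, not something read from the policy.

```python
import re
from collections import defaultdict

# Constructed sample: three denial records from this report, each wrapped over
# two lines the way the comments above wrap them.
SAMPLE_AVCS = """\
audit(1210964905.825:347): avc:  denied  { read } for  pid=2909 comm="nm-system-setti" name="PolicyKit"
dev=sda2 ino=7864839 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
audit(1211015519.633:4): avc:  denied  { write } for  pid=2231 comm="hal-acl-tool" name="log" dev=tmpfs ino=6532
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211313858.286:4): avc:  denied  { read } for  pid=2098 comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'avc: +denied +\{ *(?P<perms>[^}]+)\} .*?comm="(?P<comm>[^"]*)" .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

def parse_avcs(text):
    """Split at each 'audit(' header, re-join wrapped records and yield a dict per denial."""
    for rec in re.split(r"(?=^audit\()", text, flags=re.M):
        m = AVC_RE.search(" ".join(rec.split()))   # collapse wrapping to one line
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            yield d

def selinux_type(context):
    return context.split(":")[2]   # user:role:type[:range] -> type

def allow_rules(text):
    """Group denials as audit2allow -d does: {(source domain, target type, class): perms}."""
    rules = defaultdict(set)
    for avc in parse_avcs(text):
        key = (selinux_type(avc["scontext"]), selinux_type(avc["tcontext"]), avc["tclass"])
        rules[key].update(avc["perms"])
    return dict(rules)

def format_rules(rules):
    """Render the grouping as allow statements, sorted for stable output."""
    return [f"allow {s} {t}:{c} {' '.join(sorted(p))};" for (s, t, c), p in sorted(rules.items())]

# Assumption (not from the policy): the domain each comm should run in; a denial raised from another domain is the mislabeled-binary symptom of comments 1 and 4.
EXPECTED_DOMAIN = {"nm-system-setti": "NetworkManager_t"}

def mislabeled(text):
    """(comm, actual domain) pairs whose source domain differs from the expected one."""
    found = {(a["comm"], selinux_type(a["scontext"])) for a in parse_avcs(text)}
    return sorted((c, d) for c, d in found if EXPECTED_DOMAIN.get(c, d) != d)
```

Generating a rule from a denial whose source domain is wrong would bake the labeling mistake into policy, so checking mislabeled() before trusting allow_rules() is the order a practitioner wants.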
Comment 1 Daniel Walsh 2008-05-16 20:48:04 UTC
How is nm-system-settings labelled?


Comment 2 drago01 2008-05-16 23:04:45 UTC
(In reply to comment #1)
> How is nm-system-settings labelled?
> 

ls -Z /usr/sbin/nm-system-settings
-rwxr-xr-x  root root system_u:object_r:bin_t          /usr/sbin/nm-system-settings


Comment 3 drago01 2008-05-17 09:36:53 UTC
Some more AVCs:
-------------------------
audit(1211015519.633:4): avc:  denied  { write } for  pid=2231
comm="hal-acl-tool" name="log" dev=tmpfs ino=6532
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211015519.633:5): avc:  denied  { write } for  pid=2231
comm="hal-acl-tool" name="log" dev=tmpfs ino=6532
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211015519.633:6): avc:  denied  { write } for  pid=2231
comm="hal-acl-tool" name="log" dev=tmpfs ino=6532
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211015519.763:7): avc:  denied  { write } for  pid=2243
comm="hal-acl-tool" name="log" dev=tmpfs ino=6532
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211015519.763:8): avc:  denied  { write } for  pid=2243
comm="hal-acl-tool" name="log" dev=tmpfs ino=6532
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211015519.763:9): avc:  denied  { write } for  pid=2243
comm="hal-acl-tool" name="log" dev=tmpfs ino=6532
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
----------------------------
audit2allow -d


#============= hald_acl_t ==============
allow hald_acl_t devlog_t:sock_file write;

Comment 4 Daniel Walsh 2008-05-19 18:27:05 UTC
That is wrong.

/usr/sbin/nm-system-settings

should be labeled NetworkManager_exec_t.

Does restorecon /usr/sbin/nm-system-settings

fix the problem?

The hald_acl_t sending syslog messages I have never seen before.

I will fix that in the next update.



Comment 5 James 2008-05-19 18:33:04 UTC
Not on mine (selinux-policy-targeted-3.0.8-101.fc8)

[root@rhapsody thesis]# /sbin/restorecon /usr/sbin/nm-system-settings
[root@rhapsody thesis]# ls -Z /usr/sbin/nm-system-settings
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /usr/sbin/nm-system-settings


Comment 6 Dan Williams 2008-05-19 18:48:12 UTC
Dan: nm-system-settings is new in this update; will probably need policy copied
from F9.  I need to coordinate better with you with updates to NM so that policy
can get updated at the same time.

Comment 7 drago01 2008-05-20 20:15:16 UTC
With selinux-policy-targeted-3.0.8-105.fc8 from koji I still get:
audit(1211313858.286:4): avc:  denied  { read } for  pid=2098
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[2098]: segfault at 18 rip 338ce72ffd rsp 7fffa5e2d720 error 4
audit(1211313878.567:5): avc:  denied  { write } for  pid=2250
comm="hal-acl-tool" name="log" dev=tmpfs ino=6678
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211313878.567:6): avc:  denied  { write } for  pid=2250
comm="hal-acl-tool" name="log" dev=tmpfs ino=6678
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211313878.567:7): avc:  denied  { write } for  pid=2250
comm="hal-acl-tool" name="log" dev=tmpfs ino=6678
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211313878.687:8): avc:  denied  { write } for  pid=2261
comm="hal-acl-tool" name="log" dev=tmpfs ino=6678
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211313878.687:9): avc:  denied  { write } for  pid=2261
comm="hal-acl-tool" name="log" dev=tmpfs ino=6678
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211313878.687:10): avc:  denied  { write } for  pid=2261
comm="hal-acl-tool" name="log" dev=tmpfs ino=6678
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211313901.607:11): avc:  denied  { read } for  pid=2471
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[2471]: segfault at 18 rip 338ce72ffd rsp 7fffbdb59450 error 4
-------------------
audit2allow -d


#============= NetworkManager_t ==============
allow NetworkManager_t hald_var_lib_t:dir read;

#============= hald_acl_t ==============
allow hald_acl_t devlog_t:sock_file write;
-------------------
ls -Z /usr/sbin/nm-system-settings
-rwxr-xr-x  root root system_u:object_r:NetworkManager_exec_t /usr/sbin/nm-system-settings


Additionally I also get a message about dbus-launcher on policy load.



Comment 8 Daniel Walsh 2008-05-20 21:28:34 UTC
Fixed in selinux-policy-3.0.8-106.fc8

Comment 9 drago01 2008-05-22 20:08:06 UTC
I installed this and I am still getting
--------------------
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different
specifications for /lib/dbus-1/dbus-daemon-launch-helper 
(system_u:object_r:system_dbusd_exec_t:s0 and system_u:object_r:bin_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different
specifications for /lib64/dbus-1/dbus-daemon-launch-helper 
(system_u:object_r:system_dbusd_exec_t:s0 and system_u:object_r:bin_t:s0).
---------------------
on policy load 

cat  /etc/selinux/targeted/contexts/files/file_contexts | grep dbus
shows: 
---------------
/etc/dbus-1(/.*)?       system_u:object_r:dbusd_etc_t:s0
/var/lib/dbus(/.*)?     system_u:object_r:system_dbusd_var_lib_t:s0
/var/run/dbus(/.*)?     system_u:object_r:system_dbusd_var_run_t:s0
/usr/bin/dbus-daemon(-1)?       --      system_u:object_r:system_dbusd_exec_t:s0
/var/named/chroot/var/run/dbus(/.*)?    system_u:object_r:system_dbusd_var_run_t:s0
/bin/dbus-daemon        --      system_u:object_r:system_dbusd_exec_t:s0
/lib/dbus-1/dbus-daemon-launch-helper   --      system_u:object_r:bin_t:s0
/lib/dbus-1/dbus-daemon-launch-helper   --      system_u:object_r:system_dbusd_exec_t:s0
/lib64/dbus-1/dbus-daemon-launch-helper --      system_u:object_r:bin_t:s0
/lib64/dbus-1/dbus-daemon-launch-helper --      system_u:object_r:system_dbusd_e
-------------------
There are indeed two contexts, bin_t and system_dbusd_exec_t.

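The "Multiple different specifications" condition in comment 9, as an added example that is not code from the bug report or from the selinux-policy package: a small file_contexts parser that reports every (regex, file type) pair given more than one context, and lists which entries compete for a given path. The sample is constructed from the excerpt above; Python's re module stands in for the libselinux regex engine, which is fine for patterns this simple.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the file_contexts excerpt in comment 9; the duplicate
# dbus-daemon-launch-helper entries are reproduced as reported there.
SAMPLE_FILE_CONTEXTS = """\
/etc/dbus-1(/.*)?       system_u:object_r:dbusd_etc_t:s0
/var/run/dbus(/.*)?     system_u:object_r:system_dbusd_var_run_t:s0
/usr/bin/dbus-daemon(-1)?       --      system_u:object_r:system_dbusd_exec_t:s0
/bin/dbus-daemon        --      system_u:object_r:system_dbusd_exec_t:s0
/lib/dbus-1/dbus-daemon-launch-helper   --      system_u:object_r:bin_t:s0
/lib/dbus-1/dbus-daemon-launch-helper   --      system_u:object_r:system_dbusd_exec_t:s0
/lib64/dbus-1/dbus-daemon-launch-helper --      system_u:object_r:bin_t:s0
/lib64/dbus-1/dbus-daemon-launch-helper --      system_u:object_r:system_dbusd_exec_t:s0
"""

def parse_file_contexts(text):
    """Yield (regex, filetype, context) per entry. The middle file-type field
    ('--' regular file, '-d' directory, ...) is optional, so a line has 2 or 3 fields."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            yield fields[0], fields[1], fields[2]
        elif len(fields) == 2:
            yield fields[0], None, fields[1]
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")

def conflicting_specs(text):
    """Entries listing the same (regex, filetype) with different contexts, i.e. what
    setfiles/restorecon report as 'Multiple different specifications'."""
    seen = defaultdict(list)
    for regex, ftype, ctx in parse_file_contexts(text):
        if ctx not in seen[(regex, ftype)]:
            seen[(regex, ftype)].append(ctx)
    return {k: v for k, v in seen.items() if len(v) > 1}

def specs_matching(text, path):
    """Every entry whose anchored regex matches path, in file order (Python re is
    used as a stand-in for the libselinux regex engine on these simple patterns)."""
    return [(regex, ftype, ctx) for regex, ftype, ctx in parse_file_contexts(text)
            if re.fullmatch(regex, path)]
```

Run conflicting_specs() over the real /etc/selinux/targeted/contexts/files/file_contexts to get the same list that the policy-load warning prints, without waiting for the next policy load.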
Comment 10 drago01 2008-05-22 20:15:30 UTC
Forgot to add: the AVCs are indeed fixed now.

Comment 11 drago01 2008-05-23 18:33:03 UTC
The dbus issue seems to be the reason for nm-system-settings segfaulting ... it
does not happen when I start it by hand or when I let dbus start it in
permissive mode.

Comment 12 Daniel Walsh 2008-05-27 12:36:15 UTC
Fixed file context in selinux-policy-3.0.8-107.fc8

Comment 13 drago01 2008-05-29 20:50:42 UTC
Using selinux-policy-3.0.8-109.fc8 everything seems to work fine. And
nm-system-settings no longer segfaults.

Comment 14 Orion Poplawski 2008-06-02 22:48:46 UTC
*** Bug 444522 has been marked as a duplicate of this bug. ***