Bug 455143

Still seen with NetworkManager-0.7.0-0.11.svn4022.fc8.  In permissive mode I see:

type=1400 audit(1221692156.699:5): avc:  denied  { read write } for  pid=2587 comm="nm-system-setti" path="socket:[9992]" dev=sockfs ino=9992 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket
type=1400 audit(1221692227.217:6): avc:  denied  { read } for  pid=2583 comm="NetworkManager" name="dhclient-eth1.conf" dev=sda5 ino=982193 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcp_etc_t:s0 tclass=file
type=1400 audit(1221692262.366:9): avc:  denied  { getattr } for  pid=3801 comm="NetworkManager" path="/etc/dhclient-eth1.conf" dev=sda5 ino=982193 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcp_etc_t:s0 tclass=file

These are leaked file descriptors.

allow NetworkManager_t system_dbusd_t:tcp_socket { read write };

This is caused by a leak in pam_nssldap, I beleive.


allow NetworkManager_t dhcp_etc_t:file { read getattr };

This is caused by a leak in dhclient?

The first denial definitely causes problems though and NM will not bring up the default network - needed for nm-system-settings to communicate with NM over dbus?  I see:

Sep 18 14:39:18 cynosure NetworkManager: <WARN>  system_settings_get_unmanaged_devices_cb(): system_settings_get_unmanaged_devices_cb: Error getting unmanaged devices from the system settings service: (4) Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Sep 18 14:39:18 cynosure NetworkManager: <WARN>  list_connections_cb(): Couldn't retrieve connections: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken..


More context for the other two:

Sep 17 16:57:42 cynosure NetworkManager: <info>  (eth1): device state change: 5 -> 7
Sep 17 16:57:42 cynosure NetworkManager: <info>  Activation (eth1) Beginning DHCP transaction.
Sep 17 16:57:42 cynosure kernel: type=1400 audit(1221692262.362:8): avc:  denied  { read } for  pid=3801 comm="NetworkManager" name="dhclient-eth1.conf" dev=sda5 ino=982193 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcp_etc_t:s0 tclass=file
Sep 17 16:57:42 cynosure kernel: type=1400 audit(1221692262.366:9): avc:  denied  { getattr } for  pid=3801 comm="NetworkManager" path="/etc/dhclient-eth1.conf" dev=sda5 ino=982193 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcp_etc_t:s0 tclass=file
Sep 17 16:57:42 cynosure dhclient: Internet Systems Consortium DHCP Client V3.0.6-Fedora
Sep 17 16:57:42 cynosure dhclient: Copyright 2004-2007 Internet Systems Consortium.
Sep 17 16:57:42 cynosure dhclient: All rights reserved.
Sep 17 16:57:42 cynosure dhclient: For info, please visit http://www.isc.org/sw/dhcp/
Sep 17 16:57:42 cynosure dhclient:
Sep 17 16:57:42 cynosure dhclient: Listening on LPF/eth1/00:b0:d0:0d:f2:a3
Sep 17 16:57:42 cynosure dhclient: Sending on   LPF/eth1/00:b0:d0:0d:f2:a3
Sep 17 16:57:42 cynosure dhclient: Sending on   Socket/fallback
Sep 17 16:57:42 cynosure dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 3
Sep 17 16:57:42 cynosure dhclient: DHCPOFFER from 192.168.0.8
Sep 17 16:57:42 cynosure dhclient: DHCPREQUEST on eth1 to 255.255.255.255 port 67
Sep 17 16:57:42 cynosure dhclient: DHCPACK from 192.168.0.8
Sep 17 16:57:42 cynosure dhclient: bound to 192.168.0.72 -- renewal in 7160 seconds.
Sep 17 16:57:42 cynosure NetworkManager: <info>  dhclient started with pid 3852

Dan:

allow NetworkManager_t dhcp_etc_t:file { read getattr };

should be allowed since NM now reads/writes some dhcp-related files in /etc, specifically it will read /etc/dhclient-<iface>.conf and merge those options into /var/run/nm-dhclient-<iface>.conf.  Could we get that added to the policy since it seems correct to me?

I'm not sure about the pam_nssldap thing; is there anything I can do about that in NM?

Thanks!

Added to F8,F9, F10 and RHEL5 policy.

There is nothing networkmanager can do about

allow NetworkManager_t system_dbusd_t:tcp_socket { read write };

Fixed in selinux-policy-3.0.8-117.fc8.src.rpm

This message is a reminder that Fedora 8 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 8.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '8'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 8's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 8 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

As this bug is in MODIFIED, Fedora believes that a fix has been committed that resolves the problem listed in this bug report.

If this is not the case, please re-open this report, noting the version of the package that you reproduced the bug against.

Thanks for the report!