Bug 457641

Summary: SELinux is preventing dhclient (dhcpc_t) "read" to ./nm-dhclient-wlan0.conf (NetworkManager_var_run_t).
Product: [Fedora] Fedora Reporter: Matěj Cepl <mcepl>
Component: dhcpAssignee: David Cantrell <dcantrell>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 9CC: bron2481, dcbw, dwalsh
Target Milestone: ---Keywords: SELinux
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-08-27 19:17:58 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:

Description Matěj Cepl 2008-08-02 01:44:07 EDT
Souhrn:

SELinux is preventing dhclient (dhcpc_t) "read" to ./nm-dhclient-wlan0.conf
(NetworkManager_var_run_t).

Podrobný popis:

SELinux denied access requested by dhclient. It is not expected that this access
is required by dhclient and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./nm-dhclient-wlan0.conf,

restorecon -v './nm-dhclient-wlan0.conf'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                system_u:system_r:dhcpc_t
Kontext cíle                 system_u:object_r:NetworkManager_var_run_t
Objekty cíle                 ./nm-dhclient-wlan0.conf [ file ]
Zdroj                         dhclient
Cesta zdroje                  /sbin/dhclient
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          dhclient-4.0.0-16.fc9
NetworkManager-0.7.0-0.11.svn3846.fc9.i386
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-82.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.25.10-86.fc9.i686 #1 SMP Mon Jul
                              7 20:46:03 EDT 2008 i686 i686
Počet upozornění           10
Poprvé viděno               Čt 31. červenec 2008, 09:56:19 CEST
Naposledy viděno             So 2. srpen 2008, 07:13:41 CEST
Místní ID                   125b63fb-ab71-48c5-a7d4-dcfa311fbbf6
Čísla řádků              

Původní zprávy auditu      

host=viklef type=AVC msg=audit(1217654021.216:20): avc:  denied  { read } for 
pid=3418 comm="dhclient" name="nm-dhclient-wlan0.conf" dev=dm-0 ino=1274701
scontext=system_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file

host=viklef type=SYSCALL msg=audit(1217654021.216:20): arch=40000003 syscall=5
success=no exit=-13 a0=bfc83ecc a1=0 a2=bfc82978 a3=88e5630 items=0 ppid=1
pid=3418 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="dhclient" exe="/sbin/dhclient"
subj=system_u:system_r:dhcpc_t:s0 key=(null)
Comment 1 Matěj Cepl 2008-08-02 01:47:58 EDT
And there is couple of (I guess) related AVC Denials:


Souhrn:

SELinux is preventing NetworkManager (NetworkManager_t) "unlink" to
./nm-dhclient-wlan0.conf (var_run_t).

Podrobný popis:

SELinux is preventing NetworkManager (NetworkManager_t) "unlink" to
./nm-dhclient-wlan0.conf (var_run_t). The SELinux type var_run_t, is a generic
type for all files in the directory and very few processes (SELinux Domains) are
allowed to write to this SELinux type. This type of denial usual indicates a
mislabeled file. By default a file created in a directory has the gets the
context of the parent directory, but SELinux policy has rules about the creation
of directories, that say if a process running in one SELinux Domain (D1) creates
a file in a directory with a particular SELinux File Context (F1) the file gets
a different File Context (F2). The policy usually allows the SELinux Domain (D1)
the ability to write, unlink, and append on (F2). But if for some reason a file
(./nm-dhclient-wlan0.conf) was created with the wrong context, this domain will
be denied. The usual solution to this problem is to reset the file context on
the target file, restorecon -v './nm-dhclient-wlan0.conf'. If the file context
does not change from var_run_t, then this is probably a bug in policy. Please
file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against
the selinux-policy package. If it does change, you can try your application
again to see if it works. The file context could have been mislabeled by editing
the file or moving the file from a different directory, if the file keeps
getting mislabeled, check the init scripts to see if they are doing something to
mislabel the file.

Povolení přístupu:

You can attempt to fix file context by executing restorecon -v
'./nm-dhclient-wlan0.conf'

Příkaz pro opravu:

restorecon './nm-dhclient-wlan0.conf'

Další informace:

Kontext zdroje                system_u:system_r:NetworkManager_t
Kontext cíle                 system_u:object_r:var_run_t
Objekty cíle                 ./nm-dhclient-wlan0.conf [ file ]
Zdroj                         NetworkManager
Cesta zdroje                  /usr/sbin/NetworkManager
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          NetworkManager-0.7.0-0.11.svn3846.fc9
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-82.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     mislabeled_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.25.11-97.fc9.i686 #1 SMP Mon Jul
                              21 01:31:09 EDT 2008 i686 i686
Počet upozornění           1
Poprvé viděno               Pá 1. srpen 2008, 08:26:01 CEST
Naposledy viděno             Pá 1. srpen 2008, 08:26:01 CEST
Místní ID                   ccdf21dc-8ea6-4ef8-b472-9550648c47d4
Čísla řádků              

Původní zprávy auditu      

host=viklef type=AVC msg=audit(1217571961.485:1411): avc:  denied  { unlink }
for  pid=2606 comm="NetworkManager" name="nm-dhclient-wlan0.conf" dev=dm-0
ino=1274647 scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=file

host=viklef type=SYSCALL msg=audit(1217571961.485:1411): arch=40000003
syscall=10 success=no exit=-13 a0=93dcb78 a1=29 a2=2eeff4 a3=93dcb78 items=0
ppid=1 pid=2606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager"
exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)


Comment 2 Matěj Cepl 2008-08-02 01:48:23 EDT
Also:


Souhrn:

SELinux is preventing dhclient (dhcpc_t) "read" to ./nm-dhclient-eth0.conf
(NetworkManager_var_run_t).

Podrobný popis:

SELinux denied access requested by dhclient. It is not expected that this access
is required by dhclient and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./nm-dhclient-eth0.conf,

restorecon -v './nm-dhclient-eth0.conf'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                system_u:system_r:dhcpc_t
Kontext cíle                 system_u:object_r:NetworkManager_var_run_t
Objekty cíle                 ./nm-dhclient-eth0.conf [ file ]
Zdroj                         dhclient
Cesta zdroje                  /sbin/dhclient
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          dhclient-4.0.0-16.fc9
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-82.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.25.11-97.fc9.i686 #1 SMP Mon Jul
                              21 01:31:09 EDT 2008 i686 i686
Počet upozornění           3
Poprvé viděno               Pá 1. srpen 2008, 10:06:08 CEST
Naposledy viděno             Pá 1. srpen 2008, 16:03:46 CEST
Místní ID                   ee430b28-4a8f-4e49-aeb1-935eb3f68de1
Čísla řádků              

Původní zprávy auditu      

host=viklef type=AVC msg=audit(1217599426.315:8): avc:  denied  { read } for 
pid=2754 comm="dhclient" name="nm-dhclient-eth0.conf" dev=dm-0 ino=1274691
scontext=system_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file

host=viklef type=SYSCALL msg=audit(1217599426.315:8): arch=40000003 syscall=5
success=no exit=-13 a0=bfbc3ece a1=0 a2=bfbc2cf8 a3=8572630 items=0 ppid=1
pid=2754 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="dhclient" exe="/sbin/dhclient"
subj=system_u:system_r:dhcpc_t:s0 key=(null)


Comment 3 Matěj Cepl 2008-08-02 01:49:01 EDT
Souhrn:

SELinux is preventing NetworkManager (NetworkManager_t) "read" to
./dhclient-wlan0.conf (dhcp_etc_t).

Podrobný popis:

SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./dhclient-wlan0.conf,

restorecon -v './dhclient-wlan0.conf'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                system_u:system_r:NetworkManager_t
Kontext cíle                 system_u:object_r:dhcp_etc_t
Objekty cíle                 ./dhclient-wlan0.conf [ file ]
Zdroj                         NetworkManager
Cesta zdroje                  /usr/sbin/NetworkManager
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          NetworkManager-0.7.0-0.11.svn3846.fc9
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-82.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.25.10-86.fc9.i686 #1 SMP Mon Jul
                              7 20:46:03 EDT 2008 i686 i686
Počet upozornění           9
Poprvé viděno               Čt 31. červenec 2008, 09:56:19 CEST
Naposledy viděno             So 2. srpen 2008, 07:13:40 CEST
Místní ID                   b392e97d-21ce-43f6-b64b-a9de2162c476
Čísla řádků              

Původní zprávy auditu      

host=viklef type=AVC msg=audit(1217654020.514:19): avc:  denied  { read } for 
pid=2573 comm="NetworkManager" name="dhclient-wlan0.conf" dev=dm-0 ino=2091293
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:dhcp_etc_t:s0 tclass=file

host=viklef type=SYSCALL msg=audit(1217654020.514:19): arch=40000003 syscall=5
success=no exit=-13 a0=8115698 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=2573
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager"
subj=system_u:system_r:NetworkManager_t:s0 key=(null)


Comment 4 Matěj Cepl 2008-08-02 01:52:07 EDT
My curent audit.log is in the attachment 313259 [details]
Comment 5 Daniel Walsh 2008-08-04 13:50:36 EDT
The original report of this AVC should have been fixed in -80. So I do not know why you would be seeing this with the 82 installed.

If you grep for NetworkManager /var/log/audit/audit.log | audit2why

What does it say?
Comment 6 David Cantrell 2008-08-06 15:19:46 EDT
Matej,

See comment #5.  Is this problem still happening?

Thanks.
Comment 7 Matěj Cepl 2008-08-27 19:17:58 EDT
Probably not, I cannot find any dhcp in /var/log/audit/audit.log. Let's close it for now.