Bug 457641

Summary: SELinux is preventing dhclient (dhcpc_t) "read" to ./nm-dhclient-wlan0.conf (NetworkManager_var_run_t).
Product: Fedora
Component: dhcp
Version: 9
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Hardware: All
OS: Linux
Keywords: SELinux
Reporter: Matěj Cepl <mcepl>
Assignee: David Cantrell <dcantrell>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: bron2481, dcbw, dwalsh, mcepl
Doc Type: Bug Fix
Last Closed: 2008-08-27 23:17:58 UTC

Description Matěj Cepl 2008-08-02 05:44:07 UTC
Summary:

SELinux is preventing dhclient (dhcpc_t) "read" to ./nm-dhclient-wlan0.conf
(NetworkManager_var_run_t).

Detailed Description:

SELinux denied access requested by dhclient. It is not expected that this access
is required by dhclient and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./nm-dhclient-wlan0.conf,

restorecon -v './nm-dhclient-wlan0.conf'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:dhcpc_t
Target Context                system_u:object_r:NetworkManager_var_run_t
Target Objects                ./nm-dhclient-wlan0.conf [ file ]
Source                        dhclient
Source Path                   /sbin/dhclient
Port                          <Unknown>
Host                          viklef
Source RPM Packages           dhclient-4.0.0-16.fc9
                              NetworkManager-0.7.0-0.11.svn3846.fc9.i386
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-82.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     viklef
Platform                      Linux viklef 2.6.25.10-86.fc9.i686 #1 SMP Mon Jul
                              7 20:46:03 EDT 2008 i686 i686
Alert Count                   10
First Seen                    Thu 31 July 2008, 09:56:19 CEST
Last Seen                     Sat 2 August 2008, 07:13:41 CEST
Local ID                      125b63fb-ab71-48c5-a7d4-dcfa311fbbf6
Line Numbers

Raw Audit Messages

host=viklef type=AVC msg=audit(1217654021.216:20): avc:  denied  { read } for 
pid=3418 comm="dhclient" name="nm-dhclient-wlan0.conf" dev=dm-0 ino=1274701
scontext=system_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file

host=viklef type=SYSCALL msg=audit(1217654021.216:20): arch=40000003 syscall=5
success=no exit=-13 a0=bfc83ecc a1=0 a2=bfc82978 a3=88e5630 items=0 ppid=1
pid=3418 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="dhclient" exe="/sbin/dhclient"
subj=system_u:system_r:dhcpc_t:s0 key=(null)

Comment 1 Matěj Cepl 2008-08-02 05:47:58 UTC
And there are a couple of (I guess) related AVC denials:


Summary:

SELinux is preventing NetworkManager (NetworkManager_t) "unlink" to
./nm-dhclient-wlan0.conf (var_run_t).

Detailed Description:

SELinux is preventing NetworkManager (NetworkManager_t) "unlink" to
./nm-dhclient-wlan0.conf (var_run_t). The SELinux type var_run_t is a generic
type for all files in the directory and very few processes (SELinux Domains) are
allowed to write to this SELinux type. This type of denial usually indicates a
mislabeled file. By default a file created in a directory gets the context of
the parent directory, but SELinux policy has rules about the creation of
directories that say if a process running in one SELinux Domain (D1) creates a
file in a directory with a particular SELinux File Context (F1), the file gets a
different File Context (F2). The policy usually allows the SELinux Domain (D1)
the ability to write, unlink, and append on (F2). But if for some reason a file
(./nm-dhclient-wlan0.conf) was created with the wrong context, this domain will
be denied. The usual solution to this problem is to reset the file context on
the target file, restorecon -v './nm-dhclient-wlan0.conf'. If the file context
does not change from var_run_t, then this is probably a bug in policy. Please
file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against
the selinux-policy package. If it does change, you can try your application
again to see if it works. The file context could have been mislabeled by editing
the file or moving the file from a different directory; if the file keeps
getting mislabeled, check the init scripts to see if they are doing something to
mislabel the file.

Allowing Access:

You can attempt to fix file context by executing restorecon -v
'./nm-dhclient-wlan0.conf'

Fix Command:

restorecon './nm-dhclient-wlan0.conf'

Additional Information:

Source Context                system_u:system_r:NetworkManager_t
Target Context                system_u:object_r:var_run_t
Target Objects                ./nm-dhclient-wlan0.conf [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          viklef
Source RPM Packages           NetworkManager-0.7.0-0.11.svn3846.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-82.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   mislabeled_file
Host Name                     viklef
Platform                      Linux viklef 2.6.25.11-97.fc9.i686 #1 SMP Mon Jul
                              21 01:31:09 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Fri 1 August 2008, 08:26:01 CEST
Last Seen                     Fri 1 August 2008, 08:26:01 CEST
Local ID                      ccdf21dc-8ea6-4ef8-b472-9550648c47d4
Line Numbers

Raw Audit Messages

host=viklef type=AVC msg=audit(1217571961.485:1411): avc:  denied  { unlink }
for  pid=2606 comm="NetworkManager" name="nm-dhclient-wlan0.conf" dev=dm-0
ino=1274647 scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=file

host=viklef type=SYSCALL msg=audit(1217571961.485:1411): arch=40000003
syscall=10 success=no exit=-13 a0=93dcb78 a1=29 a2=2eeff4 a3=93dcb78 items=0
ppid=1 pid=2606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager"
exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)




Comment 2 Matěj Cepl 2008-08-02 05:48:23 UTC
Also:


Summary:

SELinux is preventing dhclient (dhcpc_t) "read" to ./nm-dhclient-eth0.conf
(NetworkManager_var_run_t).

Detailed Description:

SELinux denied access requested by dhclient. It is not expected that this access
is required by dhclient and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./nm-dhclient-eth0.conf,

restorecon -v './nm-dhclient-eth0.conf'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:dhcpc_t
Target Context                system_u:object_r:NetworkManager_var_run_t
Target Objects                ./nm-dhclient-eth0.conf [ file ]
Source                        dhclient
Source Path                   /sbin/dhclient
Port                          <Unknown>
Host                          viklef
Source RPM Packages           dhclient-4.0.0-16.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-82.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     viklef
Platform                      Linux viklef 2.6.25.11-97.fc9.i686 #1 SMP Mon Jul
                              21 01:31:09 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Fri 1 August 2008, 10:06:08 CEST
Last Seen                     Fri 1 August 2008, 16:03:46 CEST
Local ID                      ee430b28-4a8f-4e49-aeb1-935eb3f68de1
Line Numbers

Raw Audit Messages

host=viklef type=AVC msg=audit(1217599426.315:8): avc:  denied  { read } for 
pid=2754 comm="dhclient" name="nm-dhclient-eth0.conf" dev=dm-0 ino=1274691
scontext=system_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file

host=viklef type=SYSCALL msg=audit(1217599426.315:8): arch=40000003 syscall=5
success=no exit=-13 a0=bfbc3ece a1=0 a2=bfbc2cf8 a3=8572630 items=0 ppid=1
pid=2754 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="dhclient" exe="/sbin/dhclient"
subj=system_u:system_r:dhcpc_t:s0 key=(null)




Comment 3 Matěj Cepl 2008-08-02 05:49:01 UTC
Summary:

SELinux is preventing NetworkManager (NetworkManager_t) "read" to
./dhclient-wlan0.conf (dhcp_etc_t).

Detailed Description:

SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./dhclient-wlan0.conf,

restorecon -v './dhclient-wlan0.conf'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t
Target Context                system_u:object_r:dhcp_etc_t
Target Objects                ./dhclient-wlan0.conf [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          viklef
Source RPM Packages           NetworkManager-0.7.0-0.11.svn3846.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-82.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     viklef
Platform                      Linux viklef 2.6.25.10-86.fc9.i686 #1 SMP Mon Jul
                              7 20:46:03 EDT 2008 i686 i686
Alert Count                   9
First Seen                    Thu 31 July 2008, 09:56:19 CEST
Last Seen                     Sat 2 August 2008, 07:13:40 CEST
Local ID                      b392e97d-21ce-43f6-b64b-a9de2162c476
Line Numbers

Raw Audit Messages

host=viklef type=AVC msg=audit(1217654020.514:19): avc:  denied  { read } for 
pid=2573 comm="NetworkManager" name="dhclient-wlan0.conf" dev=dm-0 ino=2091293
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:dhcp_etc_t:s0 tclass=file

host=viklef type=SYSCALL msg=audit(1217654020.514:19): arch=40000003 syscall=5
success=no exit=-13 a0=8115698 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=2573
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager"
subj=system_u:system_r:NetworkManager_t:s0 key=(null)




Comment 4 Matěj Cepl 2008-08-02 05:52:07 UTC
My current audit.log is in attachment 313259.

Comment 5 Daniel Walsh 2008-08-04 17:50:36 UTC
The original report of this AVC should have been fixed in -80. So I do not know why you would be seeing this with the 82 installed.

If you grep for NetworkManager /var/log/audit/audit.log | audit2why

What does it say?
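One way to do the triage suggested in comment 5 offline, as an added example that is not part of this bug, of setroubleshoot or of audit2why: parse the AVC records quoted above, collapse identical denials the way audit2allow does, print the allow rule each would need, and flag denials whose target carries a generic type (here var_run_t) as label problems to fix with restorecon rather than with a policy module. The sample log text is constructed from the records in this report, and the GENERIC_TARGET_TYPES list is an assumption an analyst would extend.

```python
import re
from collections import Counter

# Constructed sample: the AVC records quoted in this bug, one per line, plus a
# SYSCALL record that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1217654021.216:20): avc:  denied  { read } for  pid=3418 comm="dhclient" name="nm-dhclient-wlan0.conf" dev=dm-0 ino=1274701 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file
type=AVC msg=audit(1217571961.485:1411): avc:  denied  { unlink } for  pid=2606 comm="NetworkManager" name="nm-dhclient-wlan0.conf" dev=dm-0 ino=1274647 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1217654020.514:19): avc:  denied  { read } for  pid=2573 comm="NetworkManager" name="dhclient-wlan0.conf" dev=dm-0 ino=2091293 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcp_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1217654021.216:20): arch=40000003 syscall=5 success=no exit=-13 comm="dhclient" exe="/sbin/dhclient"
"""

AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Generic types that point to a mislabeled file (assumption: extend as needed).
GENERIC_TARGET_TYPES = {"var_run_t"}

def selinux_type(context):
    """Type field of a user:role:type[:level] context string."""
    return context.split(":")[2]

def parse_avc(text):
    """One (stype, ttype, tclass, perm) tuple per denied permission."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:          # SYSCALL and other record types are skipped
            continue
        for perm in m.group("perms").split():
            denials.append((selinux_type(m.group("scontext")),
                            selinux_type(m.group("tcontext")),
                            m.group("tclass"), perm))
    return denials

def summarize(denials):
    """Count identical denials, as audit2allow collapses a log."""
    return Counter(denials)

def proposed_rule(denial):
    """The allow rule audit2allow would generate for one denial tuple."""
    stype, ttype, tclass, perm = denial
    return f"allow {stype} {ttype}:{tclass} {perm};"

def mislabel_candidates(denials):
    """Denials on a generic target type: fix the label, not the policy."""
    return [d for d in denials if d[1] in GENERIC_TARGET_TYPES]

if __name__ == "__main__":
    for denial, n in summarize(parse_avc(SAMPLE_AUDIT_LOG)).items():
        flag = "  # mislabeled? try restorecon" if mislabel_candidates([denial]) else ""
        print(f"{n}x {proposed_rule(denial)}{flag}")
```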

Comment 6 David Cantrell 2008-08-06 19:19:46 UTC
Matej,

See comment #5.  Is this problem still happening?

Thanks.

Comment 7 Matěj Cepl 2008-08-27 23:17:58 UTC
Probably not, I cannot find any dhcp in /var/log/audit/audit.log. Let's close it for now.