Bug 464615

Summary: SELinux is preventing NetworkManager (NetworkManager_t) "sys_admin" to <Unknown> (NetworkManager_t).
Product: Red Hat Enterprise Linux 5
Component: selinux-policy
Version: 5.3
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Target Milestone: beta
Reporter: Suzanne Hillman <shillman>
Assignee: Daniel Walsh <dwalsh>
QA Contact: BaseOS QE <qe-baseos-auto>
CC: dcbw, syeghiay
Doc Type: Bug Fix
Last Closed: 2008-09-29 19:16:25 UTC

Description Suzanne Hillman 2008-09-29 18:27:34 UTC
Description of problem:
SELinux is preventing NetworkManager (NetworkManager_t) "sys_admin" to <Unknown> (NetworkManager_t). This happens every time I plug in the ethernet cable and it connects to it (also when it first connects on a start).

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-158.el5
NetworkManager-0.7.0-0.11.svn4082.el5
dbus-1.1.2-10.el5

How reproducible:
Always

Steps to Reproduce:
1. Start NetworkManager
2. If not already connected, plug in a network cable.
3. If not already enabled, enable "Auto Ethernet".
  
Actual results:
Aforementioned SELinux denial

Expected results:
No denial

Additional info:

Raw Audit Messages:

host=dhcp-100-2-166.bos.redhat.com type=AVC msg=audit(1222712955.594:398): avc: denied { sys_admin } for pid=4330 comm="NetworkManager" capability=21 scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:system_r:NetworkManager_t:s0 tclass=capability

host=dhcp-100-2-166.bos.redhat.com type=SYSCALL msg=audit(1222712955.594:398): arch=40000003 syscall=74 success=no exit=-1 a0=80aecba a1=15 a2=0 a3=bff843c8 items=0 ppid=1 pid=4330 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=user_u:system_r:NetworkManager_t:s0 key=(null)

Comment 1 Suzanne Hillman 2008-09-29 18:32:55 UTC
Possibly related; less clearly so (can't tell what's causing it):

host=dhcp-100-2-166.bos.redhat.com type=AVC msg=audit(1222710360.1:307): avc: denied { sys_admin } for pid=3386 comm="NetworkManager" capability=21 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability 

host=dhcp-100-2-166.bos.redhat.com type=SYSCALL msg=audit(1222710360.1:307): arch=40000003 syscall=74 success=no exit=-1 a0=80aecba a1=15 a2=0 a3=bfab2a58 items=0 ppid=1 pid=3386 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null) 

and

host=dhcp-100-2-166.bos.redhat.com type=AVC msg=audit(1222457473.789:37): avc: denied { sys_admin } for pid=3964 comm="NetworkManager" capability=21 scontext=root:system_r:NetworkManager_t:s0 tcontext=root:system_r:NetworkManager_t:s0 tclass=capability 

host=dhcp-100-2-166.bos.redhat.com type=SYSCALL msg=audit(1222457473.789:37): arch=40000003 syscall=74 success=no exit=-1 a0=80aecba a1=15 a2=0 a3=bfd9c208 items=0 ppid=1 pid=3964 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=root:system_r:NetworkManager_t:s0 key=(null)

Comment 3 Daniel Walsh 2008-09-29 19:16:25 UTC
I have been told that this is the wrong version of Network Manager; the one that will ship will not be setting the hostname and will not need this priv.

Comment 4 Dan Williams 2008-09-29 22:17:31 UTC
Yeah, svn4088 or later turns off hostname updates. 4088 is what's attached to the errata; apparently it's not getting pulled into the composes.
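
Comments 3 and 4 attribute the denial to hostname updates, and the raw records bear that out once the AVC and SYSCALL records sharing an audit id are joined. The following is an added example, not part of the bug thread or of any Red Hat tool; the function names are illustrative, and the lookup tables hold only the values seen in this report (arch 40000003 is i386, i386 syscall 74 is sethostname, capability 21 is CAP_SYS_ADMIN).

```python
import re
from collections import defaultdict

# Lookup tables limited to the values that occur in this report.
AUDIT_ARCH = {0x40000003: "i386"}      # AUDIT_ARCH_I386
I386_SYSCALLS = {74: "sethostname"}    # i386 syscall table
CAPABILITIES = {21: "CAP_SYS_ADMIN"}   # linux/capability.h

# The AVC/SYSCALL pair from the bug description, copied from the report.
SAMPLE = """\
host=dhcp-100-2-166.bos.redhat.com type=AVC msg=audit(1222712955.594:398): avc: denied { sys_admin } for pid=4330 comm="NetworkManager" capability=21 scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:system_r:NetworkManager_t:s0 tclass=capability
host=dhcp-100-2-166.bos.redhat.com type=SYSCALL msg=audit(1222712955.594:398): arch=40000003 syscall=74 success=no exit=-1 a0=80aecba a1=15 a2=0 a3=bff843c8 items=0 ppid=1 pid=4330 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=user_u:system_r:NetworkManager_t:s0 key=(null)
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{([^}]*)\}")

def parse_records(text):
    """Group records by (timestamp, serial); a shared id means one kernel event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("type") == "AVC":
            p = PERMS.search(line)
            fields["perms"] = p.group(1).split() if p else []
        events[(m.group(1), int(m.group(2)))][fields.get("type")] = fields
    return dict(events)

def explain(event):
    """Join an AVC capability denial with the syscall that triggered it."""
    avc, sc = event.get("AVC"), event.get("SYSCALL")
    if not avc or not sc or "capability" not in avc:
        return None
    arch = AUDIT_ARCH.get(int(sc["arch"], 16), "unknown")  # arch is hex in raw logs
    nr = int(sc["syscall"])                                 # syscall number is decimal
    table = I386_SYSCALLS if arch == "i386" else {}
    cap = int(avc["capability"])
    return {
        "domain": avc["scontext"].split(":")[2],
        "perms": avc["perms"],
        "capability": CAPABILITIES.get(cap, f"cap#{cap}"),
        "syscall": table.get(nr, f"syscall#{nr}"),
        "success": sc["success"],
        "exe": sc["exe"],
    }

if __name__ == "__main__":
    for key, ev in parse_records(SAMPLE).items():
        print(key, explain(ev))
```

For event 398 this reports a failed sethostname call from /usr/sbin/NetworkManager in the NetworkManager_t domain, denied CAP_SYS_ADMIN.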