Bug 465119

Summary: multiple selinux failures with NetworkManager-0.7.0-0.11.svn4022.fc9.i386
Product: Fedora
Component: selinux-policy
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 9
Hardware: All
OS: Linux
Reporter: Stephen <sdeasey>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dcbw, dwalsh, jkubin, mgrepl, wtogami
Doc Type: Bug Fix
Last Closed: 2009-06-10 11:12:50 UTC

Attachments:
  sealert output (flags: none)
  selinux complaining about networkmanager (flags: none)

Description Stephen 2008-10-01 16:55:32 UTC
Created attachment 319128 [details]
sealert output

Description of problem:

The new connection sharing feature of NetworkManager fails to work because of multiple selinux errors (interaction with dnsmasq etc.).  I've attached some log info.

Version-Release number of selected component (if applicable):

NetworkManager-0.7.0-0.11.svn4022.fc9.i386

Additional info:

selinux-policy-3.3.1-91.fc9.noarch
selinux-policy-targeted-3.3.1-91.fc9.noarch
kernel-2.6.26.3-29.fc9.i686

Comment 1 Dan Williams 2008-10-02 20:18:50 UTC
Yeah, they all look legit; NM will spawn both avahi-autoipd (which writes pidfiles to /var/lib/ I think) and dnsmasq (which tries to be a caching nameserver and also writes pidfiles).  NM will also execute /sbin/iptables when adding firewall rules for connection sharing.

(dan: these policy additions will also be valid for RHEL5.3)

Comment 2 Dan Williams 2008-11-02 22:39:06 UTC
Probably already fixed; but over to selinux-policy for confirmation.

Comment 3 Stephen 2008-11-03 00:10:55 UTC
btw. just tried to install a Huawei k3520 3G modem and got some selinux failures with ppp.

I think this general class of bug is that no one is testing network manager (and related dependencies) with selinux enabled...?


(here are the ppp errors:)

Summary:

SELinux is preventing pppd (NetworkManager_t) "remove_name" to ./LCK..ttyUSB0
(var_lock_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by pppd. It is not expected that this access is
required by pppd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./LCK..ttyUSB0,

restorecon -v './LCK..ttyUSB0'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:var_lock_t:s0
Target Objects                ./LCK..ttyUSB0 [ dir ]
Source                        pppd
Source Path                   /usr/sbin/pppd
Port                          <Unknown>
Host                          groks.localdomain
Source RPM Packages           ppp-2.4.4-7.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-99.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     groks.localdomain
Platform                      Linux groks.localdomain 2.6.26.6-79.fc9.i686 #1
                              SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
Alert Count                   2
First Seen                    Sun 02 Nov 2008 05:42:39 PM GMT
Last Seen                     Sun 02 Nov 2008 09:54:52 PM GMT
Local ID                      320afb53-6fad-4b78-8244-8301f664900f
Line Numbers                  

Raw Audit Messages            

host=groks.localdomain type=AVC msg=audit(1225662892.519:19): avc:  denied  { remove_name } for  pid=3044 comm="pppd" name="LCK..ttyUSB0" dev=dm-0 ino=86082 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir

host=groks.localdomain type=AVC msg=audit(1225662892.519:19): avc:  denied  { unlink } for  pid=3044 comm="pppd" name="LCK..ttyUSB0" dev=dm-0 ino=86082 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file

host=groks.localdomain type=SYSCALL msg=audit(1225662892.519:19): arch=40000003 syscall=10 success=yes exit=0 a0=b80b22c0 a1=306ff4 a2=b80aafc4 a3=b80f975c items=0 ppid=2090 pid=3044 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:NetworkManager_t:s0 key=(null)




Summary:

SELinux is preventing pppd (NetworkManager_t) "execute" to ./pppd (pppd_exec_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by pppd. It is not expected that this access is
required by pppd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./pppd,

restorecon -v './pppd'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:pppd_exec_t:s0
Target Objects                ./pppd [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          groks.localdomain
Source RPM Packages           ppp-2.4.4-7.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-99.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     groks.localdomain
Platform                      Linux groks.localdomain 2.6.26.6-79.fc9.i686 #1
                              SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Sun 02 Nov 2008 05:40:47 PM GMT
Last Seen                     Sun 02 Nov 2008 09:54:46 PM GMT
Local ID                      93ae06c1-0a70-44a5-9215-8d9e4ac09cb4
Line Numbers                  

Raw Audit Messages            

host=groks.localdomain type=AVC msg=audit(1225662886.66:13): avc:  denied  { execute } for  pid=3044 comm="NetworkManager" name="pppd" dev=dm-0 ino=327934 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:pppd_exec_t:s0 tclass=file

host=groks.localdomain type=AVC msg=audit(1225662886.66:13): avc:  denied  { read } for  pid=3044 comm="NetworkManager" name="pppd" dev=dm-0 ino=327934 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:pppd_exec_t:s0 tclass=file

host=groks.localdomain type=AVC msg=audit(1225662886.66:13): avc:  denied  { execute_no_trans } for  pid=3044 comm="NetworkManager" path="/usr/sbin/pppd" dev=dm-0 ino=327934 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:pppd_exec_t:s0 tclass=file

host=groks.localdomain type=SYSCALL msg=audit(1225662886.66:13): arch=40000003 syscall=11 success=yes exit=0 a0=952e808 a1=9521a98 a2=bfc7a240 a3=952e808 items=0 ppid=2090 pid=3044 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:NetworkManager_t:s0 key=(null)



Summary:

SELinux is preventing pppd (NetworkManager_t) "getattr" to /etc/ppp/options
(pppd_etc_rw_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by pppd. It is not expected that this access is
required by pppd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /etc/ppp/options,

restorecon -v '/etc/ppp/options'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:pppd_etc_rw_t:s0
Target Objects                /etc/ppp/options [ file ]
Source                        pppd
Source Path                   /usr/sbin/pppd
Port                          <Unknown>
Host                          groks.localdomain
Source RPM Packages           ppp-2.4.4-7.fc9
Target RPM Packages           ppp-2.4.4-7.fc9
Policy RPM                    selinux-policy-3.3.1-99.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     groks.localdomain
Platform                      Linux groks.localdomain 2.6.26.6-79.fc9.i686 #1
                              SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
Alert Count                   2
First Seen                    Sun 02 Nov 2008 05:42:32 PM GMT
Last Seen                     Sun 02 Nov 2008 09:54:46 PM GMT
Local ID                      dade32b2-cad7-4fb4-82a4-75d5ca137dd5
Line Numbers                  

Raw Audit Messages            

host=groks.localdomain type=AVC msg=audit(1225662886.305:15): avc:  denied  { getattr } for  pid=3044 comm="pppd" path="/etc/ppp/options" dev=dm-0 ino=19556 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:pppd_etc_rw_t:s0 tclass=file

host=groks.localdomain type=SYSCALL msg=audit(1225662886.305:15): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bfaa7a04 a2=306ff4 a3=b8ee7080 items=0 ppid=2090 pid=3044 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:NetworkManager_t:s0 key=(null)




Summary:

SELinux is preventing pppd (NetworkManager_t) "read" to ./options
(pppd_etc_rw_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by pppd. It is not expected that this access is
required by pppd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./options,

restorecon -v './options'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:pppd_etc_rw_t:s0
Target Objects                ./options [ file ]
Source                        pppd
Source Path                   /usr/sbin/pppd
Port                          <Unknown>
Host                          groks.localdomain
Source RPM Packages           ppp-2.4.4-7.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-99.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     groks.localdomain
Platform                      Linux groks.localdomain 2.6.26.6-79.fc9.i686 #1
                              SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
Alert Count                   2
First Seen                    Sun 02 Nov 2008 05:42:32 PM GMT
Last Seen                     Sun 02 Nov 2008 09:54:46 PM GMT
Local ID                      3b1c3ef0-0ba3-4627-a03a-d214bc4eeadd
Line Numbers                  

Raw Audit Messages            

host=groks.localdomain type=AVC msg=audit(1225662886.286:14): avc:  denied  { read } for  pid=3044 comm="pppd" name="options" dev=dm-0 ino=19556 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:pppd_etc_rw_t:s0 tclass=file

host=groks.localdomain type=SYSCALL msg=audit(1225662886.286:14): arch=40000003 syscall=5 success=yes exit=4 a0=b809b0a3 a1=0 a2=1b6 a3=0 items=0 ppid=2090 pid=3044 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Comment 4 Daniel Walsh 2008-11-03 19:43:37 UTC
Fixed in selinux-policy-3.3.1-103.fc9

Comment 5 Stephen 2008-11-03 20:19:09 UTC
I have selinux-policy-3.3.1-103.fc9 installed and am still experiencing this problem.

I'll attach the complaints from selinux.


btw. here is another bug. The error report tries to be helpful by giving you a command to run which may fix the problem. Here is an example:

  restorecon -v '<Unknown>'

and:

  restorecon -v './dnsmasq'

(relative path).


:-(
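
Added example (not part of this bug report, and not code from NetworkManager or selinux-policy): a small Python parser for the raw AVC records quoted in Comment 3, which folds them into the audit2allow-style rule lines each denial literally asks for and, for the relative-path complaint in Comment 5, flags the targets for which the kernel reported only a bare name= and no path=, so sealert had nothing meaningful to hand to restorecon. The sample input is constructed from the records above; the parser itself is a plain key=value field splitter, not the real audit2allow.

```python
import re
from collections import defaultdict

# Constructed sample input: the raw AVC records quoted in Comment 3 above, plus one
# SYSCALL record that the parser must ignore.
SAMPLE_AUDIT = """\
host=groks.localdomain type=AVC msg=audit(1225662892.519:19): avc:  denied  { remove_name } for  pid=3044 comm="pppd" name="LCK..ttyUSB0" dev=dm-0 ino=86082 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
host=groks.localdomain type=AVC msg=audit(1225662892.519:19): avc:  denied  { unlink } for  pid=3044 comm="pppd" name="LCK..ttyUSB0" dev=dm-0 ino=86082 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
host=groks.localdomain type=AVC msg=audit(1225662886.66:13): avc:  denied  { execute } for  pid=3044 comm="NetworkManager" name="pppd" dev=dm-0 ino=327934 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:pppd_exec_t:s0 tclass=file
host=groks.localdomain type=AVC msg=audit(1225662886.66:13): avc:  denied  { read } for  pid=3044 comm="NetworkManager" name="pppd" dev=dm-0 ino=327934 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:pppd_exec_t:s0 tclass=file
host=groks.localdomain type=AVC msg=audit(1225662886.66:13): avc:  denied  { execute_no_trans } for  pid=3044 comm="NetworkManager" path="/usr/sbin/pppd" dev=dm-0 ino=327934 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:pppd_exec_t:s0 tclass=file
host=groks.localdomain type=AVC msg=audit(1225662886.305:15): avc:  denied  { getattr } for  pid=3044 comm="pppd" path="/etc/ppp/options" dev=dm-0 ino=19556 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:pppd_etc_rw_t:s0 tclass=file
host=groks.localdomain type=SYSCALL msg=audit(1225662886.305:15): arch=40000003 syscall=197 success=yes exit=0 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
"""

PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one type=AVC denial, or None for any other record type."""
    m = PERMS_RE.search(line)
    if 'type=AVC' not in line or m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    # A context reads user:role:type:level; policy rules are written against the type.
    return {
        'perms': m.group('perms').split(),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'comm': fields.get('comm', '?'),
        # path= appears only when the kernel resolved a full path.  With a bare name=
        # there is nothing sensible to hand to restorecon, hence "restorecon -v './LCK..ttyUSB0'".
        'path': fields.get('path'),
        'name': fields.get('name'),
    }

def summarize(audit_text):
    """Fold denials into audit2allow-style rule lines and list targets with no absolute path.
    Caveat: execute_no_trans on an *_exec_t type usually means a domain transition is missing."""
    rules = defaultdict(set)
    unresolved = set()
    for rec in filter(None, map(parse_avc, audit_text.splitlines())):
        rules[(rec['source_type'], rec['target_type'], rec['tclass'])].update(rec['perms'])
        if rec['path'] is None:
            unresolved.add((rec['comm'], rec['name']))
    rule_lines = ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
                  for (s, t, c), p in sorted(rules.items())]
    return rule_lines, sorted(unresolved)
```

Running summarize(SAMPLE_AUDIT) yields four rule lines, one per (source type, target type, class) triple, with the execute, read and execute_no_trans denials on pppd_exec_t merged into a single rule.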

Comment 6 Stephen 2008-11-03 20:20:33 UTC
Created attachment 322364 [details]
selinux complaining about networkmanager

Comment 7 Stephen 2008-12-06 06:23:50 UTC
This bug is showing up as NEEDINFO from me. The last posted fix didn't work so I had to disable enforcing on selinux. Now I've upgraded to F10.

Someone else will have to confirm whether this is fixed or not.

Comment 8 Bug Zapper 2009-06-10 02:51:31 UTC
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping