Bug 465119
| Field | Value |
|---|---|
| Summary | multiple selinux failures with NetworkManager-0.7.0-0.11.svn4022.fc9.i386 |
| Product | Fedora |
| Component | selinux-policy |
| Version | 9 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | medium |
| Reporter | Stephen <sdeasey> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dcbw, dwalsh, jkubin, mgrepl, wtogami |
| Doc Type | Bug Fix |
| Last Closed | 2009-06-10 11:12:50 UTC |
Yeah, they all look legit; NM will spawn both avahi-autoipd (which writes pidfiles to /var/lib/, I think) and dnsmasq (which tries to be a caching nameserver and also writes pidfiles). NM will also execute /sbin/iptables when adding firewall rules for connection sharing. (dan: these policy additions will also be valid for RHEL 5.3)

Probably already fixed, but over to selinux-policy for confirmation.

BTW, I just tried to install a Huawei k3520 3G modem and got some SELinux failures with ppp. I think this general class of bug is that no one is testing NetworkManager (and related dependencies) with SELinux enabled...? Here are the ppp errors:

Summary: SELinux is preventing pppd (NetworkManager_t) "remove_name" to ./LCK..ttyUSB0 (var_lock_t).

Detailed Description: [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux denied access requested by pppd. It is not expected that this access is required by pppd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./LCK..ttyUSB0, restorecon -v './LCK..ttyUSB0'. If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385). Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context: system_u:system_r:NetworkManager_t:s0
Target Context: system_u:object_r:var_lock_t:s0
Target Objects: ./LCK..ttyUSB0 [ dir ]
Source: pppd
Source Path: /usr/sbin/pppd
Port: <Unknown>
Host: groks.localdomain
Source RPM Packages: ppp-2.4.4-7.fc9
Target RPM Packages:
Policy RPM: selinux-policy-3.3.1-99.fc9
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: catchall_file
Host Name: groks.localdomain
Platform: Linux groks.localdomain 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
Alert Count: 2
First Seen: Sun 02 Nov 2008 05:42:39 PM GMT
Last Seen: Sun 02 Nov 2008 09:54:52 PM GMT
Local ID: 320afb53-6fad-4b78-8244-8301f664900f
Line Numbers:

Raw Audit Messages:
host=groks.localdomain type=AVC msg=audit(1225662892.519:19): avc: denied { remove_name } for pid=3044 comm="pppd" name="LCK..ttyUSB0" dev=dm-0 ino=86082 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
host=groks.localdomain type=AVC msg=audit(1225662892.519:19): avc: denied { unlink } for pid=3044 comm="pppd" name="LCK..ttyUSB0" dev=dm-0 ino=86082 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
host=groks.localdomain type=SYSCALL msg=audit(1225662892.519:19): arch=40000003 syscall=10 success=yes exit=0 a0=b80b22c0 a1=306ff4 a2=b80aafc4 a3=b80f975c items=0 ppid=2090 pid=3044 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Summary: SELinux is preventing pppd (NetworkManager_t) "execute" to ./pppd (pppd_exec_t).

Detailed Description: [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux denied access requested by pppd. It is not expected that this access is required by pppd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./pppd, restorecon -v './pppd'. If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385). Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context: system_u:system_r:NetworkManager_t:s0
Target Context: system_u:object_r:pppd_exec_t:s0
Target Objects: ./pppd [ file ]
Source: NetworkManager
Source Path: /usr/sbin/NetworkManager
Port: <Unknown>
Host: groks.localdomain
Source RPM Packages: ppp-2.4.4-7.fc9
Target RPM Packages:
Policy RPM: selinux-policy-3.3.1-99.fc9
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: catchall_file
Host Name: groks.localdomain
Platform: Linux groks.localdomain 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
Alert Count: 3
First Seen: Sun 02 Nov 2008 05:40:47 PM GMT
Last Seen: Sun 02 Nov 2008 09:54:46 PM GMT
Local ID: 93ae06c1-0a70-44a5-9215-8d9e4ac09cb4
Line Numbers:

Raw Audit Messages:
host=groks.localdomain type=AVC msg=audit(1225662886.66:13): avc: denied { execute } for pid=3044 comm="NetworkManager" name="pppd" dev=dm-0 ino=327934 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:pppd_exec_t:s0 tclass=file
host=groks.localdomain type=AVC msg=audit(1225662886.66:13): avc: denied { read } for pid=3044 comm="NetworkManager" name="pppd" dev=dm-0 ino=327934 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:pppd_exec_t:s0 tclass=file
host=groks.localdomain type=AVC msg=audit(1225662886.66:13): avc: denied { execute_no_trans } for pid=3044 comm="NetworkManager" path="/usr/sbin/pppd" dev=dm-0 ino=327934 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:pppd_exec_t:s0 tclass=file
host=groks.localdomain type=SYSCALL msg=audit(1225662886.66:13): arch=40000003 syscall=11 success=yes exit=0 a0=952e808 a1=9521a98 a2=bfc7a240 a3=952e808 items=0 ppid=2090 pid=3044 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Summary: SELinux is preventing pppd (NetworkManager_t) "getattr" to /etc/ppp/options (pppd_etc_rw_t).

Detailed Description: [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux denied access requested by pppd. It is not expected that this access is required by pppd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /etc/ppp/options, restorecon -v '/etc/ppp/options'. If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385). Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context: system_u:system_r:NetworkManager_t:s0
Target Context: system_u:object_r:pppd_etc_rw_t:s0
Target Objects: /etc/ppp/options [ file ]
Source: pppd
Source Path: /usr/sbin/pppd
Port: <Unknown>
Host: groks.localdomain
Source RPM Packages: ppp-2.4.4-7.fc9
Target RPM Packages: ppp-2.4.4-7.fc9
Policy RPM: selinux-policy-3.3.1-99.fc9
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: catchall_file
Host Name: groks.localdomain
Platform: Linux groks.localdomain 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
Alert Count: 2
First Seen: Sun 02 Nov 2008 05:42:32 PM GMT
Last Seen: Sun 02 Nov 2008 09:54:46 PM GMT
Local ID: dade32b2-cad7-4fb4-82a4-75d5ca137dd5
Line Numbers:

Raw Audit Messages:
host=groks.localdomain type=AVC msg=audit(1225662886.305:15): avc: denied { getattr } for pid=3044 comm="pppd" path="/etc/ppp/options" dev=dm-0 ino=19556 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:pppd_etc_rw_t:s0 tclass=file
host=groks.localdomain type=SYSCALL msg=audit(1225662886.305:15): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bfaa7a04 a2=306ff4 a3=b8ee7080 items=0 ppid=2090 pid=3044 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Summary: SELinux is preventing pppd (NetworkManager_t) "read" to ./options (pppd_etc_rw_t).

Detailed Description: [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux denied access requested by pppd. It is not expected that this access is required by pppd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./options, restorecon -v './options'. If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385). Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context: system_u:system_r:NetworkManager_t:s0
Target Context: system_u:object_r:pppd_etc_rw_t:s0
Target Objects: ./options [ file ]
Source: pppd
Source Path: /usr/sbin/pppd
Port: <Unknown>
Host: groks.localdomain
Source RPM Packages: ppp-2.4.4-7.fc9
Target RPM Packages:
Policy RPM: selinux-policy-3.3.1-99.fc9
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: catchall_file
Host Name: groks.localdomain
Platform: Linux groks.localdomain 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
Alert Count: 2
First Seen: Sun 02 Nov 2008 05:42:32 PM GMT
Last Seen: Sun 02 Nov 2008 09:54:46 PM GMT
Local ID: 3b1c3ef0-0ba3-4627-a03a-d214bc4eeadd
Line Numbers:

Raw Audit Messages:
host=groks.localdomain type=AVC msg=audit(1225662886.286:14): avc: denied { read } for pid=3044 comm="pppd" name="options" dev=dm-0 ino=19556 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:pppd_etc_rw_t:s0 tclass=file
host=groks.localdomain type=SYSCALL msg=audit(1225662886.286:14): arch=40000003 syscall=5 success=yes exit=4 a0=b809b0a3 a1=0 a2=1b6 a3=0 items=0 ppid=2090 pid=3044 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Fixed in selinux-policy-3.3.1-103.fc9

I have selinux-policy-3.3.1-103.fc9 installed and am still experiencing this problem. I'll attach the complaints from SELinux.

BTW, here is another bug. The error report tries to be helpful by giving you a command to run which may fix the problem. Here is an example:

restorecon -v '<Unknown>'

and:

restorecon -v './dnsmasq'

(relative path) :-(

Created attachment 322364 [details]
selinux complaining about networkmanager
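The raw audit messages in the sealert output above are exactly what audit2allow consumes. As an added example, not part of this bug report and not code from the NetworkManager or selinux-policy projects, the following Python script parses those AVC records (copied from the report into a constructed sample, with the SYSCALL record left in so the parser has to skip it), merges the denied permissions per (source type, target type, object class) the way audit2allow does, and separately flags the execute_no_trans denial. That flag is the security-relevant check: an allow rule for execute_no_trans would let NetworkManager run /usr/sbin/pppd without leaving NetworkManager_t, so pppd would keep every permission of the daemon that spawned it; the file is labelled pppd_exec_t precisely so that a domain transition into pppd's own domain can happen, and that transition rule, not the literal allow, is the fix the policy needs. The regex and helper names are this example's own.

```python
"""Group SELinux AVC denials into audit2allow-style allow rules.

Added example, not code from the bug report or from NetworkManager or
selinux-policy. The sample records are the raw audit messages quoted in
the report; the SYSCALL record is shortened but kept so the parser has
something to ignore.
"""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample: AVC and SYSCALL records as sealert printed them above.
SAMPLE_AUDIT = """\
host=groks.localdomain type=AVC msg=audit(1225662892.519:19): avc: denied { remove_name } for pid=3044 comm="pppd" name="LCK..ttyUSB0" dev=dm-0 ino=86082 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
host=groks.localdomain type=AVC msg=audit(1225662892.519:19): avc: denied { unlink } for pid=3044 comm="pppd" name="LCK..ttyUSB0" dev=dm-0 ino=86082 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
host=groks.localdomain type=SYSCALL msg=audit(1225662892.519:19): arch=40000003 syscall=10 success=yes exit=0 ppid=2090 pid=3044 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
host=groks.localdomain type=AVC msg=audit(1225662886.66:13): avc: denied { execute } for pid=3044 comm="NetworkManager" name="pppd" dev=dm-0 ino=327934 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:pppd_exec_t:s0 tclass=file
host=groks.localdomain type=AVC msg=audit(1225662886.66:13): avc: denied { read } for pid=3044 comm="NetworkManager" name="pppd" dev=dm-0 ino=327934 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:pppd_exec_t:s0 tclass=file
host=groks.localdomain type=AVC msg=audit(1225662886.66:13): avc: denied { execute_no_trans } for pid=3044 comm="NetworkManager" path="/usr/sbin/pppd" dev=dm-0 ino=327934 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:pppd_exec_t:s0 tclass=file
host=groks.localdomain type=AVC msg=audit(1225662886.305:15): avc: denied { getattr } for pid=3044 comm="pppd" path="/etc/ppp/options" dev=dm-0 ino=19556 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:pppd_etc_rw_t:s0 tclass=file
host=groks.localdomain type=AVC msg=audit(1225662886.286:14): avc: denied { read } for pid=3044 comm="pppd" name="options" dev=dm-0 ino=19556 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:pppd_etc_rw_t:s0 tclass=file
"""

# Matches only AVC records: the denied permission set and the three fields
# an allow rule is built from. Anything else (SYSCALL, PATH, ...) is skipped.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

Rule = Tuple[str, str, str]  # (source type, target type, object class)


def context_type(context: str) -> str:
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[Tuple[Rule, FrozenSet[str]]]:
    """Parse one audit record; None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rule = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
    return rule, frozenset(m["perms"].split())


def collect_rules(audit_text: str) -> Dict[Rule, set]:
    """Merge the denied permissions of every AVC record per (source, target, class)."""
    rules: Dict[Rule, set] = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            rule, perms = parsed
            rules[rule].update(perms)
    return dict(rules)


def format_allow(rules: Dict[Rule, set]) -> List[str]:
    """Render the merged denials as policy allow rules, sorted for stable output."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


def transition_candidates(rules: Dict[Rule, set]) -> List[Tuple[str, str]]:
    """(source, entrypoint) pairs where execute_no_trans was denied on a file.

    The caller tried to exec the binary without changing domain. The file is
    labelled as another domain's entry point (pppd_exec_t here), so the fix
    is a domain transition; allowing execute_no_trans would keep pppd
    running with all of NetworkManager_t's permissions.
    """
    return sorted(
        (src, tgt)
        for (src, tgt, cls), perms in rules.items()
        if cls == "file" and "execute_no_trans" in perms
    )


RULES = collect_rules(SAMPLE_AUDIT)

if __name__ == "__main__":
    for allow in format_allow(RULES):
        print(allow)
    for src, tgt in transition_candidates(RULES):
        print(f"# {src} -> {tgt}: needs a domain transition, not execute_no_trans")
```

Run against the report's records this prints four allow lines (two for var_lock_t, one each for pppd_etc_rw_t and pppd_exec_t) and one transition warning for NetworkManager_t on pppd_exec_t. On a real system the same script can be pointed at `ausearch -m avc --raw` output; the point of the extra check is that the one rule audit2allow would happily emit for the pppd line is the one a policy maintainer should refuse.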
This bug is showing up as NEEDINFO from me. The last posted fix didn't work, so I had to disable enforcing on SELinux. Now I've upgraded to F10. Someone else will have to confirm whether this is fixed or not.

This message is a reminder that Fedora 9 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 9. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 9 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Created attachment 319128 [details]
sealert output

Description of problem:
The new connection sharing feature of NetworkManager fails to work because of multiple SELinux errors (interaction with dnsmasq etc.). I've attached some log info.

Version-Release number of selected component (if applicable):
NetworkManager-0.7.0-0.11.svn4022.fc9.i386

Additional info:
selinux-policy-3.3.1-91.fc9.noarch
selinux-policy-targeted-3.3.1-91.fc9.noarch
kernel-2.6.26.3-29.fc9.i686