Bug 487782

Summary: new selinux alert for NM after update to 0.7.0.98-1 (F11/Alpha)
Product: [Fedora] Fedora
Reporter: Andrew Hecox <ahecox>
Component: NetworkManager
Assignee: Dan Williams <dcbw>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: dcbw, dwalsh
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-03-03 20:41:15 UTC

Description Andrew Hecox 2009-02-27 21:09:57 UTC
after upgrading to NetworkManager-0.7.0.98-1.git20090225.fc11.i586 I started receiving the following alerts from setroubleshootd. Functionality seems unimpaired, but setroubleshootd said to open a BZ and I do what it tells me. ppp, the package providing the actual binary in question, was not updated, hence the NM report.

The card in question is a CDMA broadband wireless card from Pantech.

** ** **

Summary:

SELinux is preventing pppd (pppd_t) "signal" initrc_t.

Detailed Description:

SELinux denied access requested by pppd. It is not expected that this access is
required by pppd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:pppd_t:s0
Target Context                system_u:system_r:initrc_t:s0
Target Objects                None [ process ]
Source                        pppd
Source Path                   /usr/sbin/pppd
Port                          <Unknown>
Host                          t61
Source RPM Packages           ppp-2.4.4-9.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.6-6.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     t61
Platform                      Linux t61 2.6.29-0.159.rc6.git3.fc11.i586 #1 SMP
                              Thu Feb 26 12:14:21 EST 2009 i686 i686
Alert Count                   2
First Seen                    Thu Feb 26 13:22:01 2009
Last Seen                     Fri Feb 27 15:56:20 2009
Local ID                      f47f0cbf-6e8e-4e54-b7f5-ce45544099b2
Line Numbers                  

Raw Audit Messages            

node=t61 type=AVC msg=audit(1235768180.881:44): avc:  denied  { signal } for  pid=3062 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process

node=t61 type=SYSCALL msg=audit(1235768180.881:44): arch=40000003 syscall=37 success=no exit=-13 a0=d3c a1=f a2=94d524 a3=16c5d58 items=0 ppid=2483 pid=3062 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:pppd_t:s0 key=(null)
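The SYSCALL record that sealert prints under the AVC already contains the answer to "which signal is pppd sending and to whom": arch=40000003 is AUDIT_ARCH_I386, syscall 37 is kill(2) on i386, a0 is the target pid and a1 the signal number, all in hex. Decoding that by hand is easy to get wrong, so the following is an added example (not part of the bug report, of NetworkManager or of ppp) that parses the two records copied from the report above. The i386 syscall table and the signal names are hardcoded for this architecture only, the errno name comes from Python's errno module, and the pairing of AVC and SYSCALL is done on the audit(timestamp:serial) stamp. It also prints the TE rule that audit2allow would produce from the AVC, which is what the FAQ link in the sealert text leads to; the rest of the thread shows why that rule would only hide the real problem (a helper running in the wrong domain), so it is shown as the thing to recognise, not as the fix.

```python
import errno
import re

# The two audit records, copied verbatim from the sealert report above.
AVC_LINE = (
    'node=t61 type=AVC msg=audit(1235768180.881:44): avc:  denied  { signal } for  '
    'pid=3062 comm="pppd" scontext=system_u:system_r:pppd_t:s0 '
    'tcontext=system_u:system_r:initrc_t:s0 tclass=process'
)
SYSCALL_LINE = (
    'node=t61 type=SYSCALL msg=audit(1235768180.881:44): arch=40000003 syscall=37 '
    'success=no exit=-13 a0=d3c a1=f a2=94d524 a3=16c5d58 items=0 ppid=2483 pid=3062 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" '
    'subj=system_u:system_r:pppd_t:s0 key=(null)'
)

AUDIT_ARCH_I386 = 0x40000003  # EM_386 | __AUDIT_ARCH_LE; the arch= field is printed in hex
# i386 syscall numbers that deliver a signal -> (name, index of the argument holding the signal)
I386_SIGNAL_SYSCALLS = {37: ("kill", 1), 238: ("tkill", 1), 270: ("tgkill", 2)}
# Signal numbers on x86 Linux; enough for what pppd and NetworkManager use
SIGNAL_NAMES = {1: "SIGHUP", 2: "SIGINT", 9: "SIGKILL", 10: "SIGUSR1", 12: "SIGUSR2", 15: "SIGTERM"}

_KV = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
_MSG = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
_PERMS = re.compile(r"\{ ([^}]*) \}")


def parse_record(line):
    """Split one audit record into a dict of key=value fields plus 'event' and 'perms'."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _MSG.search(line)
    if not m:
        raise ValueError("no msg=audit(...) stamp in record")
    fields["event"] = (m.group(1), int(m.group(2)))  # (timestamp, serial) ties AVC to SYSCALL
    p = _PERMS.search(line)
    if p:
        fields["perms"] = p.group(1).split()
    return fields


def selinux_type(context):
    """user:role:type:level -> type"""
    return context.split(":")[2]


def decode_denial(avc_line, syscall_line):
    """Combine an AVC record and its SYSCALL record into one readable denial."""
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    if avc["event"] != sc["event"]:
        raise ValueError("AVC and SYSCALL records are from different events")
    if int(sc["arch"], 16) != AUDIT_ARCH_I386:
        raise ValueError("the syscall table in this example covers i386 only")
    name, sig_slot = I386_SIGNAL_SYSCALLS[int(sc["syscall"])]
    signum = int(sc["a%d" % sig_slot], 16)  # a0..a3 are printed in hex
    return {
        "source_type": selinux_type(avc["scontext"]),
        "target_type": selinux_type(avc["tcontext"]),
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        "syscall": name,
        "sender_pid": int(sc["pid"]),
        "sender_exe": sc["exe"],
        "target_pid": int(sc["a0"], 16),
        "signal": SIGNAL_NAMES.get(signum, "signal %d" % signum),
        "errno": errno.errorcode[-int(sc["exit"])],  # exit=-13 -> EACCES
    }


def audit2allow_rule(d):
    """The TE rule audit2allow would emit for this AVC: allow <src> <tgt>:<class> <perms>;"""
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ %s }" % " ".join(d["perms"])
    return "allow %s %s:%s %s;" % (d["source_type"], d["target_type"], d["tclass"], perms)


if __name__ == "__main__":
    d = decode_denial(AVC_LINE, SYSCALL_LINE)
    print("%s (pid %d, %s) called %s(%d, %s) -> %s" % (
        d["source_type"], d["sender_pid"], d["sender_exe"], d["syscall"],
        d["target_pid"], d["signal"], d["errno"]))
    print("audit2allow would emit:", audit2allow_rule(d))
```

For the records above this decodes to pppd (pid 3062) calling kill(3388, SIGTERM) and getting EACCES, so the question in comment 1 is answerable from the report itself: a plain SIGTERM to pid 3388, a process in initrc_t. The `allow pppd_t initrc_t:process signal;` line is what a local module from the FAQ would contain; before loading such a rule, find out why the target is in initrc_t at all, because a rule that lets a network daemon signal the init-script domain is considerably wider than the one transition that was actually missing.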

Comment 1 Dan Williams 2009-02-27 23:17:11 UTC
Dan: not entirely sure what pppd's issue is; NM will signal pppd when it wants to terminate it. Is there any indication of what signal pppd is actually trying to send here?

Comment 2 Daniel Walsh 2009-02-28 12:43:04 UTC
No, the problem is something is running as initrc_t.  Did you add a new network manager script launched by dbus that is not running as NetworkManager_t but as initrc_t?

Comment 3 Dan Williams 2009-03-02 19:35:13 UTC
(In reply to comment #2)
> No the problem is something is running as initrc_t.  Did you add a new network
> manager script launched by dbus that is not running as NetworkManager_t but as
> initrc_t.

Nothing new; but for PPTP, 3G, and PPPoE, NM executes 'pppd' with a custom plugin, and pppd would then load that plugin (it's a .so though not a script) when the PPP connection comes up.  That's all the interaction NM has with pppd; pppd should only be loading the .so which then uses D-Bus to talk back to NM.  No scripts should be involved.

Comment 4 Andrew Hecox 2009-03-02 20:12:09 UTC
fwiw, the alert is generated when I (physically) remove the device.

Comment 5 Daniel Walsh 2009-03-03 03:10:18 UTC
Andrew

what does ps -eZ | grep initrc_t show?

Comment 6 Andrew Hecox 2009-03-03 03:47:54 UTC
Nothing, initially. Running in a loop and pulling out the card (when I originally noticed the sealert) provides:

$ while : ; do ps -eZ | grep initrc_t; sleep 1; done
system_u:system_r:initrc_t:s0    3271 ?        00:00:00 nm-dispatcher.a
system_u:system_r:initrc_t:s0    3271 ?        00:00:00 nm-dispatcher.a
system_u:system_r:initrc_t:s0    3271 ?        00:00:00 nm-dispatcher.a
system_u:system_r:initrc_t:s0    3271 ?        00:00:00 nm-dispatcher.a
system_u:system_r:initrc_t:s0    3271 ?        00:00:00 nm-dispatcher.a
system_u:system_r:initrc_t:s0    3271 ?        00:00:00 nm-dispatcher.a
system_u:system_r:initrc_t:s0    3271 ?        00:00:00 nm-dispatcher.a
system_u:system_r:initrc_t:s0    3271 ?        00:00:00 nm-dispatcher.a
system_u:system_r:initrc_t:s0    3271 ?        00:00:00 nm-dispatcher.a

until I re-insert the card.
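Two things in the loop output above are worth making explicit for anyone repeating this triage. First, the CMD column of `ps -eZ` is the kernel's comm field, which holds at most 15 bytes, so "nm-dispatcher.a" is the truncated name of a longer executable rather than a separate program; match it as a prefix of the basename, not as an exact string. Second, initrc_t is where init scripts and anything they start land when the policy has no transition rule for the executable, so a D-Bus-activated helper showing up there points at a missing file context or domain transition rather than at pppd. The following is an added example, not part of the bug report or of NetworkManager, that parses `ps -eZ` output into (type, pid, comm) and answers the questions asked in this thread: what is in initrc_t, and which domain a given pid is in. The sample output is constructed: the initrc_t line is the reporter's, the other rows are invented for the example, with pids chosen to agree with the ppid=2483 and pid=3062 in the audit record.

```python
# Constructed sample in `ps -eZ` format (LABEL PID TTY TIME CMD). Only the
# initrc_t row comes from the report; the other rows are made up for this example.
PS_EZ_SAMPLE = """\
LABEL                                 PID TTY          TIME CMD
system_u:system_r:init_t:s0             1 ?        00:00:01 init
system_u:system_r:system_dbusd_t:s0  1411 ?        00:00:00 dbus-daemon
system_u:system_r:NetworkManager_t:s0 2483 ?        00:00:02 NetworkManager
system_u:system_r:pppd_t:s0          3062 ?        00:00:00 pppd
system_u:system_r:initrc_t:s0        3271 ?        00:00:00 nm-dispatcher.a
"""

TASK_COMM_LEN = 16  # kernel comm buffer size; ps shows at most 15 bytes of the program name


def parse_ps_ez(text):
    """Return [(type, pid, comm)] from `ps -eZ` output, skipping the header line."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 4)  # comm may contain spaces, so split at most 4 times
        if len(parts) < 5 or parts[0] == "LABEL":
            continue
        label, pid, _tty, _time, comm = parts
        # Unlabeled entries (e.g. "-") have no user:role:type:level structure
        typ = label.split(":")[2] if label.count(":") >= 2 else label
        procs.append((typ, int(pid), comm))
    return procs


def processes_in_domain(procs, domain):
    """Equivalent of `ps -eZ | grep <domain>`, but matched on the type field only."""
    return [(pid, comm) for typ, pid, comm in procs if typ == domain]


def domain_of(procs, pid):
    """Type of the process with this pid, or None if it is not listed."""
    for typ, p, _comm in procs:
        if p == pid:
            return typ
    return None


def comm_matches(comm, path):
    """True if a (possibly truncated) comm is the basename of `path`."""
    return comm == path.rsplit("/", 1)[-1][: TASK_COMM_LEN - 1]


if __name__ == "__main__":
    procs = parse_ps_ez(PS_EZ_SAMPLE)
    for pid, comm in processes_in_domain(procs, "initrc_t"):
        print("initrc_t: pid %d comm %r" % (pid, comm))
        print("  is nm-dispatcher.action:", comm_matches(comm, "/usr/libexec/nm-dispatcher.action"))
    print("pid 3062 runs as", domain_of(procs, 3062))
```

Run the same parser over a real `ps -eZ` capture taken while the card is pulled, and the pid that turns up in initrc_t can be compared with the a0 value decoded from the SYSCALL record of the matching AVC; if they agree, the denied signal is NetworkManager's dispatcher helper being terminated, and the policy question is why that helper is not transitioning out of initrc_t.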

Comment 7 Dan Williams 2009-03-03 04:29:16 UTC
Seems normal; /usr/libexec/nm-dispatcher.action will run when devices go up or down.  But AFAIK, that shouldn't have anything to do with 'ppp' at all, unless one of the scripts that some package drops into /etc/NetworkManager/dispatcher.d pokes pppd.

Comment 8 Daniel Walsh 2009-03-03 18:10:36 UTC
Which process is kicking off the /usr/libexec/nm-dispatcher.action? udev?

Comment 9 Dan Williams 2009-03-03 18:47:35 UTC
dbus service activation kicks off nm-dispatcher.action in response to a method call from NM.

Comment 10 Daniel Walsh 2009-03-03 20:41:15 UTC
Fixed in selinux-policy-3.6.7-1.fc11