Bug 495696

Summary: SELinux is preventing nm-system-setti (system_dbusd_t) "getsched" to <Unknown> (system_dbusd_t).
Product: Red Hat Enterprise Linux 5
Reporter: jescobed
Component: NetworkManager
Assignee: Dan Williams <dcbw>
Status: CLOSED CURRENTRELEASE
QA Contact: desktop-bugs <desktop-bugs>
Severity: low
Priority: low
Version: 5.3
CC: dwalsh, mishu, philip.r.schaffner, sleepylight
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-11-12 22:22:19 UTC

Description jescobed 2009-04-14 13:05:15 UTC
Description of problem:
Summary:

SELinux is preventing nm-system-setti (system_dbusd_t) "getsched" to <Unknown>
(system_dbusd_t).

Detailed Description:

SELinux denied access requested by nm-system-setti. It is not expected that this
access is required by nm-system-setti and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:system_dbusd_t
Target Context                system_u:system_r:system_dbusd_t
Target Objects                None [ process ]
Source                        nm-system-setti
Source Path                   /usr/sbin/nm-system-settings
Port                          <Unknown>
Host                          a202678-jps
Source RPM Packages           NetworkManager-0.7.0-4.el5_3
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     a202678-jps
Platform                      Linux a202678-jps 2.6.18-128.1.6.el5xen #1 SMP Tue
                              Mar 24 12:28:27 EDT 2009 x86_64 x86_64
Alert Count                   4
First Seen                    Wed 08 Apr 2009 12:51:20 PM CDT
Last Seen                     Tue 14 Apr 2009 02:16:13 AM CDT
Local ID                      048dcf5f-3439-43c3-9b22-df9d2f3463c2
Line Numbers                  

Raw Audit Messages            

host=a202678-jps type=AVC msg=audit(1239693373.454:2958): avc:  denied  { getsched } for  pid=9074 comm="nm-system-setti" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process

host=a202678-jps type=SYSCALL msg=audit(1239693373.454:2958): arch=c000003e syscall=145 success=no exit=-13 a0=2372 a1=2b674c9046e0 a2=d a3=3cef616280 items=0 ppid=1 pid=9074 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:system_dbusd_t:s0 key=(null)






Comment 1 Maxwell Bottiger 2009-06-22 19:09:08 UTC
I am also seeing this report from SELinux. The context of mine, however, is different.


Summary:

SELinux is preventing nm-system-setti (NetworkManager_t) "read write"
system_dbusd_t.

Detailed Description:

SELinux denied access requested by nm-system-setti. It is not expected that this
access is required by nm-system-setti and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
Target Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Objects                socket [ tcp_socket ]
Source                        nm-system-setti
Source Path                   /usr/sbin/nm-system-settings
Port                          <Unknown>
Host                          blackula.jive-turkey.net
Source RPM Packages           NetworkManager-0.7.1-4.git20090414.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-45.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     blackula.jive-turkey.net
Platform                      Linux blackula.jive-turkey.net
                              2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27
                              17:27:08 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 17 Jun 2009 08:49:25 PM EDT
Last Seen                     Mon 22 Jun 2009 02:57:07 PM EDT
Local ID                      92764a79-e61c-4784-b212-86f35802bee1
Line Numbers                  

Raw Audit Messages            

node=blackula.jive-turkey.net type=AVC msg=audit(1245697027.192:31279): avc:  denied  { read write } for  pid=2610 comm="nm-system-setti" path="socket:[8532]" dev=sockfs ino=8532 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket

node=blackula.jive-turkey.net type=SYSCALL msg=audit(1245697027.192:31279): arch=c000003e syscall=59 success=yes exit=0 a0=6479e0 a1=647930 a2=647010 a3=65732d6d65747379 items=0 ppid=2609 pid=2610 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)

Comment 2 Dan Williams 2009-11-12 21:29:34 UTC
What selinux-policy and selinux-policy-targeted packages do you have installed?

Comment 3 Daniel Walsh 2009-11-12 22:22:19 UTC
Maxwell, you are reporting an F11 problem on a RHEL5 bug.

jescobed, please update to the 5.4 policy.

Both of you are out of date with the current patch set.

Maxwell, run yum update.

jescobed, you need to get to 5.4.
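
The raw audit messages from the Description and Comment 1, correlated by audit serial number, as an added example that is not part of the bug report or of any project's code. It pairs each AVC record with its SYSCALL record and renders the denial in the `allow` rule form that `audit2allow` proposes, for review rather than installation. The records are abridged copies of the ones quoted above, and `correlate` and `allow_rule` are names chosen here.

```python
import re
from collections import defaultdict

# Abridged copies of the four audit records quoted in this bug (Description and Comment 1).
RECORDS = [
    'type=AVC msg=audit(1239693373.454:2958): avc:  denied  { getsched } for  pid=9074 comm="nm-system-setti" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1239693373.454:2958): arch=c000003e syscall=145 success=no exit=-13 pid=9074 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings"',
    'type=AVC msg=audit(1245697027.192:31279): avc:  denied  { read write } for  pid=2610 comm="nm-system-setti" path="socket:[8532]" scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1245697027.192:31279): arch=c000003e syscall=59 success=yes exit=0 pid=2610 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings"',
]

# x86_64 syscall numbers that appear in these records (arch=c000003e).
SYSCALLS = {"59": "execve", "145": "sched_getscheduler"}

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
PERMS = re.compile(r'\{ ([^}]*) \}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def correlate(lines):
    """Group records by audit serial and merge the AVC and SYSCALL halves."""
    events = defaultdict(dict)
    for line in lines:
        m = HEADER.search(line)
        if not m:
            continue
        rtype, _ts, serial = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        ev = events[serial]
        if rtype == "AVC":
            ev["perms"] = PERMS.search(line).group(1).split()
            ev["source_type"] = fields["scontext"].split(":")[2]
            ev["target_type"] = fields["tcontext"].split(":")[2]
            ev["tclass"] = fields["tclass"]
        elif rtype == "SYSCALL":
            ev["syscall"] = SYSCALLS.get(fields["syscall"], fields["syscall"])
            ev["blocked"] = fields["success"] == "no"
            ev["exe"] = fields["exe"]
    return dict(events)

def allow_rule(ev):
    """Render the denial in the rule form audit2allow proposes, for review only."""
    perms = ev["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    target = "self" if ev["source_type"] == ev["target_type"] else ev["target_type"]
    return f"allow {ev['source_type']} {target}:{ev['tclass']} {p};"
```

For serial 2958 the merged event shows `sched_getscheduler` failing with exit=-13, while for serial 31279 the `execve` succeeded even though the socket access was denied.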