Bug 557529

Summary: SELinux is preventing /usr/sbin/NetworkManager "create" access on NetworkManager.state.28GQ6U.
Product: Fedora
Reporter: ablenetech
Component: NetworkManager
Assignee: Dan Williams <dcbw>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: acal, akarimk, aurel.opiatra, b2062407, bcolombel, Belenos06, bjumbles, bugzilla, casey72, christine.henry92, collusergio, concentric.eccentric, c_o_z_m_o, ctyler.fedora, dannyel.olivares, dcbw, dilamar.martinez, dlstripes-fedorabugs, dmatejic, doc_michalow, don.novak, dwalsh, einar.uvslokk, ericm24x7, fcelentano, gregor0213, harn, i.grok, ingimar, iptin, jarin.franek, jeff.raber, jesus.ramirez.j, jhunos, jlbouras, johagezue, john.brown009, johnsmithdoe14, karl19+fedora, lsof, lukaszlucka, maglekaer, marte17, mclairmont, metallica1207, mgrepl, mvandegiessen, omkhar, osos87, patchesthecaveman, paul, pomec, py, reykvid, rlocke, roberto.verduzco, scampa.giovanni, slevin.van, soad.diego, taguchi, tizia.marconi, tomdickie0, vbenes, xainan66, x-rated_angel, Yale.Cochran, zilrro
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:e0740d8029ceb17556eb0f16033bdae722ff1b41f8b560e11c23e4ed07a201ea
Fixed In Version: 2.2.63-2.fc12
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2010-02-13 00:37:32 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments:
- yum update log from fresh install to today's updates @ ~ 1pm UK time (flags: none)

Description ablenetech 2010-01-21 18:14:10 UTC
Summary:

SELinux is preventing /usr/sbin/NetworkManager "create" access on
NetworkManager.state.28GQ6U.

Detailed Description:

SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                NetworkManager.state.28GQ6U [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           NetworkManager-0.7.997-2.git20091214.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-69.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux Taraknor 2.6.31.9-174.fc12.x86_64 #1 SMP Mon
                              Dec 21 05:33:33 UTC 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 20 Jan 2010 08:35:48 PM EST
Last Seen                     Wed 20 Jan 2010 08:35:48 PM EST
Local ID                      7d3f968e-3465-4463-bc13-505fbb81ca6a
Line Numbers                  

Raw Audit Messages            

node=Taraknor type=AVC msg=audit(1264037748.251:6): avc:  denied  { create } for  pid=1106 comm="NetworkManager" name="NetworkManager.state.28GQ6U" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

node=Taraknor type=SYSCALL msg=audit(1264037748.251:6): arch=c000003e syscall=2 success=no exit=-13 a0=133b020 a1=c2 a2=1b6 a3=4d6b726f7774654e items=0 ppid=1105 pid=1106 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Hash String generated from  selinux-policy-3.6.32-69.fc12,catchall,NetworkManager,NetworkManager_t,var_lib_t,file,create
audit2allow suggests:

#============= NetworkManager_t ==============
allow NetworkManager_t var_lib_t:file create;

Comment 1 ablenetech 2010-01-21 18:21:25 UTC
Fresh fc12 install; rtl8187 wireless was working fine for 2 days. I began adding software (added vlc media player; I doubt that is the problem), rebooted, and now wireless will no longer locate cloud networks.

Comment 2 Daniel Walsh 2010-01-21 18:35:46 UTC
restorecon -R -v /var/lib

Will fix.  But I would like to know what removed the /var/lib/NetworkManager directory.

Comment 3 phil 2010-01-21 22:31:23 UTC
Fresh F12 install; the message didn't appear on the first 2 boots. I then updated using yum, and then this error message started appearing on boot as soon as NetworkManager is started, and sealert then appears when you get to the desktop.
If I can help with debugging, let me know.

phil

Comment 4 Daniel Walsh 2010-01-21 22:35:09 UTC
I guess I want to see it happen again.  IE the directory get mislabeled again.

The version of policy you installed runs restorecon -R -v /var/lib in its post. So it should have cleaned up any mislabeled dir. If NetworkManager was installed afterward with a new use of /var/lib/NetworkManager, it should have gotten labeled correctly when the dir got created.

Comment 5 phil 2010-01-21 22:37:41 UTC
if it's any help these were installed in the update

Jan 21 13:05:30 Updated: 1:NetworkManager-0.7.997-2.git20091214.fc12.x86_64
Jan 21 13:05:53 Updated: 1:NetworkManager-gnome-0.7.997-2.git20091214.fc12.x86_64
Jan 21 12:53:38 Updated: 1:NetworkManager-glib-0.7.997-2.git20091214.fc12.x86_64

phil

Comment 6 phil 2010-01-21 22:46:54 UTC
Created attachment 386045 [details]
yum update log from fresh install to todays updates @ ~ 1pm UK time

yum log to see order packages were installed

Comment 7 Daniel Walsh 2010-01-22 13:39:26 UTC
Thanks but I don't see how this can happen, unless there is a rogue script that is 

rm -rf /var/lib/NetworkManager
mkdir /var/lib/NetworkManager

Comment 8 joshua 2010-01-22 16:43:10 UTC
This is from a newly installed system, literally up for about 5 minutes, shortly after the first time I log into GNOME.

Is there other info from the machine that I could send that would help?

Joshua

Comment 9 Daniel Walsh 2010-01-22 16:58:13 UTC
I guess if it happens again, we will know there is a process that is removing and recreating the directory.

I ran two tests.

# chcon -t var_lib_t /var/lib/NetworkManager
# yum -y reinstall selinux-policy-targeted
# ls -lZd /var/lib/NetworkManager/
drwxr-xr-x. root root system_u:object_r:NetworkManager_var_lib_t:s0 /var/lib/NetworkManager/

# rm -rf /var/lib/NetworkManager
# yum -y reinstall NetworkManager 
# ls -lZd /var/lib/NetworkManager/
drwxr-xr-x. root root system_u:object_r:NetworkManager_var_lib_t:s0 /var/lib/NetworkManager/

I am at a loss.

Comment 10 Miroslav Grepl 2010-01-25 14:47:05 UTC
*** Bug 557778 has been marked as a duplicate of this bug. ***

Comment 11 Belenos06 2010-01-25 19:41:40 UTC
I have just powered on my computer, and SELinux was configured in "strict" mode. I got lots of messages from SELinux before changing the mode to permissive to keep it quiet.

Comment 12 Daniel Walsh 2010-01-25 19:59:19 UTC
Belenos06, Could you make sure your machine is labeled correctly 

touch /.autorelabel; reboot

Comment 13 Josh Stone 2010-01-26 18:43:29 UTC
*** Bug 558609 has been marked as a duplicate of this bug. ***

Comment 14 Need Real Name 2010-01-26 18:52:48 UTC
Also on a fresh F12 install here. yum.log says:

# grep NetworkManager-0 /var/log/yum.log |grep Updated
Jan 24 15:50:26 Updated: 1:NetworkManager-0.7.997-2.git20091214.fc12.x86_64
# grep selinux /var/log/yum.log |grep Updated
Jan 24 15:13:29 Updated: selinux-policy-3.6.32-69.fc12.noarch
Jan 24 15:28:37 Updated: selinux-policy-targeted-3.6.32-69.fc12.noarch

Comment 15 Need Real Name 2010-01-26 18:53:08 UTC
Problem is triggered for me on a resume.

Comment 16 zilrro 2010-01-27 16:38:13 UTC
I have this problem both in Fedora 32 bits and 64 bits.

Model: Toshiba Satellite T110
Videocard: Mobile Intel® GMA 4500
Network: Atheros AR8132 PCI-E Fast Ethernet Controller (NDIS 6.20)
Wifi: Realtek RTL8191SE Wireless LAN 802.11n PCI-E NIC (Hardware ID: pci\ven_10ec&dev_8172)
Bluetooth: (Not Working) Bluetooth ACPI -> Toshiba
Webcam: Chicony
Brightness controls not working
Display: 1366x768

Comment 17 Daniel Walsh 2010-01-27 16:47:28 UTC
If you run restorecon -R -v /var/lib

Does the problem come back?

Comment 18 Need Real Name 2010-01-27 17:28:46 UTC
No, that works around it okay, but it doesn't fix the bug :(

Comment 19 Daniel Walsh 2010-01-27 17:55:49 UTC
Let me restate the bug as I understand it.

For some reason on an initial install of F12 and running updates, /var/lib/NetworkManager ends up labeled var_lib_t instead of NetworkManager_var_lib_t.

Running restorecon fixes the problem.

The question I have and have had is,  Has anyone seen the problem come back after the labeling was fixed?
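
Triage logic for a denial of exactly this shape, as an added example that is not part of the bug report, of NetworkManager or of setroubleshoot. It parses the AVC and SYSCALL records quoted in the description and in comment 32 (the sample strings below are constructed from them), decodes the open(2) flags and errno, and compares the type in `tcontext` with the type the file-context database expects for the directory; the `EXPECTED_TYPE` table is filled in from the matchpathcon output in comment 52, where a real tool would call matchpathcon(1). The `OPEN_SYSCALLS` table covers only the two arch/syscall pairs on this page, and all function and table names are this example's own. When the two types differ, the fix is the relabel Daniel Walsh asks for, not the `allow NetworkManager_t var_lib_t:file create;` rule audit2allow prints, which would grant the domain create on every file labeled var_lib_t instead of restoring the intended label.

```python
"""Triage one SELinux AVC denial: mislabeled target (fix with restorecon)
or a domain that genuinely lacks the permission (a policy gap)?

Added example; sample records are constructed from the messages in the bug."""
import errno
import re

# Constructed sample records (x86_64 and i386 shapes seen in the report).
AVC_X86_64 = (
    'node=Taraknor type=AVC msg=audit(1264037748.251:6): avc:  denied  { create } '
    'for  pid=1106 comm="NetworkManager" name="NetworkManager.state.28GQ6U" '
    'scontext=system_u:system_r:NetworkManager_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file'
)
SYSCALL_X86_64 = (
    'node=Taraknor type=SYSCALL msg=audit(1264037748.251:6): arch=c000003e syscall=2 '
    'success=no exit=-13 a0=133b020 a1=c2 a2=1b6 a3=4d6b726f7774654e items=0 '
    'ppid=1105 pid=1106 auid=4294967295 uid=0 comm="NetworkManager" '
    'exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)'
)
SYSCALL_I386 = (
    'node=black10 type=SYSCALL msg=audit(1265425490.902:6): arch=40000003 syscall=5 '
    'success=no exit=-13 a0=a0a3438 a1=80c2 a2=1b6 a3=20 items=0 ppid=1175 pid=1176 '
    'comm="NetworkManager" exe="/usr/sbin/NetworkManager" key=(null)'
)

# Expected type per directory, taken from the matchpathcon output in comment 52.
# Assumption for this example: a real tool would shell out to matchpathcon(1).
EXPECTED_TYPE = {"/var/lib/NetworkManager": "NetworkManager_var_lib_t"}

# open(2) numbers for the two arch values on the page only (not a full table).
OPEN_SYSCALLS = {("c000003e", "2"): "open", ("40000003", "5"): "open"}

# open(2) flag bits of the x86 kernel ABI (octal values from asm-generic/fcntl.h).
ACCESS_MODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
FLAG_BITS = [(0o100, "O_CREAT"), (0o200, "O_EXCL"), (0o1000, "O_TRUNC"),
             (0o2000, "O_APPEND"), (0o100000, "O_LARGEFILE")]

# key=value, where a value may be "quoted", (parenthesised) or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_audit_record(line):
    """Split an audit record into its key=value fields; the AVC permission set
    inside '{ ... }' is returned under the key 'permissions'."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    perms = re.search(r'\{ ([^}]*) \}', line)
    if perms:
        fields["permissions"] = perms.group(1).split()
    return fields


def context_type(context):
    """user:role:type[:level] -> the type component."""
    return context.split(":")[2]


def decode_open_flags(hex_flags):
    """Turn the raw a1 argument of open(2) into flag names."""
    flags = int(hex_flags, 16)
    names = [ACCESS_MODE[flags & 0o3]]
    names += [name for bit, name in FLAG_BITS if flags & bit]
    return names


def triage(avc_line, syscall_line, target_dir):
    """Combine the AVC and SYSCALL records and decide what the fix is."""
    avc = parse_audit_record(avc_line)
    sc = parse_audit_record(syscall_line)
    actual = context_type(avc["tcontext"])
    expected = EXPECTED_TYPE.get(target_dir)
    info = {
        "domain": context_type(avc["scontext"]),
        "permissions": avc["permissions"],
        "tclass": avc["tclass"],
        "target_type": actual,
        "expected_type": expected,
        "errno": errno.errorcode.get(-int(sc["exit"])),   # -13 -> EACCES
        "syscall": OPEN_SYSCALLS.get((sc["arch"], sc["syscall"]), "unknown"),
    }
    if info["syscall"] == "open":
        # O_CREAT|O_EXCL on a random suffix is a mkstemp-style temp file.
        info["open_flags"] = decode_open_flags(sc["a1"])
    if expected is None:
        info["verdict"] = "unknown"          # no reference label to compare with
    elif actual != expected:
        info["verdict"] = "mislabeled"       # relabel, do not add an allow rule
        info["fix"] = f"restorecon -R -v {target_dir}"
    else:
        info["verdict"] = "policy_gap"       # label is right, the policy is short
        info["fix"] = "label is correct; report the denial against the policy"
    return info


if __name__ == "__main__":
    for key, value in triage(AVC_X86_64, SYSCALL_X86_64, "/var/lib/NetworkManager").items():
        print(f"{key:14} {value}")
```

Run stand-alone it prints the x86_64 case as "mislabeled" with the restorecon command as the fix; swapping the sample's tcontext type for `NetworkManager_var_lib_t` turns the verdict into "policy_gap", which is the only case where a local policy module is the right answer.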

Comment 20 c_o_z_m_o 2010-01-29 16:53:21 UTC
Also have this bug.

I used # restorecon -R -v /var/lib

but later on, at a restart, ndiswrapper wlan and the complete network (wired) failed to start.

After several renames and reboots I got it working again. But I still have this bug with network manager.

As I'm pretty new, what exactly is restorecon doing?

Comment 21 phil 2010-01-29 19:54:22 UTC
Well, I installed F12 on a new lappy and the bug appeared as expected, but running restorecon has fixed it, also as expected. I've yet to see it reappear on the first machine I reported on or on this machine; I think it's a one-time-only problem, Daniel.

Comment 22 phil 2010-01-29 19:55:24 UTC
(In reply to comment #20)
> As I'm pretty new what exactly is restorecon doing?

http://linux.die.net/man/8/restorecon

Comment 23 David 2010-01-30 12:52:08 UTC
I am experiencing the same issue here. It started after an update yesterday 29th January. This has only appeared after a shutdown and startup.

I have a total of 5 messages in the SeLinux reporter and they all seem to be related.

Comment 24 Fabrizio Celentano 2010-01-30 16:47:03 UTC
Selinux detected the same "suspicious behaviour" 10 times between Jan. 26 (the day that my Fedora 12 installation was completed with TeXmaker, Thunderbird, Tellico and GRAMPS) and Jan 20. Today I have found the 10 alerts when turning the computer on.
I'll try the suggestion by Daniel Walsh as soon as the misbehaviour reappears, and will let you know.

Comment 25 Fabrizio Celentano 2010-01-31 02:45:09 UTC
In comment 24 I meant Jan. 29, not Jan. 20.
Anyhow, I made three boots today, and nothing happened. So I did not run restorecon, only checked the NetworkManager labeling:

[fcc@euclide ~]$ ls -Z /var/lib/NetworkManager
-rw-r--r--. root root system_u:object_r:NetworkManager_var_lib_t:s0 NetworkManager.state

Whenever anything was wrong (but I do not know whether this was the case) the system healed itself spontaneously. Strange behaviour indeed.

Comment 26 Miroslav Grepl 2010-02-01 11:24:59 UTC
*** Bug 560283 has been marked as a duplicate of this bug. ***

Comment 27 b2062407 2010-02-06 07:39:44 UTC
Same SELinux policy problem. On Fedora 12 x64 with latest updates.

Comment 28 filadel 2010-02-07 08:27:08 UTC
Fedora 12 x64 latest updates.

# ls -Z /var/lib/NetworkManager
-rw-r--r--. root root system_u:object_r:NetworkManager_var_lib_t:s0 NetworkManager.state

# restorecon -R -v /var/lib didn't help.

Comment 29 Daniel Walsh 2010-02-08 19:54:21 UTC
filadel, what avc are you seeing then?

Comment 30 TK009 2010-02-08 20:15:10 UTC
I am seeing this on F12 32bit machine.

restorecon -R -v /var/lib doesn't work for me either.

Every login I see a pop up:

SELinux is preventing /usr/sbin/NetworkManager "create" access on NetworkManager.state.xxxxxx

In the troubleshooting browser there is nothing, because I made the mistake of checking the "stop bothering me" box and now just get "No alerts to view". From the docs I read I should be able to un-check that box and receive the errors again; however, that doesn't appear to be the case. I am not sure if that is another bug or working as intended.

Comment 31 Daniel Walsh 2010-02-08 21:13:18 UTC
Could you login as root and get the output of

ausearch -m avc -ts recent

You can also remove the ~/.setroubleshoot from your home dir to remove the dontbother me stuff.

Comment 32 TK009 2010-02-08 21:34:43 UTC
Running the command as root returns <no matches>.

I removed the .setroubleshoot and rebooted and got this:

Summary:

SELinux is preventing /usr/sbin/NetworkManager "create" access on
NetworkManager.state.HF876U.

Detailed Description:

SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                NetworkManager.state.HF876U [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          black10
Source RPM Packages           NetworkManager-0.7.997-2.git20091214.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-69.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     black10
Platform                      Linux black10 2.6.31.12-174.2.3.fc12.i686.PAE #1
                              SMP Mon Jan 18 20:06:44 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Fri 05 Feb 2010 10:04:50 PM EST
Last Seen                     Fri 05 Feb 2010 10:04:50 PM EST
Local ID                      13eaf0ee-401c-4540-91d8-d5fed1c9b624
Line Numbers                  

Raw Audit Messages            

node=black10 type=AVC msg=audit(1265425490.902:6): avc:  denied  { create } for  pid=1176 comm="NetworkManager" name="NetworkManager.state.HF876U" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

node=black10 type=SYSCALL msg=audit(1265425490.902:6): arch=40000003 syscall=5 success=no exit=-13 a0=a0a3438 a1=80c2 a2=1b6 a3=20 items=0 ppid=1175 pid=1176 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Comment 33 Daniel Walsh 2010-02-08 21:47:20 UTC
What does
# restorecon -R -v /var/lib
output?

What does

ls -lZd /var/lib/NetworkManager

output?

This avc says it was last seen on 2/5. Did you run restorecon before this, or after this?

Comment 34 Jeff Raber 2010-02-09 06:50:38 UTC
*** Bug 563084 has been marked as a duplicate of this bug. ***

Comment 35 Daniel Walsh 2010-02-09 20:18:35 UTC
Fixed in setroubleshoot-2.2.63-1.fc12       
yum update setroubleshoot\* --enablerepo=updates-testing

Comment 36 Jeff Raber 2010-02-09 23:53:23 UTC
NetworkManager-1:0.7.997-2.git20091214 contains a new /var/lib/NetworkManager but does not set the SELinux context to NetworkManager_var_lib_t (it ends up as var_lib_t instead)

This can be fixed with restorecon

See: http://koji.fedoraproject.org/koji/rpminfo?fileStart=150&rpmID=1726300&fileOrder=name&buildrootOrder=-id&buildrootStart=0#filelist

The second to last file is the new /var/lib/NetworkManager

Comment 37 TK009 2010-02-10 08:13:45 UTC
restorecon does not fix the problem (not for me anyway).

> What does
> # restorecon -R -v /var/lib
> output

Nothing except the command prompt after about 3 seconds.

updated to setroubleshoot-2.2.63-1.fc12 and the error is gone.

I didn't mess with networkmanager.

Comment 38 Jeff Raber 2010-02-10 09:28:46 UTC
Installing selinux-policy-targeted-3.6.32-78 resolves the problem with the SELinux context of /var/lib/NetworkManager and should resolve this bug.

Anyone still seeing this problem after installing the latest selinux-policy should look carefully to be sure they are not seeing OLD avc messages.

Also, this bug is a dup of Bug 560317 (actually, it is a dup of this bug, but it already has a solution applied)

Comment 39 Phil V 2010-02-11 01:12:30 UTC
Yes, Jeff, but how do we get the sealert pop-up box from showing up on every bootup alerting us to the OLD messages?

Deleting the messages did not stop the warning on my system.
It only means that when you click "Show", you get an empty list.

Comment 40 Jeff Raber 2010-02-11 01:55:11 UTC
Phil V: setroubleshoot-2.2.63-1.fc12 fixes that issue.

yum update setroubleshoot\* --enablerepo=updates-testing or wait for it to be pushed to stable.

If you do install the test update, add a comment on bodhi to let us know if it resolved the issue for you.  This can speed up the push to stable.

https://admin.fedoraproject.org/updates/F12/FEDORA-2010-1591?_csrf_token=8f74964da5b17d39751f0cce78ffd6e4d591246d

Setting status to ON_QA as we wait for the latest setroubleshoot package to hit stable.

Comment 41 Fedora Update System 2010-02-11 14:34:03 UTC
setroubleshoot-2.2.63-2.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update setroubleshoot'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1591

Comment 42 Phil V 2010-02-11 19:08:43 UTC
I followed Comment 40 but at least on immediate reboot the problem persists.
Maybe deleting the alerts with the buggy gui put the system in a strange state? 
(The first time I attempted to delete them I backtracked through the list and found every other alert had the delete checkbox cleared... suggesting something peculiar going on.) Is there a file I could just rename or move that would clear this?

My Installed Packages:
Name       : setroubleshoot
Arch       : x86_64
Version    : 2.2.63
Release    : 1.fc12
Size       : 235 k
Repo       : installed

Name       : setroubleshoot-plugins
Arch       : noarch
Version    : 2.1.40
Release    : 1.fc12
Size       : 3.9 M
Repo       : installed

Name       : setroubleshoot-server
Arch       : x86_64
Version    : 2.2.63
Release    : 1.fc12
Size       : 1.1 M
Repo       : installed

Comment 43 Daniel Walsh 2010-02-11 19:24:18 UTC
rm -f ~/.setroubleshootrc

Comment 44 Phil V 2010-02-12 20:14:20 UTC
Hurrah! Problem is completely solved on my systems.
Thank you for the help!

rm -f ~/.setroubleshootrc
removed the senseless warnings recorded in Comment 39.

(for the record that file was something like an empty line followed by a option=value pair with empty value)

Comment 45 Fedora Update System 2010-02-13 00:37:07 UTC
setroubleshoot-2.2.63-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 46 Greg Ennis 2010-03-08 05:04:03 UTC
I had no problems with NetworkManager, but after installing the rpms today, I received 46 duplicate errors of this bug.  I have a fresh F12 install and use a wireless connection.

Greg Ennis

Here is what I installed this afternoon :

Mar 07 15:44:12 Installed: live555-0-0.24.2009.07.28.fc12.i686
Mar 07 15:44:15 Installed: libdca-0.0.5-5.fc12.i686
Mar 07 15:44:17 Installed: fribidi-0.19.2-2.fc12.i686
Mar 07 15:44:18 Installed: enca-1.10-1.fc12.i686
Mar 07 15:44:20 Installed: libdvdnav-4.1.4-0.1.svn1184.fc12.i686
Mar 07 15:44:22 Installed: libcaca-0.99-0.9.beta16.fc12.i686
Mar 07 15:44:26 Installed: mplayer-1.0-0.111.20091029svn.fc12.i686
Mar 07 15:44:28 Installed: mencoder-1.0-0.111.20091029svn.fc12.i686
Mar 07 15:44:32 Installed: gnome-mplayer-common-0.9.8-1.fc12.i686
Mar 07 15:44:41 Installed: gnome-mplayer-0.9.8-1.fc12.i686
Mar 07 15:44:45 Installed: gecko-mediaplayer-0.9.8-2.fc12.i686

Comment 47 Daniel Walsh 2010-03-08 20:33:01 UTC
Greg how is /var/lib/NetworkManager labeled?

ls -ldZ /var/lib/NetworkManager

Comment 48 Toshi 2010-03-19 19:27:40 UTC
I did the restorecon command and it went to the next prompt. I then used the command to find out how it was labeled and this is what I discovered.  I am assuming this is the right forum.  I am very new to Linux.

[root@fedora Reykvid]# restorecon -R -v var/lib
[root@fedora Reykvid]# ls -ldZ /var/lib/NetworkManager
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0   /var/lib/NetworkManager

Comment 49 Daniel Walsh 2010-03-22 15:28:18 UTC
Nope that is wrong.

Are you sure you have the correct policy installed.

yum reinstall selinux-policy-targeted
rpm -q selinux-policy-targeted

Comment 50 Toshi 2010-03-23 04:50:06 UTC
I did the yum reinstall selinux-policy-targeted.  This is the result I got.

Installed:
  selinux-policy-targeted.noarch 0:3.6.32-103.fc12                              

Complete!
[root@fedora Reykvid]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.6.32-103.fc12.noarch
Is this correct?

Comment 51 Daniel Walsh 2010-03-23 11:41:20 UTC
matchpathcon /var/lib/NetworkManager

restorecon -R -v /var/lib/NetworkManager

Comment 52 Toshi 2010-03-23 14:15:02 UTC
I did the matchpathcon and restorecon steps. These are the results on my screen.

[root@fedora Reykvid]# matchpathcon /var/lib/NetworkManager
/var/lib/NetworkManager	system_u:object_r:NetworkManager_var_lib_t:s0
[root@fedora Reykvid]# restorecon -R -v /var/lib/NetworkManager
[root@fedora Reykvid]# 
I will await further instructions.

Comment 53 Daniel Walsh 2010-03-23 14:20:47 UTC
That is the correct label.   You should not see the AVC anymore.

Comment 54 Toshi 2010-03-23 14:34:01 UTC
Thank you so much for your help.  I really appreciate you walking me through this process.