Bug 560317

Summary: SELinux is preventing /usr/sbin/NetworkManager "create" access on NetworkManager.state.5ACA7U.
Product: Fedora
Reporter: Martin Plsek <plsek_martin>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
Keywords: Reopened
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:06091c67a15ce40176ebf372bd906f05f4273c37b9b71279a1fceb3fdf6d95f7
Fixed In Version: 2.2.63-2.fc12
Doc Type: Bug Fix
Last Closed: 2010-02-11 14:44:27 UTC

Description Martin Plsek 2010-01-30 23:44:48 UTC
Summary:

SELinux is preventing /usr/sbin/NetworkManager "create" access on
NetworkManager.state.5ACA7U.

Detailed Description:

SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                NetworkManager.state.5ACA7U [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           NetworkManager-0.7.998-2.git20100106.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-78.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.12-174.2.3.fc12.x86_64 #1
                              SMP Mon Jan 18 19:52:07 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 30 Jan 2010 08:20:56 PM CET
Last Seen                     Sat 30 Jan 2010 08:20:56 PM CET
Local ID                      3ba2f50a-2189-4260-ae11-c9865f590f06
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1264879256.400:5): avc:  denied  { create } for  pid=1081 comm="NetworkManager" name="NetworkManager.state.5ACA7U" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1264879256.400:5): arch=c000003e syscall=2 success=no exit=-13 a0=1238170 a1=c2 a2=1b6 a3=4d6b726f7774654e items=0 ppid=1080 pid=1081 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-78.fc12,catchall,NetworkManager,NetworkManager_t,var_lib_t,file,create
audit2allow suggests:

#============= NetworkManager_t ==============
allow NetworkManager_t var_lib_t:file create;
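
The AVC record above is the input setroubleshoot and audit2allow work from. As an added example (not code from this report, from setroubleshoot or from audit2allow), the following Python pulls the source type, target type, object class and permission out of the two AVC lines quoted in this bug, builds the rule audit2allow would suggest, and flags that a denial whose target carries a generic type such as var_lib_t points to a mislabeled file to fix with restorecon, not to a missing rule. The set of generic types is an assumption for the example.

```python
import re

# The two AVC denials quoted in this bug report (hostnames already redacted there).
AVC_LINES = [
    'node=(removed) type=AVC msg=audit(1264879256.400:5): avc:  denied  { create } for  pid=1081 '
    'comm="NetworkManager" name="NetworkManager.state.5ACA7U" '
    'scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file',
    'node=localhost.localdomain type=AVC msg=audit(1265270226.56:6): avc:  denied  { create } for  pid=970 '
    'comm="NetworkManager" name="NetworkManager.state.TDML7U" '
    'scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file',
]

# Generic directory types of the targeted policy (assumed list, not from the report).  A denial
# against one of these usually means the object lost its application-specific label, so the
# remediation is a relabel (restorecon), not the allow rule audit2allow prints.
GENERIC_TARGET_TYPES = {"var_lib_t", "var_t", "etc_t", "usr_t", "tmp_t", "var_log_t"}

AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC audit record into its verdict, permissions and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None  # SYSCALL records and other non-AVC lines are skipped
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "stype": fields["scontext"].split(":")[2],  # type field of user:role:type:level
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def allow_rule(rec):
    """The rule audit2allow would suggest for a parsed denial (braces only for several perms)."""
    perms = " ".join(sorted(rec["perms"]))
    if len(rec["perms"]) > 1:
        perms = "{ %s }" % perms
    return "allow %s %s:%s %s;" % (rec["stype"], rec["ttype"], rec["tclass"], perms)

def triage(rec):
    """'relabel' when the target type is generic (this bug), 'policy' when a rule is missing."""
    return "relabel" if rec["ttype"] in GENERIC_TARGET_TYPES else "policy"

def summarize(lines):
    """Map each distinct suggested rule to its triage verdict, ignoring non-AVC and granted records."""
    result = {}
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            result.setdefault(allow_rule(rec), triage(rec))
    return result

if __name__ == "__main__":
    for rule, verdict in summarize(AVC_LINES).items():
        print("%-55s -> %s" % (rule, verdict))
```

Both denials in this bug collapse to the single rule shown above, and the var_lib_t target marks them as a relabel case, which is the restorecon fix the maintainer gives below.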

Comment 1 Daniel Walsh 2010-02-01 18:38:11 UTC
restorecon -R -v /var/lib

Will fix.

Are you using ndiswrapper?

Comment 2 Martin Plsek 2010-02-01 21:36:02 UTC
Hi,

/var/lib relabeled -> I'll verify after the next reboot.
I am not sure about ndiswrapper, just a freshly installed F12.

Generally, no installation of ndiswrapper was done by me; also, on this desktop computer I am not using a wireless connection.

Comment 3 Matthew Garrett 2010-02-04 18:25:41 UTC
I'm seeing this after a clean install of F12 with updates enabled during the install. I'm pretty sure that this is a bug, though it may not be in selinux-policy.

Comment 4 Daniel Walsh 2010-02-04 19:51:11 UTC
Yes, we know the directory is getting mislabeled.  The problem is figuring on initial install. But the updated selinux-policy package is supposed to fix the label by running restorecon -R -v /var/lib in the post install.

The question remains: does anyone see this come back, or does it only happen on fresh installs?

Comment 5 Matthew Garrett 2010-02-04 20:04:06 UTC
It happens on a fresh install if I have the updates repository selected, so 3.6.32-78 was the first version installed and there's nothing newer in the repositories.

Comment 6 Daniel Walsh 2010-02-04 21:39:54 UTC
Thanks, that gave me a clue of what's broken.

We were only fixing the label on an update of selinux-policy, not on the initial install.  I think with the way you were installing it, the label was wrong in anaconda when NetworkManager got installed; then selinux-policy gets installed, sees itself as the first install and does not do the restorecon of /var/lib, leaving you in the bad state.

This should be fixed in selinux-policy-3.6.32-84.

Comment 7 Fedora Update System 2010-02-05 01:46:55 UTC
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1492

Comment 8 Martin Plsek 2010-02-07 13:17:38 UTC
Hi all,

just to update: the restorecon -Rv /var/lib didn't help at the execution time.

Currently the exact same problem doesn't appear, but some SELinux warnings after reboot are still displayed (when I want to check it, nothing appears in the SELinux window).

Unfortunately, at the moment my installation has become very unstable, requiring a reboot every few hours, so I am not able to check more (at the moment I can't even open a terminal or switch to another tty).

Comment 9 Daniel Walsh 2010-02-08 20:01:34 UTC
As root you can execute

ausearch -m avc -ts recent 

This should show you all the recent avc messages.

Comment 10 upgradeservices 2010-02-09 09:54:43 UTC
The error occurs after restorecon -R -v /var/lib. Below are the details. This happens on a freshly installed (from custom spin) & updated machine.

Summary:

SELinux is preventing /usr/sbin/NetworkManager "create" access on
NetworkManager.state.TDML7U.

Detailed Description:

SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                NetworkManager.state.TDML7U [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           NetworkManager-0.7.997-2.git20091214.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-78.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux localhost.localdomain
                              2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18
                              19:52:07 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 04 Feb 2010 08:57:06 AM CET
Last Seen                     Thu 04 Feb 2010 08:57:06 AM CET
Local ID                      e3a1beb5-0138-453e-abe8-2f0481c04098
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1265270226.56:6): avc:  denied  { create } for  pid=970 comm="NetworkManager" name="NetworkManager.state.TDML7U" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1265270226.56:6): arch=c000003e syscall=2 success=no exit=-13 a0=1438020 a1=c2 a2=1b6 a3=4d6b726f7774654e items=0 ppid=969 pid=970 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Comment 11 Daniel Walsh 2010-02-09 13:56:08 UTC
Are you sure?

Last Seen                     Thu 04 Feb 2010 08:57:06 AM CET

This has not happened since last Thursday?

setroubleshoot has a bug that complains about old alerts when you login.

Fixed in setroubleshoot-2.2.63-1.fc12
yum update setroubleshoot\* --enablerepo=updates-testing

Comment 12 Dan Farmer 2010-02-09 16:25:27 UTC
I can confirm that the setroubleshoot-2.2.63-1.fc12 update resolved the issue for me.

Comment 13 Chris Carpenter 2010-02-10 22:38:04 UTC
Doing restorecon -R -v /var/lib seems to have fixed it for me.

Comment 14 Fedora Update System 2010-02-11 14:34:11 UTC
setroubleshoot-2.2.63-2.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update setroubleshoot'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1591

Comment 15 Fedora Update System 2010-02-11 14:40:08 UTC
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2010-02-13 00:37:15 UTC
setroubleshoot-2.2.63-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.