Bug 567665

Summary: SELinux is preventing /usr/libexec/nm-dhcp-client.action "getsched" access .
Product: [Fedora] Fedora Reporter: Michal Schmidt <mschmidt>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 13CC: dwalsh, emanwesk-2, mgrepl, tcameron, tc
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:aa30c7ee6822842f456e8d9505a95cfa35f86971ac2568fa434d54552a943f75
Fixed In Version: selinux-policy-3.6.32-92.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-08 11:16:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Output of requested commands. none

Description Michal Schmidt 2010-02-23 15:36:23 UTC 
Souhrn:

SELinux is preventing /usr/libexec/nm-dhcp-client.action "getsched" access .

Podrobný popis:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by nm-dhcp-client.. It is not expected that this
access is required by nm-dhcp-client. and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Další informace:

Kontext zdroje                system_u:system_r:dhcpc_t:s0
Kontext cíle                 system_u:system_r:dhcpc_t:s0
Objekty cíle                 None [ process ]
Zdroj                         nm-dhcp-client.
Cesta zdroje                  /usr/libexec/nm-dhcp-client.action
Port                          <Neznámé>
Počítač                    (removed)
RPM balíčky zdroje          NetworkManager-0.8.0-0.4.git20100211.fc13
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.7.9-4.fc13
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim            Permissive
Název zásuvného modulu     catchall
Název počítače            (removed)
Platforma                     Linux leela 2.6.33-0.52.rc8.git6.fc13.x86_64 #1
                              SMP Tue Feb 23 04:52:05 UTC 2010 x86_64 x86_64
Počet upozornění           99
Poprvé viděno               Po 22. únor 2010, 14:29:02 CET
Naposledy viděno             Út 23. únor 2010, 16:06:35 CET
Místní ID                   805e6459-1d27-4911-aeb1-219f5d27aca1
Čísla řádků              

Původní zprávy auditu      

node=leela type=AVC msg=audit(1266937595.993:15): avc:  denied  { getsched } for  pid=1861 comm="nm-dhcp-client." scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process

node=leela type=SYSCALL msg=audit(1266937595.993:15): arch=c000003e syscall=143 success=yes exit=0 a0=745 a1=7f8739d2bd38 a2=7fff3bc96bd0 a3=7fff3bc96aa0 items=0 ppid=1859 pid=1861 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-dhcp-client." exe="/usr/libexec/nm-dhcp-client.action" subj=system_u:system_r:dhcpc_t:s0 key=(null)



Hash String generated from  catchall,nm-dhcp-client.,dhcpc_t,dhcpc_t,process,getsched
audit2allow suggests:

#============= dhcpc_t ==============
allow dhcpc_t self:process getsched;
Comment 1 Daniel Walsh 2010-02-23 16:27:59 UTC 
Fixed in selinux-policy-3.7.10-2.fc13.noarch
Comment 2 Fedora Update System 2010-02-23 16:29:37 UTC 
selinux-policy-3.7.10-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/F13/FEDORA-2010-2622
Comment 3 Fedora Update System 2010-02-23 20:58:18 UTC 
selinux-policy-3.6.32-92.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-92.fc12
Comment 4 Fedora Update System 2010-02-23 21:07:33 UTC 
selinux-policy-3.7.10-3.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/F13/FEDORA-2010-2622
Comment 5 Fedora Update System 2010-02-24 08:04:58 UTC 
selinux-policy-3.7.10-3.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Ray Evans 2010-02-25 10:21:17 UTC 
Daniel I can repro this one with selinux-policy-3.7.10-3.fc13.noarch. If selinux is in enforcing targeted, this precludes eth0 eth1 and so on from connecting to my LAN.  I have to setenforce 0 to get online.
Comment 7 Daniel Walsh 2010-02-25 13:44:34 UTC 
Ray are you sure you are getting the same AVC?

ausearch -m avc -ts recent

rpm -q selinux-policy
selinux-policy-3.7.10-3.fc13.noarch

sesearch -A -s dhcpc_t -p getsched
Found 1 semantic av rules:
   allow dhcpc_t dhcpc_t : process { fork sigchld sigkill sigstop signull signal ptrace getsched getcap setcap setfscreate } ;
Comment 8 Michal Schmidt 2010-02-25 22:41:47 UTC 
selinux-policy-3.7.10-4.fc13.noarch

time->Thu Feb 25 23:30:10 2010
type=SYSCALL msg=audit(1267137010.324:18011): arch=c000003e syscall=143 success=yes exit=0 a0=831 a1=7f98ee681d38 a2=7ffffbd03fe0 a3=1 items=0 ppid=1 pid=2097 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="plymouthd" exe="/sbin/plymouthd" subj=system_u:system_r:plymouthd_t:s0 key=(null)
type=AVC msg=audit(1267137010.324:18011): avc:  denied  { getsched } for  pid=2097 comm="plymouthd" scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=process
----
time->Thu Feb 25 23:31:26 2010
type=SYSCALL msg=audit(1267137086.910:5): arch=c000003e syscall=143 success=yes exit=0 a0=505 a1=7f1048ca2d38 a2=7fff8d8e5a70 a3=1 items=0 ppid=1283 pid=1285 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modem-manager" exe="/usr/sbin/modem-manager" subj=system_u:system_r:modemmanager_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267137086.910:5): avc:  denied  { getsched } for  pid=1285 comm="modem-manager" scontext=system_u:system_r:modemmanager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:modemmanager_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Feb 25 23:32:22 2010
type=SYSCALL msg=audit(1267137142.824:14): arch=c000003e syscall=143 success=yes exit=0 a0=727 a1=7fa073c6dd38 a2=7fffe415a2e0 a3=7fffe415a1e0 items=0 ppid=1824 pid=1831 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-dhcp-client." exe="/usr/libexec/nm-dhcp-client.action" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1267137142.824:14): avc:  denied  { getsched } for  pid=1831 comm="nm-dhcp-client." scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process
Comment 9 Michal Schmidt 2010-02-25 22:43:54 UTC 
'sesearch -A -s dhcpc_t -p getsched' does not find anything here.
Comment 10 Ray Evans 2010-02-25 23:36:53 UTC 
Created attachment 396431 [details]
Output of requested commands.
Comment 11 Ray Evans 2010-02-25 23:47:17 UTC 
Installed 3.7.10-4  now the leaked to /tmp/randomness reappears but at least my network (LAN-Ethernet) works again.

rpm -qa selinux*
selinux-policy-3.7.10-4.fc13.noarch
selinux-policy-targeted-3.7.10-4.fc13.noarch
[root@THOR jag]# ausearch -m avc -ts recent
----
time->Thu Feb 25 15:41:17 2010
type=SYSCALL msg=audit(1267141277.554:39): arch=c000003e syscall=59 success=yes exit=0 a0=178fb50 a1=178a550 a2=1789e30 a3=b8 items=0 ppid=2016 pid=2018 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=unconfined_u:system_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267141277.554:39): avc:  denied  { append } for  pid=2018 comm="semodule" path="/tmp/tmpbeObVW" dev=sdb2 ino=9037 scontext=unconfined_u:system_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file                                                                                                                          
----                                                                                                                                                                                    
time->Thu Feb 25 15:41:20 2010                                                                                                                                                          
type=SYSCALL msg=audit(1267141280.389:41): arch=c000003e syscall=59 success=yes exit=0 a0=f54720 a1=f53e70 a2=f571e0 a3=8 items=0 ppid=2027 pid=2050 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)                                     
type=AVC msg=audit(1267141280.389:41): avc:  denied  { read append } for  pid=2050 comm="restorecon" path="/tmp/tmpbeObVW" dev=sdb2 ino=9037 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
Comment 12 Fedora Update System 2010-02-26 03:45:10 UTC 
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-2953
Comment 13 Ray Evans 2010-02-26 08:46:33 UTC 
Fedora Update System seems to have temporarily lost it's way.   This is an F13 bug and it's suggesting an F12 update.
Comment 14 Miroslav Grepl 2010-02-26 09:24:09 UTC 
Oops, my fault. I put this bug number to the bug list while I was creating new update for F12.
Comment 15 Daniel Walsh 2010-02-26 15:56:34 UTC 
The rpm_tmp_t append fix will be 

	Fixed in selinux-policy-3.7.10-5.fc13.noarch
Comment 16 Fedora Update System 2010-03-04 00:13:48 UTC 
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Michal Schmidt 2010-03-07 07:48:08 UTC 
I still get this denial regularly.

type=SYSCALL msg=audit(1267946601.582:19489): arch=c000003e syscall=143 success=yes exit=0 a0=777 a1=7fd0817b1d38 a2=7ffff5ed3c90 a3=7ffff5ed3b90 items=0 ppid=1909 pid=1911 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-dhcp-client." exe="/usr/libexec/nm-dhcp-client.action" subj=system_u:system_r:dhcpc_t:s0 key=(null)

type=AVC msg=audit(1267946601.582:19489): avc:  denied  { getsched } for  pid=1911 comm="nm-dhcp-client." scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process

$ rpm -q NetworkManager ModemManager selinux-policy
NetworkManager-0.8.0-0.4.git20100211.fc13.x86_64
selinux-policy-3.7.11-1.fc13.noarch
Comment 18 Daniel Walsh 2010-03-07 13:49:19 UTC 
# audit2allow -i /tmp/t 


#============= dhcpc_t ==============
#!!!! This avc is allowed in the current policy

allow dhcpc_t self:process getsched;


Are you sure something did not go wrong on update.

# yum reinstall selinux-policy-targeted

Then execute

# sesearch -A -s dhcpc_t -p getsched
Found 1 semantic av rules:
   allow dhcpc_t dhcpc_t : process { fork sigchld sigkill sigstop signull signal ptrace getsched getcap setcap setfscreate } ;
Comment 19 Michal Schmidt 2010-03-08 11:16:42 UTC 
Dan,
you're right. Something did go wrong during the update:

libsepol.print_missing_requirements: icecream's global requirements were not met: type/attribute etcfile (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

After I removed the icecream package and then manually removed all traces of its SELinux parts (port definitions and a policy module), I was able to reinstall selinux-policy-targeted without errors and now sesearch is able to find the getsched rule.

Closing this bug again, because the upgrade bug was a fault of the icecream package (which I maintain).