Bug 571274

Summary: SELinux is preventing /usr/libexec/nm-openconnect-service "create" access.
Product: Fedora
Version: 12
Component: selinux-policy
Reporter: Arnold Wang <arnold.x.wang>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: auroux, dwalsh, jan.public, mgrepl, mh, paul.kimball, plug.gulp, robdale
Status: CLOSED ERRATA
Severity: medium
Priority: low
Keywords: Reopened
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:bd3ebe626cfee9dc1887d1f9debf693e169a0df598a861815c61151408d84783
Fixed In Version: selinux-policy-3.6.32-106.fc12
Doc Type: Bug Fix
Last Closed: 2010-03-30 02:10:47 UTC

Description Arnold Wang 2010-03-07 23:33:08 UTC
Summary:

SELinux is preventing /usr/libexec/nm-openconnect-service "create" access.

Detailed Description:

SELinux denied access requested by nm-openconnect-. It is not expected that this
access is required by nm-openconnect- and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:system_r:NetworkManager_t:s0
Target Objects                None [ tun_socket ]
Source                        nm-openconnect-
Source Path                   /usr/libexec/nm-openconnect-service
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           NetworkManager-
                              openconnect-0.7.996-4.git20090921.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-92.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.9-67.fc12.x86_64 #1
                              SMP Sat Feb 27 09:26:40 UTC 2010 x86_64 x86_64
Alert Count                   360
First Seen                    Sun 07 Mar 2010 03:31:07 PM PST
Last Seen                     Sun 07 Mar 2010 03:31:26 PM PST
Local ID                      fffa430e-ad72-49ac-91cb-4e2ad7da5570
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1268004686.580:27574): avc:  denied  { create } for  pid=2308 comm="nm-openconnect-" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=tun_socket

node=(removed) type=SYSCALL msg=audit(1268004686.580:27574): arch=c000003e syscall=16 success=no exit=-13 a0=3 a1=400454ca a2=7ffff952b1d0 a3=7ffff952af30 items=0 ppid=1490 pid=2308 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-openconnect-" exe="/usr/libexec/nm-openconnect-service" subj=system_u:system_r:NetworkManager_t:s0 key=(null)



Hash String generated from  catchall,nm-openconnect-,NetworkManager_t,NetworkManager_t,tun_socket,create
audit2allow suggests:

#============= NetworkManager_t ==============
allow NetworkManager_t self:tun_socket create;

Comment 1 Daniel Walsh 2010-03-09 14:40:36 UTC
allow NetworkManager_t self:tun_socket create_socket_perms;

Comment 2 Miroslav Grepl 2010-03-09 14:47:45 UTC
Fixed in selinux-policy-3.6.32-100.fc12

Comment 3 Arnold Wang 2010-03-13 15:52:23 UTC
When will selinux-policy-3.6.32-100.fc12 be available? I just checked now and only 3.6.32-99.fc12 is available from update. Can I manually download it somewhere?
Thanks.
BTW, audit2allow generates the following, just FYI.
-bash-4.0# audit2allow -alr

require {
	type vpnc_t;
	type NetworkManager_t;
	class tun_socket { relabelfrom relabelto create };
}

#============= NetworkManager_t ==============
allow NetworkManager_t self:tun_socket create;

#============= vpnc_t ==============
allow vpnc_t NetworkManager_t:tun_socket relabelfrom;
allow vpnc_t self:tun_socket relabelto;

Comment 4 Miroslav Grepl 2010-03-15 08:24:28 UTC
I am going to push out a new update today. You can download selinux-policy packages from koji.

http://koji.fedoraproject.org/koji/buildinfo?buildID=161507

Comment 5 Fedora Update System 2010-03-15 22:17:44 UTC
selinux-policy-3.6.32-103.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-103.fc12

Comment 6 Arnold Wang 2010-03-16 16:10:58 UTC
I installed selinux-policy-3.6.32-103.fc12 from koji and it fixed the openconnect problem.
Thanks.

Comment 7 Daniel Walsh 2010-03-16 18:34:17 UTC
Please update the karma by adding a comment at the link above.

Comment 8 Fedora Update System 2010-03-16 23:23:56 UTC
selinux-policy-3.6.32-103.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-103.fc12

Comment 9 Denis Auroux 2010-03-19 05:28:51 UTC
This doesn't fix the problem; as pointed out in comment #3 there are also some additional permissions needed. After upgrading to 3.6.32-103.fc12 there's still at least a relabelfrom permission missing.


Summary:

SELinux is preventing /usr/libexec/nm-openconnect-service "relabelfrom" access.

Detailed Description:

SELinux denied access requested by nm-openconnect-. It is not expected that this
access is required by nm-openconnect- and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:system_r:NetworkManager_t:s0
Target Objects                None [ tun_socket ]
Source                        nm-openconnect-
Source Path                   /usr/libexec/nm-openconnect-service
Port                          <Unknown>
Host                          auroux-X200T.mxk.edu
Source RPM Packages           NetworkManager-
                              openconnect-0.7.996-4.git20090921.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-103.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     auroux-X200T.mxk.edu
Platform                      Linux auroux-X200T.mxk.edu
                              2.6.32.9-70.fc12.i686.PAE #1 SMP Wed Mar 3
                              04:57:21 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Thu 18 Mar 2010 09:29:35 PM PDT
Last Seen                     Thu 18 Mar 2010 10:25:29 PM PDT
Local ID                      5d7c0450-9055-42ed-84d2-0f884aed5e49
Line Numbers                  

Raw Audit Messages            

node=auroux-X200T.mxk.edu type=AVC msg=audit(1268976329.5:41): avc:  denied  { relabelfrom } for  pid=2418 comm="nm-openconnect-" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=tun_socket

node=auroux-X200T.mxk.edu type=SYSCALL msg=audit(1268976329.5:41): arch=40000003 syscall=54 success=no exit=-13 a0=4 a1=400454ca a2=bff928ec a3=bff928ec items=0 ppid=1371 pid=2418 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-openconnect-" exe="/usr/libexec/nm-openconnect-service" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Comment 10 Daniel Walsh 2010-03-19 13:55:22 UTC
I wonder if /usr/libexec/nm-openconnect-service should be labeled vpnc_exec_t.


In policy we added

allow vpnc_t NetworkManager_t:tun_socket relabelfrom;

Now your system is complaining about

allow NetworkManager_t NetworkManager_t:tun_socket relabelfrom;

If you chcon -t vpnc_exec_t /usr/libexec/nm-openconnect-service, does the AVC go away?

Comment 11 Arnold Wang 2010-03-19 15:47:17 UTC
Just a fyi that "selinux-policy-targeted-3.6.32-103.fc12.noarch" did fix my problem, without changing the label for nm-openconnect-service.
[awang@arnoldw-lt Desktop]$ ls -lZ /usr/libexec/nm-openconnect-service
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/libexec/nm-openconnect-service
[awang@arnoldw-lt Desktop]$ getenforce
Enforcing
[awang@arnoldw-lt Desktop]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-3.6.32-103.fc12.noarch

Comment 12 Denis Auroux 2010-03-19 18:35:11 UTC
The relabel doesn't seem to help in my case: then I get new issues, see below.
(Maybe my case is different from Arnold's in that I'm trying to connect to an openconnect VPN with several authentication groups. Or maybe I'm just plain doing something wrong. Don't mind me if it works for everyone else.)


SELinux is preventing /sbin/modprobe "read" access on /etc/modprobe.d.

node=auroux-X200T.mxk.edu type=AVC msg=audit(1269022168.786:149): avc: denied { read } for pid=7693 comm="modprobe" name="modprobe.d" dev=sda5 ino=555974 scontext=unconfined_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
node=auroux-X200T.mxk.edu type=SYSCALL msg=audit(1269022168.786:149): arch=40000003 syscall=5 success=no exit=-13 a0=8059f72 a1=0 a2=1b6 a3=805b429 items=0 ppid=7692 pid=7693 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="modprobe" exe="/sbin/modprobe" subj=unconfined_u:system_r:vpnc_t:s0 key=(null)


#============= vpnc_t ==============
allow vpnc_t modules_conf_t:dir read;


and:

SELinux is preventing /usr/libexec/nm-openconnect-service "relabelfrom" access

node=auroux-X200T.mxk.edu type=AVC msg=audit(1269022168.790:151): avc: denied { relabelfrom } for pid=7692 comm="nm-openconnect-" scontext=unconfined_u:system_r:vpnc_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=tun_socket
node=auroux-X200T.mxk.edu type=SYSCALL msg=audit(1269022168.790:151): arch=40000003 syscall=54 success=no exit=-13 a0=3 a1=400454ca a2=bf9ae19c a3=3 items=0 ppid=2877 pid=7692 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="nm-openconnect-" exe="/usr/libexec/nm-openconnect-service" subj=unconfined_u:system_r:vpnc_t:s0 key=(null)

#============= vpnc_t ==============
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.

allow vpnc_t NetworkManager_t:tun_socket relabelfrom;

(+ same for relabelto)


Denis
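
Added example (not part of the bug report, of audit2allow or of the selinux-policy package): the AVC/SYSCALL pairs quoted in the description, comment 9 and comment 12, decoded one step further than audit2allow shows. It pairs each AVC with its SYSCALL record by audit event id, names the syscall and the ioctl request that triggered the check (a1=400454ca is TUNSETIFF, the tun-device create/attach ioctl, in all three events), and collapses the denials into audit2allow-style rules, flagging the vpnc_t -> NetworkManager_t relabel rule that audit2allow itself marked as a constraint violation. The audit lines are copied from this bug; the arch and syscall tables cover only the values that appear in it.

```python
"""Added example: decode the AVC/SYSCALL pairs from this bug and derive the
audit2allow-style rules. Not part of the bug report or of any Fedora tool."""
import re
from collections import defaultdict

# AUDIT_ARCH values and syscall numbers for the two ABIs seen in this report only.
AUDIT_ARCH = {0xC000003E: "x86_64", 0x40000003: "i386"}
SYSCALL_NAMES = {("x86_64", 16): "ioctl", ("i386", 54): "ioctl", ("i386", 5): "open"}

# Audit records copied from the bug: description (x86_64), comment 9 (i686),
# comment 12 (i686, after relabelling the service to vpnc_exec_t).
SAMPLE_LOG = [
    'node=(removed) type=AVC msg=audit(1268004686.580:27574): avc:  denied  { create } for  pid=2308 comm="nm-openconnect-" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=tun_socket',
    'node=(removed) type=SYSCALL msg=audit(1268004686.580:27574): arch=c000003e syscall=16 success=no exit=-13 a0=3 a1=400454ca a2=7ffff952b1d0 a3=7ffff952af30 items=0 ppid=1490 pid=2308 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-openconnect-" exe="/usr/libexec/nm-openconnect-service" subj=system_u:system_r:NetworkManager_t:s0 key=(null)',
    'node=auroux-X200T.mxk.edu type=AVC msg=audit(1268976329.5:41): avc:  denied  { relabelfrom } for  pid=2418 comm="nm-openconnect-" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=tun_socket',
    'node=auroux-X200T.mxk.edu type=SYSCALL msg=audit(1268976329.5:41): arch=40000003 syscall=54 success=no exit=-13 a0=4 a1=400454ca a2=bff928ec a3=bff928ec items=0 ppid=1371 pid=2418 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-openconnect-" exe="/usr/libexec/nm-openconnect-service" subj=system_u:system_r:NetworkManager_t:s0 key=(null)',
    'node=auroux-X200T.mxk.edu type=AVC msg=audit(1269022168.790:151): avc: denied { relabelfrom } for pid=7692 comm="nm-openconnect-" scontext=unconfined_u:system_r:vpnc_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=tun_socket',
    'node=auroux-X200T.mxk.edu type=SYSCALL msg=audit(1269022168.790:151): arch=40000003 syscall=54 success=no exit=-13 a0=3 a1=400454ca a2=bf9ae19c a3=3 items=0 ppid=2877 pid=7692 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="nm-openconnect-" exe="/usr/libexec/nm-openconnect-service" subj=unconfined_u:system_r:vpnc_t:s0 key=(null)',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """One audit record -> dict of key=value fields with quotes stripped.
    For AVC records the '{ perm ... }' set is added under 'perms'."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if rec.get("type") == "AVC":
        m = re.search(r"\{\s*([^}]*)\}", line)
        rec["perms"] = set(m.group(1).split()) if m else set()
    return rec


def ioctl_name(request):
    """Split a Linux ioctl request number into its _IOC(dir, type, nr, size)
    fields. TUNSETIFF is _IOW('T', 202, int) == 0x400454ca, the call that
    creates a tun device (checked as tun_socket create) or attaches to an
    existing one (checked as tun_socket relabelfrom/relabelto)."""
    direction, size = (request >> 30) & 0x3, (request >> 16) & 0x3FFF
    typ, nr = (request >> 8) & 0xFF, request & 0xFF
    if (direction, typ, nr, size) == (1, ord("T"), 202, 4):
        return "TUNSETIFF"
    return f"ioctl(dir={direction}, type={chr(typ)!r}, nr={nr}, size={size})"


def type_of(context):
    """'system_u:system_r:NetworkManager_t:s0' -> 'NetworkManager_t'"""
    return context.split(":")[2]


def analyse(lines):
    """Group records by audit event id and describe each denial."""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        m = EVENT_RE.match(rec.get("msg", ""))
        if m and rec.get("type") in ("AVC", "SYSCALL"):
            events[m.group(0)][rec["type"]] = rec
    findings = []
    for recs in events.values():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if avc is None:
            continue
        f = {"source": type_of(avc["scontext"]), "target": type_of(avc["tcontext"]),
             "tclass": avc["tclass"], "perms": avc["perms"], "syscall": None, "detail": None}
        if sc is not None:
            arch = AUDIT_ARCH.get(int(sc["arch"], 16), sc["arch"])
            name = SYSCALL_NAMES.get((arch, int(sc["syscall"])), "syscall " + sc["syscall"])
            f["syscall"] = f"{arch} {name}"
            if name == "ioctl":
                f["detail"] = ioctl_name(int(sc["a1"], 16))
        findings.append(f)
    return findings


def allow_rules(findings):
    """Collapse findings into audit2allow-style rules. A relabel rule between
    two different types is flagged: as audit2allow warned in comment 12, that
    denial comes from a constraint, and a plain allow rule will not clear it."""
    merged = defaultdict(set)
    for f in findings:
        target = "self" if f["target"] == f["source"] else f["target"]
        merged[(f["source"], target, f["tclass"])] |= f["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rule = f"allow {src} {tgt}:{cls} {perm_text};"
        if tgt != "self" and perms & {"relabelfrom", "relabelto"}:
            rule += "  # cross-type relabel: constraint violation, allow alone will not fix it"
        rules.append(rule)
    return rules


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['source']} -> {f['target']} {f['tclass']} {sorted(f['perms'])} via {f['syscall']} ({f['detail']})")
    print("\n".join(allow_rules(analyse(SAMPLE_LOG))))
```

Run on these six records it produces the rule Dan Walsh settled on for NetworkManager_t self:tun_socket (create plus relabelfrom) and a flagged vpnc_t rule, which is the signal that relabelling the service to vpnc_exec_t moves the problem rather than solving it.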

Comment 13 Fedora Update System 2010-03-20 03:29:54 UTC
selinux-policy-3.6.32-103.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Daniel Walsh 2010-03-22 15:42:55 UTC
Denis, the vpnc executing modprobe is going to be a problem.  Do you know what it is doing?

Comment 15 Denis Auroux 2010-03-22 16:51:55 UTC
I'm pretty sure it's not vpnc but rather nm-openconnect-service that's executing modprobe (since the error only happens after relabelling nm-openconnect-service to type vpnc_exec_t). In fact:

[root@auroux-X200T]/usr/libexec# strings nm-openconnect-service |grep modprobe
/sbin/modprobe tun

I've fixed things on my system by returning nm-openconnect-service to its default labelling and making a local sepolicy module. (Half of which is probably not necessary, but I ran out of patience and needed my VPN access to just work).

Denis


module local 1.0;

require {
        type vpnc_t;
        type NetworkManager_t;
        class tun_socket { relabelfrom relabelto };
}

#============= NetworkManager_t ==============
allow NetworkManager_t self:tun_socket relabelto;
allow NetworkManager_t self:tun_socket relabelfrom;
allow NetworkManager_t vpnc_t:tun_socket relabelto;
allow NetworkManager_t vpnc_t:tun_socket relabelfrom;
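
The local-module workflow Denis refers to above, written out end to end as an added example (not from the bug, from Denis, or from the selinux-policy package). It loads the narrow rule Dan Walsh settled on in comment 16 (NetworkManager_t self:tun_socket create_socket_perms plus relabelfrom) instead of the cross-type vpnc_t rules, since those hit a constraint. The module name nm_openconnect_local is this example's own choice, and create_socket_perms is expanded by hand because it is a refpolicy m4 macro that checkmodule does not understand. Loading a policy module is a privileged, persistent change, so the script only applies it when run with --apply; the module should be removed again once the fixed selinux-policy build is installed.

```shell
#!/bin/sh
# Added example (not from the bug or Fedora's policy): write, compile, load
# and verify a local SELinux policy module for the tun_socket denials above.
set -eu

MODULE=nm_openconnect_local   # example's own module name
# refpolicy's create_socket_perms, expanded because checkmodule has no m4.
SOCK_PERMS="create ioctl read getattr write setattr append bind connect getopt setopt shutdown"

write_te() {
    # $1: path of the .te source to write
    cat > "$1" <<EOF
module $MODULE 1.0;

require {
        type NetworkManager_t;
        class tun_socket { $SOCK_PERMS relabelfrom };
}

# Comment 16's rule: the service stays NetworkManager_t, no relabel of the binary.
allow NetworkManager_t self:tun_socket { $SOCK_PERMS relabelfrom };
EOF
}

build_pp() {
    # $1: .te path; compiles it to a loadable .pp beside it and prints the .pp path
    te=$1
    base=${te%.te}
    checkmodule -M -m -o "$base.mod" "$te"
    semodule_package -o "$base.pp" -m "$base.mod"
    printf '%s\n' "$base.pp"
}

verify_loaded() {
    # The rule must be visible to the policy query tool, and fresh denials for
    # the same comm must stop appearing (ausearch -ts recent = last 10 minutes).
    sesearch -A -s NetworkManager_t -t NetworkManager_t -c tun_socket -p relabelfrom | grep -q tun_socket
    if ausearch -m AVC -c nm-openconnect- -ts recent >/dev/null 2>&1; then
        echo "warning: AVCs for nm-openconnect- still logged in the last 10 minutes" >&2
    fi
}

main() {
    dir=$(mktemp -d)
    te="$dir/$MODULE.te"
    write_te "$te"
    pp=$(build_pp "$te")
    semodule -i "$pp"        # needs root; stays loaded across reboots until removed
    verify_loaded
    echo "loaded $MODULE; once selinux-policy-3.6.32-106.fc12 is installed, run: semodule -r $MODULE"
}

# Only touch the running policy when asked explicitly.
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Usage: `sh nm_openconnect_local.sh --apply` as root; `semodule -l | grep nm_openconnect_local` confirms it is loaded and `semodule -r nm_openconnect_local` removes it after the distro update lands.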

Comment 16 Daniel Walsh 2010-03-22 18:26:43 UTC
Ok, 

Miroslav can you add relabelfrom to NetworkManager_t

allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom };

And don't change the labels.

Comment 17 Miroslav Grepl 2010-03-23 12:05:20 UTC
Fixed in selinux-policy-3.6.32-106.fc12

Comment 18 Fedora Update System 2010-03-23 18:02:21 UTC
selinux-policy-3.6.32-106.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12

Comment 19 Fedora Update System 2010-03-24 23:29:32 UTC
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12

Comment 20 Fedora Update System 2010-03-30 02:09:05 UTC
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.