| Summary: | SELinux is preventing /usr/sbin/NetworkManager from 'execute_no_trans' accesses on the file /usr/sbin/nscd. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Eric Blake <eblake> |
| Component: | ntp | Assignee: | Miroslav Lichvar <mlichvar> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | dwalsh, mgrepl, mlichvar, pertusus |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:0c1ba24c112266125591c5170693c6fdc51e1f1d879650ce6932dc3f0429a5fa | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-02-07 11:43:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Any idea why '/usr/sbin/nscd' is labeled as textrel_shlib_t? Did you setup it? Does # restorecon -R -v /usr/sbin/nscd fix the label? In Rawhide right now there is a bug that ntpd is causing execmod access. ntpd needs to be rebuilt, using the newere glibc. (In reply to comment #1) > Any idea why '/usr/sbin/nscd' is labeled as textrel_shlib_t? Yes, because I (blindly) followed advice given by setroubleshoot regarding how to "fix" ncsd demanding execmod access (that is, there were two options; one was changing the label of ncsd to textrel_shlib_t, which I followed because it was on top, and another which I did not follow of adding a rule to avoid the execmod audit message). I have since reverted the label change (changing to textrel_shlib_t was a worse cure than the original disease); but maybe this points to a bug in the setroubleshoot for having provided that suggestion in the first place? Yes I agree that cure was worse then the disease. I will look at the plugin. The plugin should probably check the existin label and only suggest the fix if the label is lib_t. The plugin is fixed to only fire against lib_t in setroubleshoot-plugins-3.0.15. |
SELinux is preventing /usr/sbin/NetworkManager from 'execute_no_trans' accesses on the file /usr/sbin/nscd. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that NetworkManager should be allowed execute_no_trans access on the nscd file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:NetworkManager_t:s0 Target Context system_u:object_r:textrel_shlib_t:s0 Target Objects /usr/sbin/nscd [ file ] Source NetworkManager Source Path /usr/sbin/NetworkManager Port <Unknown> Host (removed) Source RPM Packages NetworkManager-0.8.2-6.git20101117.fc15 Target RPM Packages nscd-2.13.90-1 Policy RPM selinux-policy-3.9.13-9.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.38-0.rc3.git4.1.fc15.i686 #1 SMP Sat Feb 5 02:32:55 UTC 2011 i686 i686 Alert Count 1 First Seen Sat 05 Feb 2011 10:31:12 AM MST Last Seen Sat 05 Feb 2011 10:31:12 AM MST Local ID f6c24074-6696-4243-a965-9ae7cdbc3d72 Raw Audit Messages type=AVC msg=audit(1296927072.974:63): avc: denied { execute_no_trans } for pid=2091 comm="NetworkManager" path="/usr/sbin/nscd" dev=dm-1 ino=29273 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:textrel_shlib_t:s0 tclass=file type=SYSCALL msg=audit(1296927072.974:63): arch=i386 syscall=execve success=no exit=EACCES a0=9ed4960 a1=9ed4890 a2=9ea48c0 a3=9ed4890 items=0 ppid=2019 pid=2091 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null) Hash: NetworkManager,NetworkManager_t,textrel_shlib_t,file,execute_no_trans audit2allow #============= NetworkManager_t ============== allow NetworkManager_t textrel_shlib_t:file execute_no_trans; audit2allow -R #============= NetworkManager_t ============== allow NetworkManager_t textrel_shlib_t:file execute_no_trans;