Bug 693581
| Summary: | SELinux is preventing NetworkManager from 'read' accesses on the file n2. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Luya Tshimbalanga <luya> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 15 | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-04-07 18:58:36 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Could you try to install the latest systemd from koji for now http://koji.fedoraproject.org/koji/buildinfo?buildID=237547 *** Bug 693579 has been marked as a duplicate of this bug. *** No impact with systemd-23.1. I am trying 24.1 version to see if that solves issue. No effect with systemd-24.1 =( Attempting to use latest koji selinux-policy and systemd still generated alert after reboot. *** This bug has been marked as a duplicate of bug 693247 *** |
Description of problem: ***** Plugin catchall_labels (83.8 confidence) suggests ******************** If you want to allow NetworkManager to have read access on the n2 file Then you need to change the label on n2 Do # semanage fcontext -a -t FILE_TYPE 'n2' where FILE_TYPE is one of the following: lwregd_t, mysqld_t, kdumpgui_t, oddjob_t, openct_t, svc_start_t, httpd_bugzilla_script_t, fail2ban_t, postfix_bounce_t, passwd_t, selinux_config_t, qdiskd_t, racoon_t, soundd_t, telepathy_stream_engine_t, updpwd_t, httpd_smokeping_cgi_script_t, vnstat_t, nx_server_t, xguest_t, ypbind_t, ypserv_t, zabbix_t, abrt_t, policykit_auth_t, acct_t, ssh_keygen_t, bin_t, brctl_t, cert_t, cgred_t, chfn_t, ciped_t, clamd_t, clogd_t, cupsd_t, dccd_t, dhcpd_t, dictd_t, piranha_pulse_t, drbd_t, ftpd_t, gpsd_t, gssd_t, guest_t, hald_t, howl_t, hplip_t, httpd_t, sysadm_su_t, innd_t, kdump_t, klogd_t, lircd_t, lpd_t, lpr_t, lwiod_t, lwsmd_t, hald_mac_t, iptables_t, mount_t, mpd_t, munin_t, named_t, nfsd_t, nmbd_t, nscd_t, git_shell_t, nslcd_t, ntop_t, ntpd_t, pcscd_t, pingd_t, pppd_t, pptp_t, psad_t, ptal_t, qpidd_t, radvd_t, rhgb_t, cachefilesd_t, rpcd_t, courier_sqwebmail_t, rshd_t, rssh_t, postfix_cleanup_t, sftpd_t, slapd_t, smbd_t, snmpd_t, snort_t, spamd_t, squid_t, ssh_t, sshd_t, sssd_t, postfix_showq_t, staff_t, svirt_t, swat_t, tcpd_t, tcsd_t, tftpd_t, tgtd_t, hostname_t, tor_t, tuned_t, ulogd_t, shorewall_t, uml_t, showmount_t, user_t, usr_t, uucpd_t, uux_t, virsh_t, telepathy_gabble_t, xauth_t, xend_t, ypxfr_t, eventlogd_t, nagios_system_plugin_t, postfix_qmgr_t, postfix_virtual_t, postfix_smtp_t, prelude_audisp_t, dovecot_deliver_t, ifconfig_t, courier_authdaemon_t, afs_vlserver_t, consolekit_var_run_t, fsdaemon_t, openvpn_exec_t, qmail_clean_t, qmail_local_t, qmail_smtpd_t, qmail_start_t, sandbox_xserver_t, jabberd_router_t, policykit_resolve_t, telepathy_sofiasip_t, systemd_notify_t, winbind_helper_t, amanda_t, amavis_t, device_t, load_policy_t, nut_upsmon_t, sssd_public_t, locale_t, locate_t, cupsd_config_t, logadm_t, mcelog_t, nagios_t, hald_keymap_t, httpd_helper_t, varnishd_t, rtkit_daemon_t, setkey_t, sysadm_t, tvtime_t, tzdata_t, vmware_t, webadm_t, afs_t, aiccu_t, aide_t, alsa_t, amtu_t, apm_t, avahi_t, boinc_t, canna_t, ccs_t, cdcc_t, sandbox_min_t, sandbox_net_t, crack_t, sandbox_web_t, cvs_t, user_seunshare_t, cyrus_t, xguest_java_t, dbadm_t, xguest_mono_t, dccm_t, dhcpc_t, dmesg_t, etc_t, exim_t, logwatch_mail_t, abrt_var_run_t, games_t, getty_t, gpg_t, gpm_t, ipsec_t, irc_t, irssi_t, java_t, cupsd_lpd_t, mock_t, mrtg_t, ndc_t, nrpe_t, pads_t, pam_t, postfix_map_t, ping_t, remote_login_t, postfix_postdrop_t, postfix_postqueue_t, proc_t, qemu_t, quota_t, rdisc_t, ricci_t, rsync_t, automount_t, rwho_t, spamc_t, ddclient_t, src_t, sysfs_t, fetchmail_t, vlock_t, vpnc_t, netlogond_t, xdm_t, puppetmaster_t, xfs_t, zebra_t, udev_exec_t, system_mail_t, setroubleshoot_fixit_t, staff_dbusd_t, httpd_squid_script_t, postfix_pipe_t, ifconfig_exec_t, restorecond_t, httpd_nagios_script_t, xdm_dbusd_t, gpg_helper_t, staff_ssh_agent_t, systemd_passwd_agent_t, NetworkManager_exec_t, afs_fsserver_t, portreserve_t, cpufreqselector_t, readahead_t, prelink_cron_system_t, named_cache_t, sysadm_ssh_agent_t, system_cronjob_var_lib_t, cachefiles_kernel_t, httpd_dirsrvadmin_script_t, staff_screen_t, system_dbusd_t, entropyd_t, git_system_t, httpd_suexec_t, xenstored_t, abrt_helper_t, sandbox_min_client_t, policykit_var_lib_t, rssh_chroot_helper_t, usernetctl_t, certwatch_t, sysctl_crypto_t, updfstab_t, cpuspeed_t, NetworkManager_tmp_t, nagios_admin_plugin_t, user_dbusd_t, krb5_conf_t, qmail_splogger_t, xguest_dbusd_t, cups_pdf_t, firewallgui_t, freshclam_t, ajaxterm_ssh_t, postgresql_t, pppd_initrc_exec_t, utempter_t, setsebool_t, mozilla_plugin_t, courier_pcp_t, courier_pop_t, dhcp_etc_t, zarafa_server_t, keyboardd_t, matahari_hostd_t, sysadm_dbusd_t, publicfile_t, telepathy_idle_t, usbmodules_t, httpd_zarafa_script_t, sysctl_net_t, telepathy_mission_control_t, webalizer_t, nscd_exec_t, cpucontrol_t, rpm_exec_t, NetworkManager_etc_rw_t, sambagui_t, staff_seunshare_t, gconfdefaultsm_t, nx_server_ssh_t, matahari_serviced_t, certmaster_t, certmonger_t, setfiles_t, user_mail_t, cdrecord_t, sectoolm_t, udev_tbl_t, semanage_t, checkpolicy_t, httpd_mojomojo_script_t, httpd_php_t, portmap_helper_t, cobblerd_t, consoletype_t, openoffice_t, denyhosts_t, xenconsoled_t, clamscan_t, cmirrord_t, shell_exec_t, cronjob_t, memcached_t, crontab_t, dnsmasq_exec_t, xguest_openoffice_t, logrotate_mail_t, matahari_netd_t, passenger_t, systemd_tmpfiles_t, arpwatch_t, cardmgr_t, dirsrv_snmp_t, cgclear_t, dirsrvadmin_t, chronyd_t, apcupsd_t, smbcontrol_t, dhcpc_exec_t, fingerd_t, foghorn_t, gpg_web_t, abrt_t, fprintd_t, ftpdctl_t, httpd_cobbler_script_t, NetworkManager_etc_t, NetworkManager_log_t, dcerpcd_t, dovecot_t, evtchnd_t, gpg_agent_t, telepathy_msn_t, auditctl_t, jabberd_t, kadmind_t, lib_t, hddtemp_t, netlabel_mgmt_t, spamass_milter_t, oddjob_mkhomedir_t, iceauth_t, icecast_t, prelude_correlator_t, ncftool_t, openvpn_t, postgrey_t, cyphesis_t, gnomesystemmm_t, vpnc_exec_t, init_script_file_type, lockdev_t, kerneloops_t, mplayer_t, ricci_modcluster_t, varnishlog_t, httpd_w3c_validator_script_t, ipsec_mgmt_exec_t, irqbalance_t, radiusd_t, rlogind_t, roundup_t, user_openoffice_t, srvsvcd_t, httpd_user_script_t, stunnel_t, sulogin_t, svc_run_t, syslogd_t, sysstat_t, accountsd_t, nut_upsdrvctl_t, rpcbind_t, sandbox_t, portmap_t, pppd_exec_t, yppasswdd_t, pppd_etc_t, cgconfig_t, ptchown_t, vbetool_t, vdagent_t, vhostmd_t, dbusd_etc_t, vnstatd_t, zarafa_ical_t, user_home_t, user_java_t, user_mono_t, user_wine_t, winbind_t, sysadm_sudo_t, telnetd_t, usbmuxd_t, afs_ptserver_t, ipsec_mgmt_t, run_init_t, namespace_init_t, sendmail_t, afs_cache_t, abrt_helper_exec_t, httpd_mediawiki_script_t, disk_munin_plugin_t, piranha_web_t, shutdown_t, userdomain, user_screen_t, audisp_remote_t, corosync_t, dovecot_auth_t, greylist_milter_t, calamaris_t, dlm_controld_t, gfs_controld_t, staff_openoffice_t, mailman_queue_t, smbmount_t, asterisk_t, bitlbee_t, sepgsql_trusted_proc_t, vmware_host_t, checkpc_t, saslauthd_t, awstats_t, dhcpc_state_t, aisexec_t, rpm_var_cache_t, gitosis_t, ld_so_t, debugfs_t, dnsmasq_t, krb5kdc_t, sysadm_seunshare_t, hotplug_t, gpg_pinentry_t, hwclock_t, newrole_t, zos_remote_t, dcc_client_t, mozilla_t, plymouth_t, proc_net_t, procmail_t, setrans_t, traceroute_t, pegasus_t, prelude_t, privoxy_t, qemu_dm_t, staff_java_t, staff_mono_t, staff_sudo_t, staff_wine_t, wpa_cli_t, httpd_awstats_script_t, policykit_reload_t, dbadm_sudo_t, ajaxterm_t, avahi_exec_t, textrel_shlib_t, NetworkManager_var_lib_t, NetworkManager_var_run_t, qmail_send_t, piranha_fos_t, piranha_lvs_t, sandbox_x_t, httpd_apcupsd_cgi_script_t, local_login_t, hald_dccm_t, mysqld_safe_t, ricci_modservice_t, games_srv_t, ricci_modstorage_t, samba_net_t, samba_var_t, afs_bosserver_t, fail2ban_var_lib_t, httpd_nutups_cgi_script_t, hald_sonypic_t, initrc_var_run_t, boinc_project_t, nagios_mail_plugin_t, dhcpc_var_run_t, rpm_script_tmp_t, rpm_var_lib_t, amanda_recover_t, dnsmasq_initrc_exec_t, net_conf_t, chrome_sandbox_t, zarafa_spooler_t, httpd_munin_script_t, telepathy_salut_t, sysadm_passwd_t, sysadm_screen_t, nsplugin_t, zarafa_deliver_t, openvpn_etc_t, bluetooth_helper_t, dcc_dbclean_t, nut_upsd_t, staff_execmem_t, user_execmem_t, podsleuth_t, zarafa_monitor_t, etc_runtime_t, git_session_t, anon_inodefs_t, qmail_remote_t, sysctl_kernel_t, policykit_t, anon_sftpd_t, home_cert_t, httpd_sys_script_t, staff_consolehelper_t, svc_multilog_t, ricci_modclusterd_t, pppd_var_run_t, logwatch_t, mailman_cgi_t, user_cron_spool_t, pulseaudio_t, mailman_mail_t, mysqlmanagerd_t, bluetooth_t, mencoder_t, named_exec_t, netutils_t, qmail_tcp_env_t, consoletype_exec_t, plymouthd_t, smokeping_t, sandbox_x_client_t, ksmtuned_t, dkim_milter_t, mail_munin_plugin_t, admin_crontab_t, consolekit_t, httpd_prewikka_script_t, pam_console_t, zarafa_gateway_t, policykit_grant_t, logrotate_t, ricci_modlog_t, ricci_modrpm_t, setroubleshootd_t, update_modules_t, nsplugin_config_t, ld_so_cache_t, ssh_keysign_t, nagios_checkdisk_plugin_t, postfix_master_t, postfix_pickup_t, qmail_rspawn_t, uml_switch_t, regex_milter_t, qmail_inject_t, qmail_lspawn_t, firewalld_t, wireshark_t, gnomeclock_t, httpd_cvs_script_t, sandbox_net_client_t, system_munin_plugin_t, virsh_ssh_t, hald_acl_t, staff_gkeyringd_t, ntpd_initrc_exec_t, telepathy_sunshine_t, dnsmasq_var_run_t, nscd_initrc_exec_t, iptables_exec_t, postfix_local_t, postfix_smtpd_t, loadkeys_t, services_munin_plugin_t, httpd_git_script_t, nagios_services_plugin_t, smoltclient_t, courier_tcpd_t, prelude_lml_t, dmidecode_t, system_dbusd_var_lib_t, modemmanager_t, NetworkManager_t, qmail_queue_t, sandbox_web_client_t, groupadd_t, audisp_t, auditd_t, blktap_t, httpd_rotatelogs_t, chkpwd_t, afs_kaserver_t, colord_t, policykit_auth_exec_t, comsat_t, dbskkd_t, dccifd_t, dirsrv_t, fenced_t, gconfd_t, groupd_t, iscsid_t, kismet_t, kpropd_t, ktalkd_t, lsassd_t, cert_t, net_conf_t, insmod_exec_t, root_t. Then execute: restorecon -v 'n2' ***** Plugin catchall (17.1 confidence) suggests *************************** If you believe that NetworkManager should be allowed read access on the n2 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:NetworkManager_t:s0 Target Context system_u:object_r:default_t:s0 Target Objects n2 [ file ] Source NetworkManager Source Path NetworkManager Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.9.16-10.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.38.2-9.fc15.x86_64 #1 SMP Wed Mar 30 16:55:57 UTC 2011 x86_64 x86_64 Alert Count 2 First Seen Mon 04 Apr 2011 04:49:50 PM PDT Last Seen Mon 04 Apr 2011 04:49:50 PM PDT Local ID 4ea77490-3692-4538-89ad-a0c1df3f2623 Raw Audit Messages type=AVC msg=audit(1301960990.900:8): avc: denied { read } for pid=810 comm="NetworkManager" name="n2" dev=tmpfs ino=10770 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file Hash: NetworkManager,NetworkManager_t,default_t,file,read audit2allow #============= NetworkManager_t ============== allow NetworkManager_t default_t:file read; audit2allow -R #============= NetworkManager_t ============== allow NetworkManager_t default_t:file read; Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. N/A 2. 3. Actual results: Expected results: Additional info: