| Summary: | SELinux is preventing /usr/sbin/NetworkManager from 'execute' accesses on the file /etc/rc.d/init.d/nscd. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | cyrushmh <cyrusyzgtt> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 15 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:bf56ee959f8c7436329be3413e5d7fed7d1458902ae6a27254794fe37275a873 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-07-22 20:20:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Plugin told you what to do. restorecon -R -v /etc |
SELinux is preventing /usr/sbin/NetworkManager from 'execute' accesses on the file /etc/rc.d/init.d/nscd. ***** Plugin restorecon (94.8 confidence) suggests ************************* If you want to fix the label. /etc/rc.d/init.d/nscd default label should be nscd_initrc_exec_t. Then you can run restorecon. Do # /sbin/restorecon -v /etc/rc.d/init.d/nscd ***** Plugin catchall_labels (5.21 confidence) suggests ******************** If you want to allow NetworkManager to have execute access on the nscd file Then you need to change the label on /etc/rc.d/init.d/nscd Do # semanage fcontext -a -t FILE_TYPE '/etc/rc.d/init.d/nscd' where FILE_TYPE is one of the following: named_exec_t, consoletype_exec_t, ntpd_initrc_exec_t, nscd_initrc_exec_t, iptables_exec_t, policykit_auth_exec_t, bin_t, openvpn_exec_t, udev_exec_t, ifconfig_exec_t, NetworkManager_exec_t, NetworkManager_tmp_t, pppd_initrc_exec_t, nscd_exec_t, rpm_exec_t, shell_exec_t, dnsmasq_exec_t, dhcpc_exec_t, vpnc_exec_t, init_script_file_type, ipsec_mgmt_exec_t, pppd_exec_t, lib_t, abrt_helper_exec_t, ld_so_t, avahi_exec_t, textrel_shlib_t, dnsmasq_initrc_exec_t, insmod_exec_t. Then execute: restorecon -v '/etc/rc.d/init.d/nscd' ***** Plugin catchall (1.44 confidence) suggests *************************** If you believe that NetworkManager should be allowed execute access on the nscd file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:NetworkManager_t:s0 Target Context unconfined_u:object_r:etc_t:s0 Target Objects /etc/rc.d/init.d/nscd [ file ] Source NetworkManager Source Path /usr/sbin/NetworkManager Port <未知> Host (removed) Source RPM Packages NetworkManager-0.8.9997-5.git20110702.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-34.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54 UTC 2011 x86_64 x86_64 Alert Count 2 First Seen 2011年07月22日 星期五 20时54分36秒 Last Seen 2011年07月22日 星期五 21时14分00秒 Local ID 431182dd-5bf7-4cd3-be29-fab97220bd4c Raw Audit Messages type=AVC msg=audit(1311340440.241:53): avc: denied { execute } for pid=2364 comm="NetworkManager" name="nscd" dev=sda6 ino=3016693 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file type=SYSCALL msg=audit(1311340440.241:53): arch=x86_64 syscall=execve success=no exit=EACCES a0=2575200 a1=25e6080 a2=253ecf0 a3=0 items=0 ppid=771 pid=2364 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null) Hash: NetworkManager,NetworkManager_t,etc_t,file,execute audit2allow #============= NetworkManager_t ============== allow NetworkManager_t etc_t:file execute; audit2allow -R #============= NetworkManager_t ============== allow NetworkManager_t etc_t:file execute;