Bug 962852
Summary: | Name change for NM DHCP helper | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Dan Williams <dcbw> |
Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 19 | CC: | dwalsh |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.12.1-47.fc19 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-05-30 03:34:33 UTC | Type: | Bug |
Description
Dan Williams
2013-05-14 15:04:31 UTC
$ matchpathcon /usr/libexec/nm-dhcp-client.action
/usr/libexec/nm-dhcp-client.action system_u:object_r:bin_t:s0
$ matchpathcon /usr/libexec/nm-dhcp-helper
/usr/libexec/nm-dhcp-helper system_u:object_r:bin_t:s0

so it should be OK. But thank you for the bug.

Sorry for re-opening; one additional note. The new helper talks to NM via a private dbus socket, so I get these AVCs which I failed to report before:

[167421.436171] type=1400 audit(1368718001.841:132): avc: denied { connectto } for pid=9551 comm="nm-dhcp-helper" path="/run/NetworkManager/private-dhcp" scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
[167712.650632] type=1400 audit(1368718293.055:133): avc: denied { write } for pid=9664 comm="nm-dhcp-helper" name="private-dhcp" dev="tmpfs" ino=2871306 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:NetworkManager_var_run_t:s0 tclass=sock_file

Now obviously NM is running in "unconfined_t" because I'm running a development copy directly from my source directory. Are these AVCs only showing because I'm running that unconfined devel copy, or do we need to do something in the policy to allow nm-dhcp-helper to access /run/NetworkManager/private-dhcp? Thanks!

Yes, has been added.

commit 5552a51568c3305837922503124fb39002a5df36
Author: Miroslav Grepl <mgrepl>
Date: Thu May 16 13:53:39 2013 +0200

Add networkmanager_stream_connect()

selinux-policy-3.12.1-47.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-47.fc19

Package selinux-policy-3.12.1-47.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-47.fc19'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-9565/selinux-policy-3.12.1-47.fc19
then log in and leave karma (feedback).

selinux-policy-3.12.1-47.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.