Hide Forgot
Description of problem: I hit another bug while working on bug #1035258. Following avc denial appears while running the reproducer in the original bug, type=AVC msg=audit(1385977663.951:92): avc: denied { connectto } for pid=783 comm="NetworkManager" path="/run/teamd/team0.sock" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1385977663.951:92): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=7fff482df590 a2=1b a3=7fff482df340 items=0 ppid=1 pid=783 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null) I tried to build a policy to allow the syscall using audit2allow, echo "type=AVC msg=#udit(1385977663.951:92): avc: denied { connectto } for pid=783 comm="NetworkManager" path="/run/teamd/team0.sock" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=unix_stream_socket" | audit2allow -m teampolicy module teampolicy 1.0; require { type NetworkManager_t; class unix_stream_socket connectto; } #============= NetworkManager_t ============== #!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode' allow NetworkManager_t self:unix_stream_socket connectto; So instead of loading the policy I turned on the suggested boolean and it resolves the issue. However I'm not sure that this should be the solution since the boolean is probably intended for different purpose according to it's name. Version-Release number of selected component (if applicable): # rpm -qa selinux-policy\* selinux-policy-targeted-3.12.1-103.el7.noarch selinux-policy-3.12.1-103.el7.noarch How reproducible: Everytime using the reproducer in bug #1035258 Steps to Reproduce: See bug #1035258 Actual results: AVC denial Expected results: No AVC denial Additional info:
To reproduce this it's sufficient to run following command: # nmcli c add type team
Thanks for the reproducer.
Added to Fedora. commit 0fa7c84ffc7f787024a6b001550c1a0ae79d379f Author: Miroslav Grepl <mgrepl> Date: Tue Dec 3 11:06:57 2013 +0100 Add connectto perm for NM unix stream socket
Is there teamd service?
From what I see on my machine the team daemon is executed via DBus. # rpm -ql teamd | grep service /usr/lib/systemd/system/teamd@.service # rpm -ql teamd | grep dbus /etc/dbus-1/system.d/teamd.conf #
commit 2d0400ad6a1e7d94ad8d02c61b9aa1c7e8b53ab9 Author: Miroslav Grepl <mgrepl> Date: Mon Dec 9 13:15:15 2013 +0100 Add SELinux support for the teamd package contains team network device control daemon.
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.