Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1036521

Summary: selinux denial while using nm dbus api for team device configuration
Product: Red Hat Enterprise Linux 7 Reporter: Jan Tluka <jtluka>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0CC: mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.12.1-109.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 09:26:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Tluka 2013-12-02 09:01:49 UTC 
Description of problem:

I hit another bug while working on bug #1035258. Following avc denial appears while running the reproducer in the original bug,

type=AVC msg=audit(1385977663.951:92): avc:  denied  { connectto } for  pid=783 comm="NetworkManager" path="/run/teamd/team0.sock" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1385977663.951:92): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=7fff482df590 a2=1b a3=7fff482df340 items=0 ppid=1 pid=783 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

I tried to build a policy to allow the syscall using audit2allow,

echo "type=AVC msg=#udit(1385977663.951:92): avc:  denied  { connectto } for  pid=783 comm="NetworkManager" path="/run/teamd/team0.sock" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=unix_stream_socket" | audit2allow -m teampolicy

module teampolicy 1.0;

require {
	type NetworkManager_t;
	class unix_stream_socket connectto;
}

#============= NetworkManager_t ==============

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow NetworkManager_t self:unix_stream_socket connectto;

So instead of loading the policy I turned on the suggested boolean and it resolves the issue. However I'm not sure that this should be the solution since the boolean is probably intended for different purpose according to it's name.

Version-Release number of selected component (if applicable):

# rpm -qa selinux-policy\*
selinux-policy-targeted-3.12.1-103.el7.noarch
selinux-policy-3.12.1-103.el7.noarch

How reproducible:

Everytime using the reproducer in bug #1035258

Steps to Reproduce:

See bug #1035258

Actual results:
AVC denial

Expected results:
No AVC denial

Additional info:
Comment 1 Jan Tluka 2013-12-02 09:44:47 UTC 
To reproduce this it's sufficient to run following command:

# nmcli c add type team
Comment 2 Milos Malik 2013-12-02 13:08:10 UTC 
Thanks for the reproducer.
Comment 3 Miroslav Grepl 2013-12-03 10:07:20 UTC 
Added to Fedora.

commit 0fa7c84ffc7f787024a6b001550c1a0ae79d379f
Author: Miroslav Grepl <mgrepl>
Date:   Tue Dec 3 11:06:57 2013 +0100

    Add connectto perm for NM unix stream socket
Comment 5 Miroslav Grepl 2013-12-06 12:44:23 UTC 
Is there teamd service?
Comment 6 Milos Malik 2013-12-06 12:51:42 UTC 
From what I see on my machine the team daemon is executed via DBus.

# rpm -ql teamd | grep service
/usr/lib/systemd/system/teamd@.service
# rpm -ql teamd | grep dbus
/etc/dbus-1/system.d/teamd.conf
#
Comment 7 Miroslav Grepl 2013-12-09 12:15:47 UTC 
commit 2d0400ad6a1e7d94ad8d02c61b9aa1c7e8b53ab9
Author: Miroslav Grepl <mgrepl>
Date:   Mon Dec 9 13:15:15 2013 +0100

    Add SELinux support for the teamd package contains team network device control daemon.
Comment 9 Ludek Smid 2014-06-13 09:26:19 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.