Bug 1040631 - restart of NetworkManager service produces AVC
Summary: restart of NetworkManager service produces AVC
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-12-11 18:13 UTC by Milos Malik
Modified: 2014-12-08 09:51 UTC (History)
0 users

Fixed In Version: selinux-policy-3.12.1-110.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 12:56:32 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Milos Malik 2013-12-11 18:13:34 UTC
Maybe the problem is anomalous label of the directory:
# matchpathcon /etc/NetworkManager/dispatcher.d/
/etc/NetworkManager/dispatcher.d	system_u:object_r:NetworkManager_initrc_exec_t:s0
#

Version-Release number of selected component (if applicable):
NetworkManager-0.9.9.0-27.git20131108.el7.x86_64
NetworkManager-glib-0.9.9.0-27.git20131108.el7.x86_64
selinux-policy-3.12.1-109.el7.noarch
selinux-policy-targeted-3.12.1-109.el7.noarch

How reproducible:
always

Steps to Reproduce:
# service NetworkManager restart
# ausearch -m avc -i -ts recent

Actual results:
----
type=PATH msg=audit(12/11/2013 12:53:59.308:433) : item=0 name=/etc/NetworkManager/dispatcher.d inode=864877 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:NetworkManager_initrc_exec_t:s0 objtype=NORMAL 
type=CWD msg=audit(12/11/2013 12:53:59.308:433) :  cwd=/ 
type=SYSCALL msg=audit(12/11/2013 12:53:59.308:433) : arch=x86_64 syscall=openat success=no exit=-13(Permission denied) a0=0xffffffffffffff9c a1=0x7fb9bc5f5b78 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=12504 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=nm-dispatcher.a exe=/usr/libexec/nm-dispatcher.action subj=system_u:system_r:NetworkManager_t:s0 key=(null) 
type=AVC msg=audit(12/11/2013 12:53:59.308:433) : avc:  denied  { read } for  pid=12504 comm=nm-dispatcher.a name=dispatcher.d dev="dm-1" ino=864877 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_initrc_exec_t:s0 tclass=dir 
----

Expected results:
 * no AVCs

Comment 1 Miroslav Grepl 2013-12-11 21:49:21 UTC
This is because of the latest SELinux NM change for nm-dispatcher.a.

Milos,
are you getting more AVC related to this change?

Comment 2 Milos Malik 2013-12-12 06:45:05 UTC
These AVCs appeared in permissive mode, but nothing more:
----
type=PATH msg=audit(12/12/2013 07:43:41.477:518) : item=0 name=/etc/NetworkManager/dispatcher.d inode=8735489 dev=fd:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:NetworkManager_initrc_exec_t:s0 objtype=NORMAL 
type=CWD msg=audit(12/12/2013 07:43:41.477:518) :  cwd=/ 
type=SYSCALL msg=audit(12/12/2013 07:43:41.477:518) : arch=x86_64 syscall=openat success=yes exit=5 a0=0xffffffffffffff9c a1=0x7f23800ddb78 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=2380 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=nm-dispatcher.a exe=/usr/libexec/nm-dispatcher.action subj=system_u:system_r:NetworkManager_t:s0 key=(null) 
type=AVC msg=audit(12/12/2013 07:43:41.477:518) : avc:  denied  { open } for  pid=2380 comm=nm-dispatcher.a path=/etc/NetworkManager/dispatcher.d dev="vda3" ino=8735489 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_initrc_exec_t:s0 tclass=dir 
type=AVC msg=audit(12/12/2013 07:43:41.477:518) : avc:  denied  { read } for  pid=2380 comm=nm-dispatcher.a name=dispatcher.d dev="vda3" ino=8735489 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_initrc_exec_t:s0 tclass=dir 
----

Comment 3 Miroslav Grepl 2013-12-12 08:32:38 UTC
I am also getting them.

Comment 5 Ludek Smid 2014-06-13 12:56:32 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.


Note You need to log in before you can comment on or make changes to this bug.