Bug 1212498 - AVC denials for NetworkManager
Summary: AVC denials for NetworkManager
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Stefan Kremen
URL:
Whiteboard:
Duplicates: 1238438
Depends On:
Blocks: 1235549
Reported: 2015-04-16 13:57 UTC by Lubomir Rintel
Modified: 2019-04-29 09:18 UTC (History)

Fixed In Version: selinux-policy-3.13.1-33.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1235549 (view as bug list)
Environment:
Last Closed: 2015-11-19 10:31:52 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2015:2300 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix update, last updated 2015-11-19 09:55:26 UTC

Description Lubomir Rintel 2015-04-16 13:57:02 UTC
See:
https://github.com/fedora-selinux/selinux-policy/pull/15

Comment 2 Miroslav Grepl 2015-04-22 08:15:25 UTC
We need to see AVC msgs for these rules.

Comment 3 Lubomir Rintel 2015-04-22 10:34:19 UTC
type=AVC msg=audit(1429698245.562:534): avc:  denied  { read } for  pid=12328 comm="nm-dispatcher" name="10-ifcfg-rh-routes.sh" dev="dm-0" ino=174925 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_initrc_exec_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1429190851.316:343): avc:  denied  { open } for  pid=8091 comm="NetworkManager" path="/dev/rfcomm0" dev="devtmpfs" ino=73406 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1429286211.282:966): avc:  denied  { write } for  pid=29373 comm="NetworkManager" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1

Comment 4 Miroslav Grepl 2015-05-05 09:24:13 UTC
Any chance to get SYSCALL part of AVC for

type=AVC msg=audit(1429286211.282:966): avc:  denied  { write } for  pid=29373 comm="NetworkManager" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1

?

Comment 5 Lubomir Rintel 2015-05-05 11:14:30 UTC
It's this:

src/platform/nm-linux-platform.c:       if (access ("/sys", W_OK) == 0)

Comment 6 Jirka Klimes 2015-06-10 11:46:38 UTC
Miroslav, would you allow these? Or are they already fixed in a recent version?

time->Wed Jun 10 07:38:42 2015
type=SYSCALL msg=audit(1433936322.549:4929): arch=c000003e syscall=4 success=no exit=-13 a0=7ffe39aa5450 a1=7fffa6bae0b0 a2=7fffa6bae0b0 a3=0 items=0 ppid=1 pid=19151 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-dispatcher" exe="/usr/libexec/nm-dispatcher" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1433936322.549:4929): avc:  denied  { read } for  pid=19151 comm="nm-dispatcher" name="10-ifcfg-rh-routes.sh" dev="dm-0" ino=34395156 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_initrc_exec_t:s0 tclass=lnk_file
----
time->Wed Jun 10 07:38:42 2015
type=SYSCALL msg=audit(1433936322.568:4930): arch=c000003e syscall=88 success=no exit=-13 a0=7f5c424fc620 a1=7f5c424fc6c8 a2=7f5c3e7787b8 a3=1 items=0 ppid=1 pid=7825 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1433936322.568:4930): avc:  denied  { create } for  pid=7825 comm="NetworkManager" name=".resolv.conf.NetworkManager" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
----
time->Wed Jun 10 07:38:46 2015
type=SYSCALL msg=audit(1433936326.993:4931): arch=c000003e syscall=88 success=no exit=-13 a0=7f5c424fc620 a1=7f5c424fc6c8 a2=7f5c3e7787b8 a3=84 items=0 ppid=1 pid=7825 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1433936326.993:4931): avc:  denied  { create } for  pid=7825 comm="NetworkManager" name=".resolv.conf.NetworkManager" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
----
time->Wed Jun 10 07:38:49 2015
type=SYSCALL msg=audit(1433936329.308:4932): arch=c000003e syscall=4 success=no exit=-13 a0=7ffe39aa3ad0 a1=7fffa6bae0b0 a2=7fffa6bae0b0 a3=0 items=0 ppid=1 pid=19151 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-dispatcher" exe="/usr/libexec/nm-dispatcher" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1433936329.308:4932): avc:  denied  { read } for  pid=19151 comm="nm-dispatcher" name="10-ifcfg-rh-routes.sh" dev="dm-0" ino=34395156 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_initrc_exec_t:s0 tclass=lnk_file
----
time->Wed Jun 10 07:38:49 2015
type=SYSCALL msg=audit(1433936329.328:4933): arch=c000003e syscall=88 success=no exit=-13 a0=7f5c424fc620 a1=7f5c424fc6c8 a2=7f5c3e7787b8 a3=1 items=0 ppid=1 pid=7825 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1433936329.328:4933): avc:  denied  { create } for  pid=7825 comm="NetworkManager" name=".resolv.conf.NetworkManager" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
----
time->Wed Jun 10 07:38:57 2015
type=SYSCALL msg=audit(1433936337.289:4939): arch=c000003e syscall=88 success=no exit=-13 a0=7f5c424fc620 a1=7f5c424fc6c8 a2=7f5c3e7787b8 a3=84 items=0 ppid=1 pid=7825 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1433936337.289:4939): avc:  denied  { create } for  pid=7825 comm="NetworkManager" name=".resolv.conf.NetworkManager" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file

Comment 7 Milos Malik 2015-06-10 13:14:08 UTC
The AVCs are not yet fixed in the latest selinux-policy (3.13.1-25.el7).

Comment 9 Lubomir Rintel 2015-06-17 16:01:41 UTC
Not working.

type=AVC msg=audit(1434556383.518:1240): avc:  denied  { write } for  pid=29681 comm="NetworkManager" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

Comment 10 Milos Malik 2015-06-29 14:20:26 UTC
Caught in enforcing mode:
----
type=PATH msg=audit(06/29/2015 16:05:20.327:36) : item=0 name=/sys inode=1 dev=00:10 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 objtype=NORMAL 
type=CWD msg=audit(06/29/2015 16:05:20.327:36) :  cwd=/ 
type=SYSCALL msg=audit(06/29/2015 16:05:20.327:36) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x7ff605c8e3cb a1=W_OK a2=0x28 a3=0x3 items=1 ppid=1 pid=543 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null) 
type=AVC msg=audit(06/29/2015 16:05:20.327:36) : avc:  denied  { write } for  pid=543 comm=NetworkManager name=/ dev="sysfs" ino=1 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir 
----

Comment 11 Milos Malik 2015-06-29 14:22:32 UTC
Caught in permissive mode:
----
type=PATH msg=audit(06/29/2015 16:20:45.397:163) : item=0 name=/sys inode=1 dev=00:10 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 objtype=NORMAL 
type=CWD msg=audit(06/29/2015 16:20:45.397:163) :  cwd=/ 
type=SYSCALL msg=audit(06/29/2015 16:20:45.397:163) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7f6eecfd23cb a1=W_OK a2=0x28 a3=0x3 items=1 ppid=1 pid=3046 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null) 
type=AVC msg=audit(06/29/2015 16:20:45.397:163) : avc:  denied  { write } for  pid=3046 comm=NetworkManager name=/ dev="sysfs" ino=1 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir 
----

Comment 12 Miroslav Grepl 2015-07-01 08:10:08 UTC
Lukas,
please backport the changes from Fedora.

Comment 13 Jan Hutař 2015-07-02 05:12:12 UTC
*** Bug 1238438 has been marked as a duplicate of this bug. ***

Comment 14 Lubomir Rintel 2015-07-02 07:21:16 UTC
Are you positive this is actually fixed in Fedora?

We're still getting reports about it being broken in Fedora 22 with updates-testing.

(The Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=1235549)

Comment 15 Lukas Vrabec 2015-07-02 10:47:48 UTC
Hi, 

The related fix is in this selinux-policy package: https://admin.fedoraproject.org/updates/FEDORA-2015-10974/selinux-policy-3.13.1-128.4.fc22?_csrf_token=40daf623761e29676970fe05ae0579f25223e1af

I also added the fix to rhel7.2:

commit 3b7c5f6a75dea3f7216c51470108aff7089b80f1
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jun 23 16:55:11 2015 +0200

    Allow NetworkManager write to sysfs. BZ(1234086)

Comment 16 Lubomir Rintel 2015-07-03 07:43:49 UTC
Thanks, I can confirm the fix works now.

With selinux-policy-3.13.1-30.el7 we could now resume testing with SELinux enabled and got no denials.

Comment 18 Lubomir Rintel 2015-07-10 13:13:58 UTC
The RFCOMM connections still don't work.

I get no denials now, but still get permission denied when opening /dev/rfcomm0. With setenforce 0 the RFCOMM connections do work.

Comment 19 Lubomir Rintel 2015-07-11 10:02:12 UTC
Seems like the open(O_RDONLY) of the rfcomm port needs read too. It got dontaudited somehow:

type=AVC msg=audit(1436545757.028:431): avc:  denied  { read } for  pid=628 comm="NetworkManager" name="rfcomm0" dev="devtmpfs" ino=43155 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
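
The records above show why comments 10, 11 and 19 differ: the same AVC is logged in enforcing and permissive mode, and only the paired SYSCALL record (success=no, exit=-13 vs success=yes) or a permissive=1 field tells you whether the access was actually blocked. The following is an added example, not code from the bug thread or from NetworkManager or selinux-policy: it pairs AVC and SYSCALL records by audit serial, classifies each denial, and collapses the denials into the minimal allow rules (the same shape as the fixes in comments 15 and 21). The sample log is constructed, condensed from the records quoted in comments 3, 10, 11 and 19.

```python
import re
from collections import defaultdict
# Constructed sample, condensed from the records quoted in comments 3, 10, 11 and 19.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(06/29/2015 16:05:20.327:36) : syscall=access success=no exit=-13(Permission denied) a1=W_OK comm=NetworkManager
type=AVC msg=audit(06/29/2015 16:05:20.327:36) : avc:  denied  { write } for  pid=543 comm=NetworkManager name=/ scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=SYSCALL msg=audit(06/29/2015 16:20:45.397:163) : syscall=access success=yes exit=0 a1=W_OK comm=NetworkManager
type=AVC msg=audit(06/29/2015 16:20:45.397:163) : avc:  denied  { write } for  pid=3046 comm=NetworkManager name=/ scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1429190851.316:343): avc:  denied  { open } for  pid=8091 comm="NetworkManager" path="/dev/rfcomm0" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1436545757.028:431): avc:  denied  { read } for  pid=628 comm="NetworkManager" name="rfcomm0" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
"""
SERIAL_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")
AVC_RE = re.compile(r"denied\s+\{ (?P<perms>[^}]+)\} .*?scontext=(?P<scontext>\S+)"
                    r" tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)")
SYSCALL_RE = re.compile(r"syscall=(\S+) success=(\w+)")

def parse_events(log):
    """Group records by audit serial so each AVC can be paired with its SYSCALL."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in log.splitlines():
        serial = SERIAL_RE.search(line)
        if not serial:
            continue
        ev = events[serial.group(1)]
        if line.startswith("type=AVC") and (m := AVC_RE.search(line)):
            d = m.groupdict()
            d["perms"] = set(d["perms"].split())
            d["permissive_flag"] = "permissive=1" in line
            ev["avc"].append(d)
        elif line.startswith("type=SYSCALL") and (m := SYSCALL_RE.search(line)):
            ev["syscall"] = {"name": m.group(1), "success": m.group(2) == "yes"}
    return dict(events)

def outcome(ev):
    """Was the denied access really blocked (enforcing) or only logged (permissive)?"""
    if ev["syscall"] is not None:            # paired SYSCALL record is authoritative
        return "permissive" if ev["syscall"]["success"] else "blocked"
    if any(a["permissive_flag"] for a in ev["avc"]):
        return "permissive"
    return "undetermined"                     # lone AVC without a permissive= field

def allow_rules(events):
    """Collapse denials into one allow rule per (source type, target type, class)."""
    perms = defaultdict(set)
    for ev in events.values():
        for a in ev["avc"]:
            src, tgt = a["scontext"].split(":")[2], a["tcontext"].split(":")[2]
            perms[(src, tgt, a["tclass"])] |= a["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(perms.items())]
```

Note that the comment 19 record (serial 431) comes out as "undetermined": a raw AVC with no SYSCALL record and no permissive= field does not by itself say which mode the box was in, which is why the SYSCALL part was asked for in comment 4.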

Comment 21 Lukas Vrabec 2015-07-14 13:36:48 UTC
commit 5f3f6b6e91ec527b2b4b157d2aa04ff92cc740b1
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jul 14 15:34:28 2015 +0200

    Allow networkmanager read rfcomm port.

Comment 25 errata-xmlrpc 2015-11-19 10:31:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

