Bug 1236063 - SELinux is preventing NetworkManager from 'read' accesses on the lnk_file 10-ifcfg-rh-routes.sh.
Summary: SELinux is preventing NetworkManager from 'read' accesses on the lnk_file 10-...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:ade328d50e33078f1b1cae27fae...
: 1332431 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-06-26 12:59 UTC by eman
Modified: 2016-05-04 09:40 UTC (History)
22 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-10-06 13:47:42 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description eman 2015-06-26 12:59:48 UTC 
Description of problem:
SELinux is preventing NetworkManager from 'read' accesses on the lnk_file 10-ifcfg-rh-routes.sh.

*****  Plugin catchall (100. confidence) suggests   **************************

If aby NetworkManager powinno mieć domyślnie read dostęp do 10-ifcfg-rh-routes.sh lnk_file.
Then proszę to zgłosić jako błąd.
Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
Do
można tymczasowo zezwolić na ten dostęp wykonując polecenia:
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mojapolityka
# semodule -i mojapolityka.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:NetworkManager_initrc_exec_t:s0
Target Objects                10-ifcfg-rh-routes.sh [ lnk_file ]
Source                        NetworkManager
Source Path                   NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-122.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.0.4-301.fc22.x86_64 #1 SMP Thu
                              May 21 13:10:33 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-06-26 14:53:17 CEST
Last Seen                     2015-06-26 14:53:17 CEST
Local ID                      8080bf14-bacf-4afc-bcec-6863565f7258

Raw Audit Messages
type=AVC msg=audit(1435323197.814:751): avc:  denied  { read } for  pid=930 comm="NetworkManager" name="10-ifcfg-rh-routes.sh" dev="dm-0" ino=1444431 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_initrc_exec_t:s0 tclass=lnk_file permissive=0


Hash: NetworkManager,NetworkManager_t,NetworkManager_initrc_exec_t,lnk_file,read

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport
Comment 1 Adam Williamson 2015-06-27 17:26:35 UTC 
Description of problem:
Happened during a system update (run with dnf).

Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch
selinux-policy-3.13.1-128.2.fc22.noarch

Additional info:
reporter:       libreport-2.6.0
hashmarkername: setroubleshoot
kernel:         4.0.4-303.fc22.x86_64
type:           libreport
Comment 2 Ervin 2015-10-01 07:36:58 UTC 
Description of problem:
This problem happened during an update of the entire system using yumex. 
Suddenly selinux noticed a problem. 
It should be just a missconfiguration or missinterpretation of the update to the network manager. 
I don't think selinux will consider network manager as a threat after a restart. 

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch
selinux-policy-3.13.1-128.13.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport
Comment 3 Sergio Marquez 2015-10-05 20:47:10 UTC 
Description of problem:
Al actualizar mediante dnf update salio el error en el administrador de redes.

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport
Comment 4 Lukas Vrabec 2015-10-06 13:47:42 UTC 
$ rpm -q selinux-policy
selinux-policy-3.13.1-128.16.fc22.noarch

$ audit2allow -i avc 


#============= NetworkManager_t ==============

#!!!! This avc is allowed in the current policy
allow NetworkManager_t NetworkManager_initrc_exec_t:lnk_file read;


This is fixed in F22 actual selinux-policy package version. Please, update your selinux-policy and selinux-policy-targeted package. 

Thank you.
Comment 5 ajitbakre 2015-10-07 05:16:48 UTC 
Description of problem:
1. How did the problem happened??
During the execution of  the command dnf update, this happened.
2. How can it be reproduced?
After installation of Fedora 22, and after installing Variety wall paper changer, also I installed gcc compiler, code blocks and oracle jdk 8 earlier day.

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport
Comment 6 arturpolak1 2015-10-14 23:59:49 UTC 
Description of problem:
Error occured afrer selinux-policy upgrade from fresh fedora 22 install

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport
Comment 7 Trevor Clark 2015-10-17 04:45:01 UTC 
Description of problem:
Updateing from a clean install of f22

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport
Comment 8 Strahil Nikolov 2015-10-18 14:01:18 UTC 
It also happened to me .
how to reproduce:
Install Fedora 22.3 Workstation x86_64 iso.
Use : "dnf update -y"

Symptoms: NetoworkManager claims connected with "?" inside the icon.
How to resolve temporarily: 
Use "su -" , then "touch /.autorelabel && reboot".
Wait for the autorelabel to finish and then boot. Could happen again.
No meaningful message in /var/log/audit/ .
Comment 9 Vladislav Khromov 2015-10-20 18:50:38 UTC 
Description of problem:
It occurred during a system upgrade.

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.3-200.fc22.x86_64
type:           libreport
Comment 10 Amir 2015-10-22 11:53:44 UTC 
Description of problem:
I was trying to connecto to a vpn.

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport
Comment 11 Rodrigo Emygdio 2015-10-31 02:18:56 UTC 
Description of problem:
The syste was auto update and then the problem happened

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch
selinux-policy-3.13.1-128.18.fc22.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport
Comment 12 Rick 2015-10-31 17:16:55 UTC 
Description of problem:
fresh install | open terminal | sudo -i | dnf update

Warning popped up, package included in update must be malformed or not configured properly.

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch
selinux-policy-3.13.1-128.18.fc22.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport
Comment 13 Jeff 2015-11-04 12:45:48 UTC 
Description of problem:
Occurred during upgrade from Fedora 22 to Fedora 23 during command "dnf upgrade".  I had Skype and Chrome running at the time.

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport
Comment 14 lesferayoub 2015-11-05 14:09:31 UTC 
Description of problem:
This happened when executinf dnf update

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch
selinux-policy-3.13.1-128.18.fc22.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport
Comment 15 Lukas Vrabec 2016-05-04 09:14:15 UTC 
*** Bug 1332431 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.