Bug 1259180 - SELinux is preventing NetworkManager from 'create' accesses on the netlink_generic_socket Unknown.
SELinux is preventing NetworkManager from 'create' accesses on the netlink_ge...
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
x86_64 Unspecified
high Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:853b9802c618ebe9a66e73f6bcd...
:
: 1259181 1259183 1259184 1259932 1260010 1260437 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-02 03:08 EDT by Nicolas Mailhot
Modified: 2015-09-25 08:43 EDT (History)
11 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-147.fc24
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-09-11 05:57:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Nicolas Mailhot 2015-09-02 03:08:24 EDT
Description of problem:
on boot, after relabel (permissive mode was then required to make network work)

See also teaming driver
SELinux is preventing NetworkManager from 'create' accesses on the netlink_generic_socket Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If vous pensez que NetworkManager devrait être autorisé à accéder create sur Unknown netlink_generic_socket par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:system_r:NetworkManager_t:s0
Target Objects                Unknown [ netlink_generic_socket ]
Source                        NetworkManager
Source Path                   NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-146.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.2.0-1.fc24.x86_64 #1 SMP Mon Aug
                              31 15:58:25 UTC 2015 x86_64 x86_64
Alert Count                   47
First Seen                    2015-09-02 08:50:28 CEST
Last Seen                     2015-09-02 09:02:23 CEST
Local ID                      b77fa810-56a9-44a2-9659-1e3357857bb4

Raw Audit Messages
type=AVC msg=audit(1441177343.657:1103): avc:  denied  { create } for  pid=4412 comm="teamd" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=netlink_generic_socket permissive=1


Hash: NetworkManager,NetworkManager_t,NetworkManager_t,netlink_generic_socket,create

Version-Release number of selected component:
selinux-policy-3.13.1-146.fc24.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.0-1.fc24.x86_64
type:           libreport
Comment 1 Miroslav Grepl 2015-09-11 05:35:15 EDT
*** Bug 1259181 has been marked as a duplicate of this bug. ***
Comment 2 Miroslav Grepl 2015-09-11 05:35:19 EDT
*** Bug 1259183 has been marked as a duplicate of this bug. ***
Comment 3 Miroslav Grepl 2015-09-11 05:35:22 EDT
*** Bug 1259184 has been marked as a duplicate of this bug. ***
Comment 5 Miroslav Grepl 2015-09-11 05:57:27 EDT
https://github.com/fedora-selinux/selinux-policy

commit 724896379c28e4b0f76a715baccc7c1d5318a04b
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Fri Sep 11 11:54:10 2015 +0200

    Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together. BZ(#1259180)
Comment 6 Miroslav Grepl 2015-09-11 06:31:44 EDT
*** Bug 1259932 has been marked as a duplicate of this bug. ***
Comment 7 Miroslav Grepl 2015-09-11 06:34:32 EDT
*** Bug 1260010 has been marked as a duplicate of this bug. ***
Comment 8 Miroslav Grepl 2015-09-11 08:19:26 EDT
*** Bug 1260437 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.