From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050921 Red Hat/1.0.7-1.4.1 Firefox/1.0.7

Description of problem:
After updating RHEL4 to U2 NetworkManagerInfo cannot start up anymore and prevents establishing a network connection. NetworkManager is running successfully.

/var/log/messages shows when starting NetworkManagerInfo as normal user:

Oct 6 17:49:21 localhost NetworkManagerInfo: NetworkManagerInfo could not get the system bus. Make sure the message bus daemon is running?
Oct 6 17:49:22 localhost dbus: Can't send to audit system: USER_AVC pid=2465 uid=81 loginuid=-1 message=avc: denied { send_msg } for scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:initrc_t tclass=dbus

Of course dbus is running:

dbus 2465 1 0 17:48 ? 00:00:00 dbus-daemon-1 --system

Also nscd has issues after starting NetworkManager as seen in /var/log/audit/audit.log

type=AVC msg=audit(1128635668.602:41): avc: denied { create } for pid=3481 comm="nscd" scontext=root:system_r:nscd_t tcontext=root:system_r:nscd_t tclass=netlink_audit_socket
type=SYSCALL msg=audit(1128635668.602:41): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfe1b070 a2=9bf2d0 a3=8d60a50 items=0 pid=3481 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="nscd" exe="/usr/sbin/nscd"

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.110
dbus-0.22-12.EL.5

How reproducible:
Always

Steps to Reproduce:
1. Update RHEL4 to U2
2. Reboot (relabel doesn't help either)
3. Start NetworkManager and then NetworkManagerInfo

Actual Results:
NetworkManagerInfo never starts successfully probably because it can't talk to the system bus hence no net connection can be established.

Expected Results:
NetworkManagerInfo should come up fine and be able to talk to the system bus.

Additional info:
Setting SELinux to permissive mode works fine so I guess it is a policy issue?
Please try the policy in ftp://people.redhat.com/dwalsh/SELinux/RHEL4/u3 Should be fixed in selinux-policy-targeted-1.17.30-2.113
That updated policy fixes the NetworkManager issue. Thanks, Dan. NetworkManager/NetworkManagerInfo now work fine after installing selinux-policy-targeted-1.17.30-2.113. No error messages seen anymore in /var/log/messages.

BTW an empty /etc/resolv.conf has correct entries after rebooting or restarting NetworkManager (and hence nscd) but /var/log/audit/audit.log still shows:

type=AVC msg=audit(1128641390.740:33): avc: denied { read } for pid=3268 comm="nscd" name="resolv.conf" dev=dm-0 ino=672619 scontext=root:system_r:nscd_t tcontext=root:object_r:etc_runtime_t tclass=file
type=SYSCALL msg=audit(1128641390.740:33): arch=40000003 syscall=5 success=no exit=-13 a0=acfc2c a1=0 a2=1b6 a3=acfc2c items=1 pid=3268 auid=4294967295 uid=28 gid=28 euid=28 suid=28 fsuid=28 egid=28 sgid=28 fsgid=28 comm="nscd" exe="/usr/sbin/nscd"
type=CWD msg=audit(1128641390.740:33): cwd="/"
type=PATH msg=audit(1128641390.740:33): name="/etc/resolv.conf" flags=101 inode=672619 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
This means that somehow the /etc/resolv.conf got created incorrectly. restorecon /etc/resolv.conf will change the context to net_conf_t, which is what it should be. Any idea how this file got created?
Yeah, I tried restorecon /etc/resolv.conf before. Again, I just stopped NetworkManager (and nscd), removed /etc/resolv.conf and restarted NetworkManager. In /var/log/audit/audit.log it still appears what is pasted below. Using strace says that NetworkManager creates /etc/resolv.conf - as expected I assume. It eventually works though.

type=AVC msg=audit(1128990758.811:19): avc: denied { read } for pid=3160 comm="nscd" name="resolv.conf" dev=dm-0 ino=672076 scontext=root:system_r:nscd_t tcontext=root:object_r:etc_runtime_t tclass=file
type=SYSCALL msg=audit(1128990758.811:19): arch=40000003 syscall=5 success=yes exit=15 a0=a14c2c a1=0 a2=1b6 a3=a14c2c items=1 pid=3160 auid=4294967295 uid=28 gid=28 euid=28 suid=28 fsuid=28 egid=28 sgid=28 fsgid=28 comm="nscd" exe="/usr/sbin/nscd"
type=CWD msg=audit(1128990758.811:19): cwd="/"
type=PATH msg=audit(1128990758.811:19): name="/etc/resolv.conf" flags=101 inode=672076 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1128990758.812:20): avc: denied { getattr } for pid=3160 comm="nscd" name="resolv.conf" dev=dm-0 ino=672076 scontext=root:system_r:nscd_t tcontext=root:object_r:etc_runtime_t tclass=file
type=SYSCALL msg=audit(1128990758.812:20): arch=40000003 syscall=197 success=yes exit=0 a0=f a1=b734bb2c a2=a1eff4 a3=9ac8cd0 items=0 pid=3160 auid=4294967295 uid=28 gid=28 euid=28 suid=28 fsuid=28 egid=28 sgid=28 fsgid=28 comm="nscd" exe="/usr/sbin/nscd"
type=AVC_PATH msg=audit(1128990758.812:20): path="/etc/resolv.conf"
Ok, updated policy to allow this. 1.17.30-2.114
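
For triaging audit.log excerpts like the ones quoted in the comments above, the following added example (not part of the original report and not Red Hat's tooling) joins each AVC record to the SYSCALL record with the same audit event id, so it is visible whether the access was actually blocked, and collapses the denials into candidate allow rules. The function names `parse_denials` and `allow_rules` are hypothetical.

```python
import re
from collections import defaultdict

# Records copied from the audit.log excerpts quoted in this thread; the SYSCALL
# lines are trimmed to the fields this parser reads.
SAMPLE = """\
type=AVC msg=audit(1128641390.740:33): avc: denied { read } for pid=3268 comm="nscd" name="resolv.conf" dev=dm-0 ino=672619 scontext=root:system_r:nscd_t tcontext=root:object_r:etc_runtime_t tclass=file
type=SYSCALL msg=audit(1128641390.740:33): arch=40000003 syscall=5 success=no exit=-13 comm="nscd" exe="/usr/sbin/nscd"
type=AVC msg=audit(1128990758.812:20): avc: denied { getattr } for pid=3160 comm="nscd" name="resolv.conf" dev=dm-0 ino=672076 scontext=root:system_r:nscd_t tcontext=root:object_r:etc_runtime_t tclass=file
type=SYSCALL msg=audit(1128990758.812:20): arch=40000003 syscall=197 success=yes exit=0 comm="nscd" exe="/usr/sbin/nscd"
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)")
AVC = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}.*\sscontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
SUCCESS = re.compile(r"\bsuccess=(yes|no)\b")

def parse_denials(log):
    """Join AVC and SYSCALL records that share an audit event id."""
    avcs, outcome = [], {}
    for line in log.splitlines():
        head = HEADER.match(line.strip())
        if not head:
            continue
        rtype, event, body = head.groups()
        if rtype == "AVC" and (m := AVC.search(body)):
            perms, scon, tcon, tclass = m.groups()
            # Contexts here are user:role:type; keep only the type field.
            avcs.append({"event": event, "perms": perms.split(),
                         "source": scon.split(":")[2], "target": tcon.split(":")[2],
                         "tclass": tclass})
        elif rtype == "SYSCALL" and (m := SUCCESS.search(body)):
            outcome[event] = m.group(1)
    for d in avcs:
        # success=no: the call was blocked; success=yes: it went through despite
        # the logged denial (as in permissive mode); None: no SYSCALL record seen.
        d["blocked"] = {"no": True, "yes": False}.get(outcome.get(d["event"]))
    return avcs

def allow_rules(denials):
    """Collapse denials into one candidate rule per (source, target, class)."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    print("\n".join(allow_rules(parse_denials(SAMPLE))))
```

A target type such as etc_runtime_t on /etc/resolv.conf is also a cue to check the file's label before widening policy, as the earlier comment about restorecon points out.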
Thanks, looks fine here now.
*** Bug 169999 has been marked as a duplicate of this bug. ***
*** Bug 170854 has been marked as a duplicate of this bug. ***
Here too, updated to this version now, because nscd suddenly began crashing again (probably the reason: restart of postfix-2.2.8 using LDAP).
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2006-0049.html