Bug 1817528 - SELinux is preventing nm-vpnc-service from using the 'setsched' accesses on a process.
Summary: SELinux is preventing nm-vpnc-service from using the 'setsched' accesses on a...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 32
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:ebf3a8265c63357cf21475b9d3f...
Duplicates: 1812378 1846811 1850701 1852404
Depends On:
Blocks:
Reported: 2020-03-26 14:13 UTC by Dawid Zamirski
Modified: 2020-07-24 12:21 UTC (History)

Fixed In Version: selinux-policy-3.14.5-41.fc32 selinux-policy-3.14.5-42.fc32
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-11 01:09:13 UTC
Type: ---
Embargoed:



Description Dawid Zamirski 2020-03-26 14:13:20 UTC
Description of problem:
SELinux is preventing nm-vpnc-service from using the 'setsched' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that nm-vpnc-service should be allowed setsched access on processes labeled vpnc_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nm-vpnc-service' --raw | audit2allow -M my-nmvpncservice
# semodule -X 300 -i my-nmvpncservice.pp

Additional Information:
Source Context                system_u:system_r:vpnc_t:s0
Target Context                system_u:system_r:vpnc_t:s0
Target Objects                Unknown [ process ]
Source                        nm-vpnc-service
Source Path                   nm-vpnc-service
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-3.14.5-31.fc32.noarch
Local Policy RPM              selinux-policy-targeted-3.14.5-31.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.6.0-0.rc7.git0.2.fc32.x86_64 #1
                              SMP Mon Mar 23 18:38:45 UTC 2020 x86_64 x86_64
Alert Count                   4
First Seen                    2020-03-24 13:48:02 EDT
Last Seen                     2020-03-26 10:12:27 EDT
Local ID                      2162882e-b651-4222-a754-e6b581611e3c

Raw Audit Messages
type=AVC msg=audit(1585231947.703:40373): avc:  denied  { setsched } for  pid=45643 comm="nm-vpnc-service" scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:system_r:vpnc_t:s0 tclass=process permissive=0


Hash: nm-vpnc-service,vpnc_t,vpnc_t,process,setsched

Version-Release number of selected component:
selinux-policy-3.14.5-31.fc32.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.12.0
hashmarkername: setroubleshoot
kernel:         5.6.0-0.rc7.git0.2.fc32.x86_64
type:           libreport

Comment 1 Zdenek Pytela 2020-03-26 15:25:48 UTC
Dawid,

Thank you for reporting the issue. Are you aware of any conditions leading to triggering this issue or was it just common usage? Apart from the denial audited, did you also see any functionality issue?

Comment 2 Mikhail 2020-04-15 07:26:32 UTC
> Dawid,
> 
> Thank you for reporting the issue. Are you aware of any conditions leading to triggering this issue or was it just common usage? Apart from the denial audited, did you also see any functionality issue?

I am not Dawid, but in my case it happens when I link up a VPN connection (openconnect) via the Gnome Network Manager.
I didn't see any functionality issue because I switched SELinux into permissive mode.

Comment 3 Dawid Zamirski 2020-04-15 13:56:59 UTC
Hi,

Sorry for the delay in replying. For me, it happens a few seconds after I connect to VPN (vpnc) via Network Manager, but I did not notice any loss of functionality (SELinux in enforcing mode).

Comment 4 Tim Hughes 2020-05-16 16:40:31 UTC
Similar problem has been detected:

just starting a vpnc VPN via the GNOME 3 dropdown

hashmarkername: setroubleshoot
kernel:         5.6.12-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing nm-vpnc-service from using the 'setsched' accesses on a process.
type:           libreport

Comment 5 Tim Hughes 2020-05-16 16:43:05 UTC
I have no functionality issue, just the alert in the selinux troubleshooter

Comment 6 Ivan Ivanov 2020-05-19 17:25:46 UTC
Similar problem has been detected:

This happened after updating to Fedora 32 when I connected to VPN via the Plasma NetworkManager applet.

hashmarkername: setroubleshoot
kernel:         5.6.12-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing nm-vpnc-service from using the 'setsched' accesses on a process.
type:           libreport

Comment 7 egorchel 2020-06-14 17:36:00 UTC
*** Bug 1846811 has been marked as a duplicate of this bug. ***

Comment 8 Zdenek Pytela 2020-06-15 15:19:39 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/268

Comment 9 Zdenek Pytela 2020-06-15 15:19:45 UTC
*** Bug 1812378 has been marked as a duplicate of this bug. ***

Comment 10 Zdenek Pytela 2020-06-16 12:50:37 UTC
commit 38bfb65292cdc51e922ff151ac34db2fb1401cda
Author: Zdenek Pytela <zpytela>
Date:   Mon Jun 15 17:13:49 2020 +0200

    Dontaudit vpnc_t setting its process scheduling
    
    Resolves: rhbz#1817528

Comment 11 Patrick Hurrelmann 2020-06-18 06:38:55 UTC
Similar problem has been detected:

This AVC is triggered each time an openconnect (in this case globalprotect) login is performed.
All seems to work fine despite this AVC.

hashmarkername: setroubleshoot
kernel:         5.6.18-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-40.fc32.noarch
reason:         SELinux is preventing nm-openconnect- from using the 'setsched' accesses on a process.
type:           libreport

Comment 12 accounts 2020-06-23 07:51:55 UTC
Similar problem has been detected:

Started a VPN connection

hashmarkername: setroubleshoot
kernel:         5.6.16-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-40.fc32.noarch
reason:         SELinux is preventing nm-openconnect- from using the 'setsched' accesses on a process.
type:           libreport

Comment 13 Fedora Update System 2020-06-24 11:33:00 UTC
FEDORA-2020-5c374f680a has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-5c374f680a

Comment 14 Klaas Demter 2020-06-24 17:51:25 UTC
The package does not seem to fix the issue for me, I still get a denial:

Additional Information:
Source Context                system_u:system_r:vpnc_t:s0
Target Context                system_u:system_r:vpnc_t:s0
Target Objects                Unknown [ process ]
Source                        nm-vpnc-service
Source Path                   nm-vpnc-service
Port                          <Unknown>
Host                          notebook
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.5-41.fc32.noarch
Local Policy RPM              selinux-policy-targeted-3.14.5-41.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     notebook
Platform                      Linux notebook 5.6.19-300.fc32.x86_64 #1 SMP Wed
                              Jun 17 16:10:48 UTC 2020 x86_64 x86_64
Alert Count                   10
First Seen                    2020-05-25 17:28:41 CEST
Last Seen                     2020-06-24 19:46:32 CEST
Local ID                      027f28f6-4e8d-4486-aa34-8d946eb37349

Raw Audit Messages
type=AVC msg=audit(1593020792.685:292): avc:  denied  { setsched } for  pid=2907 comm="nm-vpnc-service" scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:system_r:vpnc_t:s0 tclass=process permissive=0

Comment 15 Fedora Update System 2020-06-25 01:03:35 UTC
FEDORA-2020-5c374f680a has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-5c374f680a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5c374f680a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 16 undercover_black_hat 2020-06-25 08:19:39 UTC
Similar problem has been detected:

SELinux complains every time when activating the VPN connection to a Palo Alto Networks firewall

hashmarkername: setroubleshoot
kernel:         5.6.19-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-40.fc32.noarch
reason:         SELinux is preventing nm-openconnect- from using the 'setsched' accesses on a process.
type:           libreport

Comment 17 Zdenek Pytela 2020-06-25 08:53:49 UTC
Klaas,

You are right. Unfortunately, the fix has unintentionally been skipped in backporting to F32. It will be a part of the next package update.

Comment 18 Zdenek Pytela 2020-06-30 11:18:59 UTC
*** Bug 1852404 has been marked as a duplicate of this bug. ***

Comment 19 Fedora Update System 2020-07-02 01:11:49 UTC
FEDORA-2020-5c374f680a has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 20 Klaas Demter 2020-07-02 09:09:08 UTC
(In reply to Zdenek Pytela from comment #17)
> Klaas,
> 
> You are right. Unfortunately, the fix has unintentionally been skipped in
> backporting to F32. It will be a part of the next package update.

Can you reopen this bug or do you want to create a new one? Seems it was automatically closed by the push to stable.

Comment 21 Zdenek Pytela 2020-07-02 11:37:56 UTC
Switching back to the POST state.

Comment 22 Alvin 2020-07-04 19:47:41 UTC
Similar problem has been detected:

Connect to VPN using nm-openconnect

hashmarkername: setroubleshoot
kernel:         5.7.6-201.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-41.fc32.noarch
reason:         SELinux is preventing nm-openconnect- from using the 'setsched' accesses on a process.
type:           libreport

Comment 23 Fedora Update System 2020-07-09 16:46:35 UTC
FEDORA-2020-876f7af8d8 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-876f7af8d8

Comment 24 Fedora Update System 2020-07-10 01:42:33 UTC
FEDORA-2020-876f7af8d8 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-876f7af8d8`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-876f7af8d8

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 25 Fedora Update System 2020-07-11 01:09:13 UTC
FEDORA-2020-876f7af8d8 has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 26 Enrique Meléndez 2020-07-11 16:35:32 UTC
Similar problem has been detected:

Appears every time I open a VPN with openconnect

hashmarkername: setroubleshoot
kernel:         5.7.7-200.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-41.fc32.noarch
reason:         SELinux is preventing nm-openconnect- from using the 'setsched' accesses on a process.
type:           libreport

Comment 27 Zdenek Pytela 2020-07-20 14:03:19 UTC
*** Bug 1850701 has been marked as a duplicate of this bug. ***

Comment 28 Raphael Groner 2020-07-24 10:46:02 UTC
Similar problem has been detected:

after connecting to VPN (openconnect)

hashmarkername: setroubleshoot
kernel:         5.6.15-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-39.fc32.noarch
reason:         SELinux is preventing nm-openconnect- from using the 'setsched' accesses on a process.
type:           libreport

Comment 29 Zdenek Pytela 2020-07-24 12:21:07 UTC
The vpnc_t setsched permission is dontaudited since 3.14.5-42:

    * Tue Jul 07 2020 Zdenek Pytela <zpytela> - 3.14.5-42
    - Allow certmonger manage dirsrv services
    - Run ipa_helper_noatsecure(oddjob_t) only if the interface exists
    - Allow oddjob_t process noatsecure permission for ipa_helper_t
    - Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t
    - Allow systemd_private_tmp(dirsrv_tmp_t)
    - Allow irqbalance file transition for pid sock_files and directories
    - Update irqbalance runtime directory file context
    - Allow irqbalance nnp_transition
    - Dontaudit vpnc_t setting its process scheduling
    - Allow systemd set efivarfs files attributes
    - Modify kernel_rw_key() not to include append permission
    - Add kernel_rw_key() interface to access to kernel keyrings

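The description's setroubleshoot hint (ausearch piped into audit2allow) and the upstream fix in comments 10 and 29 take two different routes out of the same AVC: audit2allow writes an allow rule, which grants vpnc_t the setsched permission, while the policy fix writes a dontaudit rule, which keeps the permission denied in enforcing mode and only stops the denial from being logged. The shell script below is an added example, not code from this bug report or from the selinux-policy project: it parses the AVC line quoted in the description into source type, target type, object class and permissions, and emits a minimal Type Enforcement module in the same shape audit2allow produces, with the rule kind chosen by the caller. The function names (avc_field, avc_perms, context_type, avc_to_te) and the module name my-nmvpncservice are this example's own choices; the sample line is copied from the description.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy): turn one AVC
# denial line into a minimal .te module, either as an "allow" rule (what
# audit2allow generates, i.e. the workaround in the description) or as a
# "dontaudit" rule (the shape of the upstream fix, which silences the
# denial without granting the permission).

# Constructed sample input: the AVC line quoted in the bug description.
SAMPLE_AVC='type=AVC msg=audit(1585231947.703:40373): avc:  denied  { setsched } for  pid=45643 comm="nm-vpnc-service" scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:system_r:vpnc_t:s0 tclass=process permissive=0'

# avc_field LINE KEY -> value of the "KEY=value" token in the line (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE -> the permission list inside "{ ... }", trailing space removed
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# context_type CONTEXT -> the type component of a user:role:type:level context
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_te LINE MODULE_NAME [allow|dontaudit] -> TE module text on stdout
avc_to_te() {
    line=$1; module=$2; rule=${3:-allow}
    case "$rule" in
        allow|dontaudit) ;;
        *) echo "rule must be 'allow' or 'dontaudit'" >&2; return 1 ;;
    esac
    src=$(context_type "$(avc_field "$line" scontext)")
    tgt=$(context_type "$(avc_field "$line" tcontext)")
    class=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    if [ -z "$src" ] || [ -z "$tgt" ] || [ -z "$class" ] || [ -z "$perms" ]; then
        echo "not an AVC denial line: $line" >&2
        return 1
    fi
    printf 'module %s 1.0;\n\nrequire {\n' "$module"
    printf '\ttype %s;\n' "$src"
    # The target type only needs its own require entry when it differs.
    [ "$src" = "$tgt" ] || printf '\ttype %s;\n' "$tgt"
    printf '\tclass %s { %s };\n}\n\n' "$class" "$perms"
    # A target equal to the source is spelled "self", as audit2allow does.
    [ "$src" = "$tgt" ] && tgt=self
    printf '%s %s %s:%s { %s };\n' "$rule" "$src" "$tgt" "$class" "$perms"
}

# Stand-alone run: print the dontaudit variant for the sample line.
avc_to_te "$SAMPLE_AVC" my-nmvpncservice dontaudit
```

Running it prints a module whose final rule is `dontaudit vpnc_t self:process { setsched };`; passing `allow` as the third argument yields the audit2allow-style `allow vpnc_t self:process { setsched };` instead. The .te text can be compiled with checkmodule and semodule_package and loaded with semodule as usual. The practical difference matters for anyone applying the description's workaround: the allow rule widens what a compromised nm-vpnc-service process may do (change its own scheduling), whereas the dontaudit rule changes nothing about enforcement and only removes log noise. The price of dontaudit is that a genuine future denial of the same permission is hidden too; `semodule -DB` rebuilds the policy with dontaudit rules disabled when you need to see it again.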
