Description of problem:
SELinux is preventing nm-vpnc-service from using the 'setsched' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that nm-vpnc-service should be allowed setsched access on processes labeled vpnc_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nm-vpnc-service' --raw | audit2allow -M my-nmvpncservice
# semodule -X 300 -i my-nmvpncservice.pp

Additional Information:
Source Context                system_u:system_r:vpnc_t:s0
Target Context                system_u:system_r:vpnc_t:s0
Target Objects                Unknown [ process ]
Source                        nm-vpnc-service
Source Path                   nm-vpnc-service
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-3.14.5-31.fc32.noarch
Local Policy RPM              selinux-policy-targeted-3.14.5-31.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.6.0-0.rc7.git0.2.fc32.x86_64 #1 SMP Mon Mar 23 18:38:45 UTC 2020 x86_64 x86_64
Alert Count                   4
First Seen                    2020-03-24 13:48:02 EDT
Last Seen                     2020-03-26 10:12:27 EDT
Local ID                      2162882e-b651-4222-a754-e6b581611e3c

Raw Audit Messages
type=AVC msg=audit(1585231947.703:40373): avc: denied { setsched } for pid=45643 comm="nm-vpnc-service" scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:system_r:vpnc_t:s0 tclass=process permissive=0

Hash: nm-vpnc-service,vpnc_t,vpnc_t,process,setsched

Version-Release number of selected component:
selinux-policy-3.14.5-31.fc32.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.12.0
hashmarkername: setroubleshoot
kernel:         5.6.0-0.rc7.git0.2.fc32.x86_64
type:           libreport
Dawid, Thank you for reporting the issue. Are you aware of any conditions leading to triggering this issue or was it just common usage? Apart from the denial audited, did you also see any functionality issue?
> Dawid,
>
> Thank you for reporting the issue. Are you aware of any conditions leading to triggering this issue or was it just common usage? Apart from the denial audited, did you also see any functionality issue?

I am not Dawid, but in my case it happens when I linked up a VPN connection (openconnect) via Gnome Network Manager. I didn't see any functionality issue because I switched SELinux into permissive mode.
Hi, Sorry for delay in replying. For me, it happens a few seconds after I connect to VPN (vpnc) via Network Manager but I did not notice any loss of functionality (SELinux in enforcing mode)
Similar problem has been detected:

just starting a vpnc vpn via the gnome3 dropdown

hashmarkername: setroubleshoot
kernel:         5.6.12-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing nm-vpnc-service from using the 'setsched' accesses on a process.
type:           libreport
I have no functionality issue, just the alert in the selinux troubleshooter
Similar problem has been detected:

This happened after updating to Fedora 32 when I connected to VPN via the Plasma networkmanager applet.

hashmarkername: setroubleshoot
kernel:         5.6.12-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-38.fc32.noarch
reason:         SELinux is preventing nm-vpnc-service from using the 'setsched' accesses on a process.
type:           libreport
*** Bug 1846811 has been marked as a duplicate of this bug. ***
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy-contrib/pull/268
*** Bug 1812378 has been marked as a duplicate of this bug. ***
commit 38bfb65292cdc51e922ff151ac34db2fb1401cda
Author: Zdenek Pytela <zpytela>
Date:   Mon Jun 15 17:13:49 2020 +0200

    Dontaudit vpnc_t setting its process scheduling

    Resolves: rhbz#1817528
Similar problem has been detected:

This AVC is triggered each time an openconnect (in this case globalprotect) login is performed. All seems to work fine despite this AVC.

hashmarkername: setroubleshoot
kernel:         5.6.18-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-40.fc32.noarch
reason:         SELinux is preventing nm-openconnect- from using the 'setsched' accesses on a process.
type:           libreport
Similar problem has been detected:

Started a VPN connection

hashmarkername: setroubleshoot
kernel:         5.6.16-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-40.fc32.noarch
reason:         SELinux is preventing nm-openconnect- from using the 'setsched' accesses on a process.
type:           libreport
FEDORA-2020-5c374f680a has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-5c374f680a
The package does not seem to fix the issue for me, I still get a denial:

Additional Information:
Source Context                system_u:system_r:vpnc_t:s0
Target Context                system_u:system_r:vpnc_t:s0
Target Objects                Unknown [ process ]
Source                        nm-vpnc-service
Source Path                   nm-vpnc-service
Port                          <Unknown>
Host                          notebook
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.5-41.fc32.noarch
Local Policy RPM              selinux-policy-targeted-3.14.5-41.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     notebook
Platform                      Linux notebook 5.6.19-300.fc32.x86_64 #1 SMP Wed Jun 17 16:10:48 UTC 2020 x86_64 x86_64
Alert Count                   10
First Seen                    2020-05-25 17:28:41 CEST
Last Seen                     2020-06-24 19:46:32 CEST
Local ID                      027f28f6-4e8d-4486-aa34-8d946eb37349

Raw Audit Messages
type=AVC msg=audit(1593020792.685:292): avc: denied { setsched } for pid=2907 comm="nm-vpnc-service" scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:system_r:vpnc_t:s0 tclass=process permissive=0
FEDORA-2020-5c374f680a has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-5c374f680a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5c374f680a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Similar problem has been detected:

SELinux complains every time when activating the VPN connection to a Palo Alto Networks firewall

hashmarkername: setroubleshoot
kernel:         5.6.19-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-40.fc32.noarch
reason:         SELinux is preventing nm-openconnect- from using the 'setsched' accesses on a process.
type:           libreport
Klaas, You are right. Unfortunately, the fix has unintentionally been skipped in backporting to F32. It will be a part of the next package update.
*** Bug 1852404 has been marked as a duplicate of this bug. ***
FEDORA-2020-5c374f680a has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.
(In reply to Zdenek Pytela from comment #17)
> Klaas,
>
> You are right. Unfortunately, the fix has unintentionally been skipped in
> backporting to F32. It will be a part of the next package update.

Can you reopen this bug or do you want to create a new one? Seems it was automatically closed by the push to stable.
Switching back to the POST state.
Similar problem has been detected:

Connect to VPN using nm-openconnect

hashmarkername: setroubleshoot
kernel:         5.7.6-201.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-41.fc32.noarch
reason:         SELinux is preventing nm-openconnect- from using the 'setsched' accesses on a process.
type:           libreport
FEDORA-2020-876f7af8d8 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-876f7af8d8
FEDORA-2020-876f7af8d8 has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-876f7af8d8` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-876f7af8d8 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-876f7af8d8 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.
Similar problem has been detected:

Appears every time I open a VPN with openconnect

hashmarkername: setroubleshoot
kernel:         5.7.7-200.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-41.fc32.noarch
reason:         SELinux is preventing nm-openconnect- from using the 'setsched' accesses on a process.
type:           libreport
*** Bug 1850701 has been marked as a duplicate of this bug. ***
Similar problem has been detected:

after connected to vpn (openconnect)

hashmarkername: setroubleshoot
kernel:         5.6.15-300.fc32.x86_64
package:        selinux-policy-targeted-3.14.5-39.fc32.noarch
reason:         SELinux is preventing nm-openconnect- from using the 'setsched' accesses on a process.
type:           libreport
The vpnc_t setsched permission is dontaudited since 3.14.5-42:

* Tue Jul 07 2020 Zdenek Pytela <zpytela> - 3.14.5-42
- Allow certmonger manage dirsrv services
- Run ipa_helper_noatsecure(oddjob_t) only if the interface exists
- Allow oddjob_t process noatsecure permission for ipa_helper_t
- Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t
- Allow systemd_private_tmp(dirsrv_tmp_t)
- Allow irqbalance file transition for pid sock_files and directories
- Update irqbalance runtime directory file context
- Allow irqbalance nnp_transition
- Dontaudit vpnc_t setting its process scheduling
- Allow systemd set efivarfs files attributes
- Modify kernel_rw_key() not to include append permission
- Add kernel_rw_key() interface to access to kernel keyrings
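An added example, not part of the bug report and not setroubleshoot's or the policy's own code: a Python parser that reduces the two raw AVC records quoted in this thread to the comm, source type, target type, class, permission tuple shown on the report's Hash line, and prints the rule shape of the audit2allow workaround beside that of the dontaudit fix named in the commit. The function names and the emitted rule text are assumptions for illustration; the shipped policy change itself is not shown on this page.

```python
import re
from collections import Counter

# Raw AVC records copied from the two reports in this thread.
SAMPLE = """\
type=AVC msg=audit(1585231947.703:40373): avc: denied { setsched } for pid=45643 comm="nm-vpnc-service" scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:system_r:vpnc_t:s0 tclass=process permissive=0
type=AVC msg=audit(1593020792.685:292): avc: denied { setsched } for pid=2907 comm="nm-vpnc-service" scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:system_r:vpnc_t:s0 tclass=process permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial record, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type:level; the type drives the decision.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields


def denial_keys(f):
    """One 'comm,stype,ttype,class,perm' key per denied permission."""
    return [",".join((f["comm"], f["stype"], f["ttype"], f["tclass"], p))
            for p in f["perms"]]


def rule_text(f, kind):
    """Policy rule shape; kind is 'allow' or 'dontaudit' (illustrative only)."""
    target = "self" if f["stype"] == f["ttype"] else f["ttype"]
    perms = f["perms"][0] if len(f["perms"]) == 1 else "{ %s }" % " ".join(f["perms"])
    return "%s %s %s:%s %s;" % (kind, f["stype"], target, f["tclass"], perms)


def summarize(text):
    """Count denials per key so repeated alerts collapse into one finding."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_avc(line)
        if f is not None:
            counts.update(denial_keys(f))
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, key)
    first = parse_avc(SAMPLE.splitlines()[0])
    print(rule_text(first, "allow"))      # audit2allow workaround: grants the access
    print(rule_text(first, "dontaudit"))  # fix: access stays denied, logging stops
```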