Bug 207221 - nm-applet does not appear, with SELinux error message
nm-applet does not appear, with SELinux error message
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: NetworkManager (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Christopher Aillon
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-09-19 20:08 EDT by Dave Malcolm
Modified: 2007-11-30 17:11 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-09-21 19:12:12 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dave Malcolm 2006-09-19 20:08:44 EDT
Description of problem:
Getting an error message from nm-applet:
** (nm-applet:2542): WARNING **: <WARNING>       nma_dbus_init ():
org.freedesktop.DBus.Error.AccessDenied raised:
 An SELinux policy prevents this sender from sending this message to this
recipient (rejected message had interface "org.freedesktop.DBus" member "Hello"
error name "(unset)" destination "org.freedesktop.DBus")


Version-Release number of selected component (if applicable):
NetworkManager-gnome-0.6.4-5.fc6
dbus-0.92-1.fc6

How reproducible:
100%

Steps to Reproduce:
1. SELinux targetted policy, with enforcing on.
2. run nm-applet from terminal
  
Actual results:
Error message as above on startup and every few seconds subsequently.  Applet
does not appear on panel.

Expected results:
No error message; applet should appear on panel.

Additional info:
nm-applet process is running as "user_u:system_r:unconfined_t"; should it be? 
Should I be starting it a different way?

NetworkManager process is runnning as "system_u:system_r:initrc_t" (which seems
reasonable)
Comment 1 Dave Malcolm 2006-09-20 10:34:58 EDT
Looks similar to bug 207285
Comment 2 Dave Malcolm 2006-09-20 12:18:16 EDT
This is with selinux-policy-2.3.13-5
Comment 3 Suzanne Hillman 2006-09-20 12:27:46 EDT
This was working fine with selinux-policy-2.3.13-3 (on the laptop I'm testing
with at home), and the presumably relevant domain info is:

nm-applet is user_u:system_r:unconfined_t
NM is system_u:system_r:NetworkManager_t
dbus-daemon is system_u:system_r:system_dbusd_t
Comment 4 Dave Malcolm 2006-09-20 12:31:32 EDT
Failing for me with selinux-policy-2.3.13-5; the domains for me are:
nm-applet is also user_u:system_r:unconfined_t
NM is different for me: system_u:system_r:initrc_t
dbus-daemon --system is system_u:system_r:initrc_t
dbus-daemon --session is user_u:system_r:unconfined_t

So it looks like my NM and dbus might be in the wrong domains.
Comment 5 Daniel Walsh 2006-09-20 12:55:00 EDT
Does 
service NetworkManager restart

fix the problem?

how is the binary labeled?
Comment 6 Dave Malcolm 2006-09-20 13:11:14 EDT
No:

sudo /sbin/service NetworkManager restart
Stopping NetworkManager daemon:                            [  OK  ]
Setting network parameters... 
Starting NetworkManager daemon:                            [  OK  ]
[david@brick ~]$ ps axZ | grep Net
user_u:system_r:initrc_t        18752 ?        Ss     0:00 NetworkManager
--pid-file=/var/run/NetworkManager/NetworkManager.pid

ls -Z /usr/sbin/NetworkManager
-rwxr-xr-x  root root system_u:object_r:sbin_t         /usr/sbin/NetworkManager

[david@brick ~]$ /sbin/fixfiles check /usr/sbin/NetworkManager
[david@brick ~]$ echo $?
0

[david@brick ~]$ nm-applet 
GTK Accessibility Module initialized
Bonobo accessibility support initialized

** (nm-applet:19254): WARNING **: <WARNING>      nma_dbus_init ():
org.freedesktop.DBus.Error.AccessDenied raised:
 An SELinux policy prevents this sender from sending this message to this
recipient (rejected message had interface "org.freedesktop.DBus" member "Hello"
error name "(unset)" destination "org.freedesktop.DBus")
Comment 7 Daniel Walsh 2006-09-20 15:22:24 EDT
Wrong context 

ls -lZ /usr/sbin/NetworkManager
-rwxr-xr-x  root root system_u:object_r:NetworkManager_exec_t:s0
/usr/sbin/NetworkManager

Thy 
restorecon -v /usr/sbin/NetworkManager
Comment 8 Dave Malcolm 2006-09-20 15:43:04 EDT
For some reason it's not working:
[root@brick sbin]# /sbin/restorecon -v NetworkManager
[root@brick sbin]# echo $?
0
[root@brick sbin]# ls -alZ NetworkManager
-rwxr-xr-x  root root system_u:object_r:sbin_t         NetworkManager
[root@brick sbin]# rpm -qa | grep policy
policycoreutils-1.30.29-1
selinux-policy-2.3.13-5
[root@brick sbin]# uname -a
Linux brick 2.6.16-1.2252_FC6 #1 SMP Tue Jun 6 00:52:35 EDT 2006 i686 i686 i386
GNU/Linux

Any suggestions?  Am I missing something obvious here?
Comment 9 Dave Malcolm 2006-09-21 14:15:35 EDT
Yes: I didn't have selinux-policy-targeted installed.

Now installed, and fs relabelled.  
Will retry on next reboot

Note You need to log in before you can comment on or make changes to this bug.