Bug 214921 - Activating network card via Network Configuration triggers SELinux denial.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
6
i386 Linux
medium Severity medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2006-11-09 18:17 EST by Casper Gasper
Modified: 2007-11-30 17:11 EST
Fixed In Version: 1.33.2-2.fc6.
Doc Type: Bug Fix
Last Closed: 2006-11-27 13:43:14 EST
Description Casper Gasper 2006-11-09 18:17:48 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8.0.8) Gecko/20061107 Fedora/1.5.0.8-1.fc6 Firefox/1.5.0.8

Description of problem:
Activating a de-activated network device by clicking on "Activate" in the system-config-network tool triggers an SELinux denial.

From Setroubleshoot:
Summary: 
SELinux is preventing /sbin/ifconfig (ifconfig_t) "write" to pipe:[14416](unconfined_t).

Additional Information:
Source Context system_u:system_r:ifconfig_t
Target Context system_u:system:r:unconfined_t
Target Objects pipe:[14416][fifo_file]
Affected RPM Packages net-tools-1.60-73 [application]
Policy RPM selinux-policy-2.4.3-2.fc6
Selinux Enabled True
Policy type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall
Host Name pinky.caspergasper.com
Platform Linux pinky.caspergasper.com 2.6.18-1.2835.fc6 #1 SMP Thu Nov 2 01:41:42 EST 2006 i686 i686

Here are the messages from audit.log:

type=AVC msg=audit(1163111169.659:41): avc:  denied  { read } for  pid=3403 comm="ifconfig" name="[12837]" dev=pipefs ino=12837 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_file
type=AVC msg=audit(1163111169.659:41): avc:  denied  { write } for  pid=3403 comm="ifconfig" name="[12837]" dev=pipefs ino=12837 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_file



Version-Release number of selected component (if applicable):
net-tools-1.60-73

How reproducible:
Always


Steps to Reproduce:
1. Set SELinux in enforcing mode.
2. Open network configuration tool.
3. De-activate and then re-activate network interface.

Actual Results:
SELinux denied a read and a write to a fifo pipe. 

Expected Results:
No denial.

Additional info:
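
The two AVC records quoted in the report above, parsed and merged into one denial summary. This is an added example, not part of the original bug report and not code from any SELinux tool; the function names are hypothetical, and the sample lines are the report's records with the 80-column wrapping undone.

```python
import re
from collections import defaultdict

# AVC records copied from the report, one record per line.
SAMPLE = """\
type=AVC msg=audit(1163111169.659:41): avc:  denied  { read } for  pid=3403 comm="ifconfig" name="[12837]" dev=pipefs ino=12837 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_file
type=AVC msg=audit(1163111169.659:41): avc:  denied  { write } for  pid=3403 comm="ifconfig" name="[12837]" dev=pipefs ino=12837 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["event"] = f'{m.group("ts")}:{m.group("serial")}'
    return rec


def summarize(log_text):
    """Merge denials sharing event, process, domains and object into one row."""
    merged = defaultdict(set)
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        key = (rec["event"], rec["comm"], selinux_type(rec["scontext"]),
               selinux_type(rec["tcontext"]), rec["tclass"],
               rec.get("dev", ""), rec.get("ino", ""))
        merged[key].update(rec["perms"])
    return {key: sorted(perms) for key, perms in merged.items()}


if __name__ == "__main__":
    for key, perms in summarize(SAMPLE).items():
        print(key, perms)
```

Both records share audit event 1163111169.659:41, so they collapse to a single row: ifconfig_t denied read and write on one pipefs fifo_file labelled unconfined_t.
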
Comment 1 Radek Vokal 2006-11-10 02:54:43 EST
Reassigning to selinux guys. Also reproducible on RHEL5
Comment 2 Daniel Walsh 2006-11-10 08:14:29 EST
What program did you use to login?  Could you check the context of the program, ie
ps -eZ | grep gdm  (Or whatever the login app was?)
Comment 3 Casper Gasper 2006-11-10 17:21:22 EST
(In reply to comment #2)
> What program did you use to login?  Could you check the context of the program, ie
> ps -eZ | grep gdm  (Or whatever the login app was?)

system_u:system_r:xdm_t:SystemLow-SystemHigh 2385 ? 00:00:00 gdm-binary
system_u:system_r:xdm_t:SystemLow-SystemHigh 2453 ? 00:00:00 gdm-binary
system_u:system_r:xdm_t:SystemLow-SystemHigh 2457 ? 00:00:00 gdm-binary

I get this same error with both my laptop and desktop machines.  


Comment 4 Casper Gasper 2006-11-24 19:24:45 EST
Appears to be fixed now with policycoreutils.i386 1.33.2-2.fc6.
