Bug 246200 - SELinux is preventing /lib/udev/rename_device (udev_t) "sys_module" to <Unknown> (udev_t).
SELinux is preventing /lib/udev/rename_device (udev_t) "sys_module" to <Unkno...
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: NetworkManager (Show other bugs)
7
All Linux
low Severity low
: ---
: ---
Assigned To: Dan Williams
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-29 02:35 EDT by Matěj Cepl
Modified: 2008-04-22 14:47 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-04-22 14:47:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
audit.log (2.56 MB, text/plain)
2007-06-29 02:35 EDT, Matěj Cepl
no flags Details

  None (edit)
Description Matěj Cepl 2007-06-29 02:35:22 EDT
Description of problem:
Trying to make my wireless driver work I have created non-sensical configuration
which is run on startup and then it is switched to the real current network by
the Network Manager (for some unexplicable reason ndiswrapper module is not
loaded automagically for me). However, SELinux doesn't like this -- see below.
Even when I later removed this configuration and now I start eth1 by hand and
let the first DHCP request fail (because wifi is not configured properly --
ESSID is set only by NetworkManager later).

This is the rule generated by audit2allow for me:

#============= udev_t ==============
allow udev_t self:capability sys_module;

(complete audit.log is attached to this message -- ignore postfix problems, that
was reported, and ignored, in other bug).

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-23.fc7
udev-106-4.1.fc7
NetworkManager-0.6.5-6.fc7

How reproducible:
100%

Steps to Reproduce:
1. configure wifi network card to some non-sensical IP address via
system-config-network
2.observe problem and reboot
3. remove nonsensical configuration and leave only plain DHCP
4. reboot
5. ifup eth1 ; fails as expected (ESSID etc. are not set up)
6. let NM do its work
  
Actual results:
AVC Denial

Expected results:
NM connects to the preferred wireless network and opens me the way to the
prosperity and happiness.

Additional info:

Summary
    SELinux is preventing /lib/udev/rename_device (udev_t) "sys_module" to
    <Unknown> (udev_t).

Detailed Description
    SELinux denied access requested by /lib/udev/rename_device. It is not
    expected that this access is required by /lib/udev/rename_device and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:udev_t:SystemLow-SystemHigh
Target Context                system_u:system_r:udev_t:SystemLow-SystemHigh
Target Objects                None [ capability ]
Affected RPM Packages         initscripts-8.54.1-1 [application]
Policy RPM                    selinux-policy-2.6.4-23.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall
Host Name                     chelcicky.ceplovi.cz
Platform                      Linux chelcicky.ceplovi.cz 2.6.21-1.3228.fc7 #1
                              SMP Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Pá 29. červen 2007, 07:58:07 CEST
Last Seen                     Pá 29. červen 2007, 07:58:07 CEST
Local ID                      0b8ee85b-5eba-4e1b-8c1d-824d7a651aeb
Line Numbers                  

Raw Audit Messages            

avc: denied { sys_module } for comm="rename_device" egid=0 euid=0
exe="/lib/udev/rename_device" exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=2971
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=capability
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tty=(none) uid=0
Comment 1 Matěj Cepl 2007-06-29 02:35:24 EDT
Created attachment 158187 [details]
audit.log
Comment 2 Daniel Walsh 2007-07-01 21:01:49 EDT
Are you asking how to change SELinux to allow this to happen?  If yes you can
add rules to selinux by executing 

grep udev /var/log/audit/audit.log | audit2allow -M myudev
semodule -i myudev.pp

If you want to add policy to allow udev to load kernel modules by default, I
don't think this is a good idea.
Comment 3 Matěj Cepl 2007-07-02 03:39:59 EDT
Frankly I don't care how it happens, but I don't like the fact, that I get AVC
Denials when switching on my network ;-). Switching to NetworkManager component.
Comment 4 Daniel Walsh 2007-07-02 13:30:24 EDT
Are you running in enforcing mode and does the network start up correctly?
Comment 5 Harald Hoyer 2007-07-03 04:22:47 EDT
$ rpm -qf $(fgrep -rl rename_device /etc/udev/rules.d/)
initscripts-8.45.7-1

$ rpm -qf /lib/udev/rename_device
initscripts-8.45.7-1
Comment 6 Matěj Cepl 2007-07-03 05:10:21 EDT
No, screwed up behavior of postfix under SELinux (bug 215722 is still alive and
well for me) made me to switch to Permissive mode. It is just a notebook, so I
don't I really NEED SELinux, running just to make me a testing target (having
redhat.com in the email address). However, I have already removed postfix and
switched back to sendmail, so I may be able to switch to Enforcing mode again. I
will let you know how it goes.
Comment 7 Daniel Walsh 2007-07-03 10:42:21 EDT
Could you update that bugzilla?

The question is what is creating the bugzilla, allowing udev to load kernel
modules seems dangerous.
Comment 8 Matěj Cepl 2007-07-03 11:37:40 EDT
which one -- this or bug 215722 ? I will get to the latter only in couple of
hours (after return home and dinner)
Comment 9 Matěj Cepl 2007-07-04 04:40:15 EDT
Hmm, restarted computer and the network works without a problem. Don't know
what's going on. See my audit.log as attachment 158504 [details] attached to the bug
215722 comment 24 If you want you can close this I guess.
Comment 10 Harald Hoyer 2007-07-04 06:13:24 EDT
> allowing udev to load kernel modules seems dangerous
????


Comment 11 Dan Williams 2008-04-22 14:47:43 EDT
closing per comment 9

Note You need to log in before you can comment on or make changes to this bug.