Description of problem:
Trying to make my wireless driver work, I have created a nonsensical configuration which is run on startup and is then switched to the real current network by NetworkManager (for some inexplicable reason the ndiswrapper module is not loaded automagically for me). However, SELinux doesn't like this -- see below. Even when I later removed this configuration, and now I start eth1 by hand and let the first DHCP request fail (because wifi is not configured properly -- the ESSID is set only by NetworkManager later). This is the rule generated by audit2allow for me:

#============= udev_t ==============
allow udev_t self:capability sys_module;

(The complete audit.log is attached to this message -- ignore the postfix problems, that was reported, and ignored, in another bug.)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-23.fc7
udev-106-4.1.fc7
NetworkManager-0.6.5-6.fc7

How reproducible:
100%

Steps to Reproduce:
1. configure wifi network card to some nonsensical IP address via system-config-network
2. observe problem and reboot
3. remove nonsensical configuration and leave only plain DHCP
4. reboot
5. ifup eth1 ; fails as expected (ESSID etc. are not set up)
6. let NM do its work

Actual results:
AVC Denial

Expected results:
NM connects to the preferred wireless network and opens me the way to prosperity and happiness.

Additional info:
Summary
SELinux is preventing /lib/udev/rename_device (udev_t) "sys_module" to <Unknown> (udev_t).

Detailed Description
SELinux denied access requested by /lib/udev/rename_device. It is not expected that this access is required by /lib/udev/rename_device and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context          system_u:system_r:udev_t:SystemLow-SystemHigh
Target Context          system_u:system_r:udev_t:SystemLow-SystemHigh
Target Objects          None [ capability ]
Affected RPM Packages   initscripts-8.54.1-1 [application]
Policy RPM              selinux-policy-2.6.4-23.fc7
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Permissive
Plugin Name             plugins.catchall
Host Name               chelcicky.ceplovi.cz
Platform                Linux chelcicky.ceplovi.cz 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count             1
First Seen              Fri 29 June 2007, 07:58:07 CEST
Last Seen               Fri 29 June 2007, 07:58:07 CEST
Local ID                0b8ee85b-5eba-4e1b-8c1d-824d7a651aeb
Line Numbers

Raw Audit Messages
avc: denied { sys_module } for comm="rename_device" egid=0 euid=0 exe="/lib/udev/rename_device" exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=2971 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=capability tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tty=(none) uid=0
Created attachment 158187 [details] audit.log
Are you asking how to change SELinux to allow this to happen? If yes, you can add rules to SELinux by executing

grep udev /var/log/audit/audit.log | audit2allow -M myudev
semodule -i myudev.pp

If you want to add policy to allow udev to load kernel modules by default, I don't think this is a good idea.
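The audit2allow step in the comment above, shown as an added example that is not part of this bug report and is not audit2allow's own code: a small Python script that parses AVC denial records from audit.log, merges them into the same kind of `allow` rule audit2allow emits (using `self` when source and target type coincide, as in the rule quoted in the description), and flags capability grants such as sys_module that should be questioned rather than dropped into a local policy module. The audit lines below are constructed for the example (the first mirrors the denial in this bug, the second is invented for contrast), and the RISKY_CAPABILITIES watch-list is an assumption of the example, not anything SELinux or audit2allow define.

```python
import re
import sys
from collections import defaultdict

# Constructed sample records for this example. The first reproduces the field
# layout of the denial quoted in the bug (tclass before tcontext), the second
# is an invented file denial, the third is a non-AVC record that must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1183096687.123:45): avc: denied { sys_module } for comm="rename_device" egid=0 euid=0 exe="/lib/udev/rename_device" exit=0 pid=2971 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tty=(none) uid=0
type=AVC msg=audit(1183096700.456:46): avc: denied { read write } for pid=3100 comm="postfix" path="/var/spool/postfix/x" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1183096687.123:45): arch=40000003 syscall=11 success=yes exit=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Hypothetical watch-list (assumption of this example): capabilities that give a
# confined domain root-equivalent power, so a blanket allow defeats the point
# of confining it. sys_module is the one at issue in this bug.
RISKY_CAPABILITIES = {
    "sys_module": "load and unload kernel modules",
    "sys_admin": "catch-all admin capability (mount, setns, ...)",
    "sys_rawio": "raw access to block devices and I/O ports",
    "sys_ptrace": "trace and inject into other processes",
    "dac_override": "bypass file permission checks",
}


def parse_avc(line):
    """Return the permissions, contexts and class of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value pairs may appear in any order; quoted values lose their quotes.
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
    }


def selinux_type(context):
    """Extract the type from user:role:type[:range]."""
    return context.split(":")[2]


def generate_rules(log_text):
    """Merge denials into TE allow rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        src = selinux_type(rec["scontext"])
        tgt = selinux_type(rec["tcontext"])
        if tgt == src:          # same domain on both sides -> "self"
            tgt = "self"
        merged[(src, tgt, rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


def flag_dangerous(log_text):
    """Warn about capability denials that should not be silently allowed."""
    warnings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["tclass"] != "capability":
            continue
        for perm in rec["perms"]:
            if perm in RISKY_CAPABILITIES:
                warnings.append(
                    f"{rec['comm']} ({selinux_type(rec['scontext'])}) wants "
                    f"capability {perm}: {RISKY_CAPABILITIES[perm]} -- review before allowing"
                )
    return warnings


if __name__ == "__main__":
    # Usage: grep avc /var/log/audit/audit.log | python3 this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT
    for rule in generate_rules(text):
        print(rule)
    for warning in flag_dangerous(text):
        print("WARNING:", warning, file=sys.stderr)
```

Run on real data the script only reports; the decision is yours. The warning output is the check the thread is circling around: a rule like `allow udev_t self:capability sys_module;` loads into semodule just as easily as a harmless file read, so grep the generated .te for `capability` before installing it.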
Frankly, I don't care how it happens, but I don't like the fact that I get AVC denials when switching on my network ;-). Switching to the NetworkManager component.
Are you running in enforcing mode and does the network start up correctly?
$ rpm -qf $(fgrep -rl rename_device /etc/udev/rules.d/)
initscripts-8.45.7-1
$ rpm -qf /lib/udev/rename_device
initscripts-8.45.7-1
No, the screwed-up behavior of postfix under SELinux (bug 215722 is still alive and well for me) made me switch to Permissive mode. It is just a notebook, so I don't really NEED SELinux; I run it just to make myself a testing target (having redhat.com in the email address). However, I have already removed postfix and switched back to sendmail, so I may be able to switch to Enforcing mode again. I will let you know how it goes.
Could you update that bugzilla? The question is what is creating the bugzilla; allowing udev to load kernel modules seems dangerous.
Which one -- this or bug 215722? I will get to the latter only in a couple of hours (after returning home and dinner).
Hmm, I restarted the computer and the network works without a problem. Don't know what's going on. See my audit.log as attachment 158504 [details], attached to bug 215722, comment 24. If you want you can close this, I guess.
> allowing udev to load kernel modules seems dangerous ????
Closing per comment 9.