Bug 313971 - couple of AVC denials breaking (among other things) NetworkManager
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance

Reported: 2007-10-01 11:06 EDT by Matěj Cepl
Modified: 2007-11-30 17:12 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-10-15 13:45:19 EDT

Attachments
/var/log/audit.log (781.74 KB, text/plain)
2007-10-01 11:06 EDT, Matěj Cepl
/var/log/messages.1 with particular error messages about access denial to dbus socket (2.79 MB, text/plain)
2007-10-01 11:10 EDT, Matěj Cepl
New NM Selinux module (350 bytes, text/plain)
2007-10-01 11:11 EDT, Matěj Cepl
Another selinux module I created as well (186 bytes, text/plain)
2007-10-01 11:14 EDT, Matěj Cepl
and the last SELinux module I made (207 bytes, text/plain)
2007-10-01 11:16 EDT, Matěj Cepl

Description Matěj Cepl 2007-10-01 11:06:44 EDT
Description of problem:
NetworkManager ceased to work quite recently for me, and after a lot of
searching I tried to work my way through audit2allow and when applying three
policies I have created with it, everything works.

Version-Release number of selected component (if applicable):
dbus-1.0.2-6.fc7
udev-113-12.fc7
NetworkManager-0.6.5-7.fc7
selinux-policy-2.6.4-45.fc7
selinux-policy-targeted-2.6.4-45.fc7

How reproducible:
100%

Steps to Reproduce:
1. Restart computer with chkconfig NetworkManager set to "on".
2. messagebus is down, therefore a couple of daemons don't work (messages like
these happen):
Sep 29 17:15:52 viklef console-kit-daemon[2637]: WARNING: Couldn't connect to
system bus: Failed to connect to socket /var/run/dbus/system_bus_socket:
Connection refused 
3. NetworkManager is not able to get IP address from the network
  
Actual results:
messagebus is down, many daemons fail because of that, including NetworkManager

Expected results:
everything is OK, and I get free ice cream ;-)
Comment 1 Matěj Cepl 2007-10-01 11:06:44 EDT
Created attachment 212331
/var/log/audit.log
Comment 2 Matěj Cepl 2007-10-01 11:10:10 EDT
Created attachment 212341
/var/log/messages.1 with particular error messages about access denial to dbus socket
Comment 3 Matěj Cepl 2007-10-01 11:11:48 EDT
Created attachment 212351
New NM Selinux module

I think this is the module which did the trick.
Comment 4 Matěj Cepl 2007-10-01 11:14:02 EDT
Created attachment 212361
Another selinux module I created as well

Just for the sake of completeness I have created this module as well -- I have
no clue whether it is needed or actually whether it is a good idea.
Comment 5 Matěj Cepl 2007-10-01 11:16:43 EDT
Created attachment 212371
and the last SELinux module I made

This is the last module I made.
Comment 6 Daniel Walsh 2007-10-01 16:13:14 EDT
First off, for some reason your /root directory is labeled default_t.

restorecon -R -v /root 

should fix this.  All of your default_t messages are caused by this.

The hal messages are caused by a badly labeled pm-suspend.log.

restorecon -R -v /var/log

should fix this.  And an updated version of pm-utils should be coming to fix
this forever, by placing the log file in a /var/run/pm and /var/log/pm
subdirectory.

dbus fixes will be in selinux-policy-2.6.4-46
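
A triage sketch for the distinction drawn in comment 6, added here as an example and not part of the bug thread or of the selinux-policy project: it separates AVC denials whose target type points to a lost file label (a restorecon fix) from denials that may need a policy change, before any audit2allow module is built. The sample records are constructed, and treating file_t and unlabeled_t like default_t is an assumption.

```python
import re
from collections import Counter

# default_t is the type named in comment 6; file_t and unlabeled_t are added
# here as other common signs of a lost label (assumption, not from the thread).
MISLABEL_TYPES = {"default_t", "file_t", "unlabeled_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample records, not copied from the attached audit.log.
SAMPLE = [
    'type=AVC msg=audit(1000000001.001:10): avc:  denied  { search } for  pid=100 '
    'comm="example" name="example" dev=dm-0 ino=11 '
    'scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir',
    'type=AVC msg=audit(1000000002.001:11): avc:  denied  { search } for  pid=100 '
    'comm="example" name="example" dev=dm-0 ino=11 '
    'scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir',
    'type=AVC msg=audit(1000000003.001:12): avc:  denied  { connectto } for  pid=200 '
    'comm="example" path="/var/run/dbus/system_bus_socket" '
    'scontext=system_u:system_r:NetworkManager_t:s0 '
    'tcontext=system_u:system_r:system_dbusd_t:s0 tclass=unix_stream_socket',
    'type=SYSCALL msg=audit(1000000003.001:12): arch=40000003 syscall=102 success=no',
]

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def triage(lines):
    """Count denials per (source, target, class, perms), split by likely cause."""
    mislabeled, policy = Counter(), Counter()
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no denial
        target = selinux_type(m["tcontext"])
        key = (selinux_type(m["scontext"]), target, m["tclass"],
               " ".join(m["perms"].split()))
        (mislabeled if target in MISLABEL_TYPES else policy)[key] += 1
    return mislabeled, policy

if __name__ == "__main__":
    labels = ("relabel with restorecon:", "review policy:")
    for label, counts in zip(labels, triage(SAMPLE)):
        for key, n in counts.items():
            print(label, n, key)
```

Denials in the first group disappear once the files are relabeled, so only the second group is worth feeding to audit2allow or reporting against the policy.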
Comment 7 Matěj Cepl 2007-10-01 17:49:47 EDT
I can fully confirm the mislabeled /root (I have no idea how that happened), but
restorecon -v -R /var didn't say anything about relabeling of pm-suspend.log.
Comment 8 Matěj Cepl 2007-10-13 09:34:22 EDT
I think this has been fixed in subsequent updates of selinux-policy.
