Bug 432843 - selinux prevents new NetworkManager system settings daemon from working
selinux prevents new NetworkManager system settings daemon from working
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
8
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-02-14 13:32 EST by Orion Poplawski
Modified: 2008-02-21 15:34 EST (History)
1 user (show)

See Also:
Fixed In Version: 3.0.8-87.fc8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-21 15:34:34 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
NM crash from /var/log/messages (6.42 KB, text/plain)
2008-02-19 14:02 EST, Orion Poplawski
no flags Details

  None (edit)
Description Orion Poplawski 2008-02-14 13:32:25 EST
Running F8 plus updates-testing.  Recent NetworkManager update adds a system
settings daemon, but selinux is blocking dbus messages.

In enforcing:

audit(1203012714.496:4): avc:  denied  { getattr } for  pid=2558
comm="nm-system-setti" path="inotify" dev=inotifyfs ino=1
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
audit(1203012714.498:5): user pid=1918 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for
msgtype=method_return dest=:1.9 spid=2558 tpid=2493
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus
audit(1203012714.499:6): user pid=1918 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for
msgtype=method_return dest=:1.9 spid=2558 tpid=2493
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus
audit(1203012714.545:7): user pid=1918 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for
msgtype=signal interface=org.freedesktop.NetworkManagerSettings
member=NewConnection dest=org.freedesktop.DBus spid=2558 tpid=2493
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus
audit(1203012714.546:8): user pid=1918 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for
msgtype=signal interface=org.freedesktop.NetworkManagerSettings
member=NewConnection dest=org.freedesktop.DBus spid=2558 tpid=2493
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus
audit(1203012828.781:10): user pid=1918 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for
msgtype=method_return dest=:1.17 spid=2558 tpid=2821
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus

system_u:system_r:system_dbusd_t:s0 dbus  1918     1  0 11:11 ?        00:00:00
dbus-daemon --system
/usr/sbin/nm-system-settings --config /etc/nm-system-settings.conf

NM reports:

Feb 14 11:12:19 cynosure NetworkManager: <WARN>  list_connections_cb(): Couldn't
retrieve connections: Did not receive a reply. Possible causes include: the
remote application did not send a reply, the message bus security policy blocked
the reply, the reply timeout expired, or the network connection was broken..

I'll reboot in permissive mode and capture those messages.

NetworkManager-0.7.0-0.6.7.svn3302.fc8
selinux-policy-3.0.8-84.fc8
Comment 1 Orion Poplawski 2008-02-14 13:46:21 EST
In permissive on boot I get:

audit(1203014203.129:3): avc:  denied  { getattr } for  pid=2546
comm="nm-system-setti" path="inotify" dev=inotifyfs ino=1
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
audit(1203014203.131:4): user pid=1909 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for
msgtype=method_return dest=:1.9 spid=2546 tpid=2481
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus

this comes after login:

audit(1203014311.087:7): user pid=1909 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for
msgtype=method_return dest=:1.21 spid=2546 tpid=3044
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus
Comment 2 Dan Williams 2008-02-14 14:12:18 EST
Yeah, the system settings daemon on F8 needs to:

1) talk to inotify
2) talk over D-Bus with the included D-Bus policy
3) Have read (and eventually write) access to /etc/sysconfig/networking/profiles/*
3) Have read access to /etc/sysconfig/network
5) Have read access to /etc/nm-system-settings.conf
6) Be able to dlopen() modules from /usr/lib/NetworkManager/

That should be it; if it requires anything else it's a bug.  Should be able to
be pretty tightly confined.
Comment 3 Dan Williams 2008-02-14 14:13:12 EST
Not just F8, rawhide too I might add.
Comment 4 Daniel Walsh 2008-02-14 15:09:37 EST
Rawhide policy can do all this.  I take it a new version of networkmanager just
hit F8?
Comment 5 Daniel Walsh 2008-02-14 15:12:49 EST
Fixed in selinux-policy-3.0.8-85.fc8
Comment 6 Orion Poplawski 2008-02-19 14:02:28 EST
Created attachment 295319 [details]
NM crash from /var/log/messages 

With selinux-policy-3.0.8-85.fc8, NM cannot talk to dbus at all and crashes. 
Interestingly, there are some denials for gdb when NM generates a backtrace.
Comment 7 Daniel Walsh 2008-02-19 15:17:00 EST
I just ran your messages through audit2why and it says the dbus messages should
be allowed.  The gdb messages are not because selinux does not understand why
gdm was running as NetworkManager.
Comment 8 Dan Williams 2008-02-19 15:30:50 EST
NM catches segfaults and attempts to log them to syslog, which basically spawns
gdb with a script to get a backtrace, and if that fails, tries to use pstack to
get one instead.
Comment 9 Orion Poplawski 2008-02-19 15:33:12 EST
I get 

audit(1203444814.169:4): avc:  denied  { search } for  pid=2381
comm="NetworkManagerD" name="dbus" dev=sda9 ino=63248
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check
boolean settings.
                You can see the necessary allow rules by running audit2allow
with this audit message as input.

audit(1203444833.685:5): avc:  denied  { search } for  pid=2491
comm="NetworkManager" name="dbus" dev=sda9 ino=63248
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check
boolean settings.
                You can see the necessary allow rules by running audit2allow
with this audit message as input.

Not sure what booleans would be involved.
Comment 10 Ignacio Vazquez-Abrams 2008-02-21 05:21:13 EST
Seeing the dbus denials when starting the NetworkManager service as well with:

NetworkManager-0.7.0-0.6.7.svn3235.fc8
selinux-policy-3.0.8-85.fc8

Permissive mode results in the following:

host=localhost.localdomain type=AVC msg=audit(1203588801.555:41): avc:  denied 
{ read } for  pid=3200 comm="wpa_supplicant" path="/etc/dbus-1/system.d"
dev=dm-0 ino=1377022 scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:dbusd_etc_t:s0 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1203588801.555:41):
arch=c000003e syscall=59 success=yes exit=0 a0=60c750 a1=60b570 a2=60b010
a3=30c49529f0 items=0 ppid=3199 pid=3200 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="wpa_supplicant"
exe="/usr/sbin/wpa_supplicant" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

host=localhost.localdomain type=AVC msg=audit(1203588801.691:42): avc:  denied 
{ search } for  pid=3200 comm="wpa_supplicant" name="dbus" dev=dm-0 ino=5210246
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir

host=localhost.localdomain type=AVC msg=audit(1203588801.691:42): avc:  denied 
{ write } for  pid=3200 comm="wpa_supplicant" name="system_bus_socket" dev=dm-0
ino=5210224 scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file

host=localhost.localdomain type=AVC msg=audit(1203588801.691:42): avc:  denied 
{ connectto } for  pid=3200 comm="wpa_supplicant"
path="/var/run/dbus/system_bus_socket"
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:system_r:system_dbusd_t:s0 tclass=unix_stream_socket

host=localhost.localdomain type=SYSCALL msg=audit(1203588801.691:42):
arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=7fff328010f0 a2=21
a3=30c49529f0 items=0 ppid=3199 pid=3200 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="wpa_supplicant"
exe="/usr/sbin/wpa_supplicant" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

host=localhost.localdomain type=AVC msg=audit(1203588795.467:38): avc:  denied 
{ search } for  pid=3189 comm="NetworkManager" name="dbus" dev=dm-0 ino=5210246
scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir

host=localhost.localdomain type=AVC msg=audit(1203588795.467:38): avc:  denied 
{ write } for  pid=3189 comm="NetworkManager" name="system_bus_socket" dev=dm-0
ino=5210224 scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file

host=localhost.localdomain type=AVC msg=audit(1203588795.467:38): avc:  denied 
{ connectto } for  pid=3189 comm="NetworkManager"
path="/var/run/dbus/system_bus_socket"
scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=system_u:system_r:system_dbusd_t:s0 tclass=unix_stream_socket

host=localhost.localdomain type=SYSCALL msg=audit(1203588795.467:38):
arch=c000003e syscall=42 success=yes exit=0 a0=7 a1=7fff9cac6220 a2=21 a3=0
items=0 ppid=1 pid=3189 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="NetworkManager" exe="/usr/sbin/NetworkManager"
subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
Comment 11 Daniel Walsh 2008-02-21 10:21:57 EST
selinux-policy-3.0.8-85.fc8 was broken,

try

selinux-policy-3.0.8-87.fc8
Comment 12 Ignacio Vazquez-Abrams 2008-02-21 14:10:50 EST
Yep, that's done it. Thanks a bunch.
Comment 13 Orion Poplawski 2008-02-21 15:34:34 EST
Confirmed

Note You need to log in before you can comment on or make changes to this bug.