Running F8 plus updates-testing. Recent NetworkManager update adds a system settings daemon, but selinux is blocking dbus messages.

In enforcing:

audit(1203012714.496:4): avc: denied { getattr } for pid=2558 comm="nm-system-setti" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
audit(1203012714.498:5): user pid=1918 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.9 spid=2558 tpid=2493 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus
audit(1203012714.499:6): user pid=1918 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.9 spid=2558 tpid=2493 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus
audit(1203012714.545:7): user pid=1918 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.NetworkManagerSettings member=NewConnection dest=org.freedesktop.DBus spid=2558 tpid=2493 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus
audit(1203012714.546:8): user pid=1918 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.NetworkManagerSettings member=NewConnection dest=org.freedesktop.DBus spid=2558 tpid=2493 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus
audit(1203012828.781:10): user pid=1918 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.17 spid=2558 tpid=2821 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus

system_u:system_r:system_dbusd_t:s0 dbus 1918 1 0 11:11 ? 00:00:00 dbus-daemon --system
/usr/sbin/nm-system-settings --config /etc/nm-system-settings.conf

NM reports:

Feb 14 11:12:19 cynosure NetworkManager: <WARN> list_connections_cb(): Couldn't retrieve connections: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken..

I'll reboot in permissive mode and capture those messages.

NetworkManager-0.7.0-0.6.7.svn3302.fc8
selinux-policy-3.0.8-84.fc8
In permissive on boot I get:

audit(1203014203.129:3): avc: denied { getattr } for pid=2546 comm="nm-system-setti" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
audit(1203014203.131:4): user pid=1909 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.9 spid=2546 tpid=2481 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus

This comes after login:

audit(1203014311.087:7): user pid=1909 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.21 spid=2546 tpid=3044 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus
Yeah, the system settings daemon on F8 needs to:
1) talk to inotify
2) talk over D-Bus with the included D-Bus policy
3) Have read (and eventually write) access to /etc/sysconfig/networking/profiles/*
4) Have read access to /etc/sysconfig/network
5) Have read access to /etc/nm-system-settings.conf
6) Be able to dlopen() modules from /usr/lib/NetworkManager/
That should be it; if it requires anything else it's a bug. Should be able to be pretty tightly confined.
Not just F8, rawhide too I might add.
Rawhide policy can do all this. I take it a new version of networkmanager just hit F8?
Fixed in selinux-policy-3.0.8-85.fc8
Created attachment 295319: NM crash from /var/log/messages

With selinux-policy-3.0.8-85.fc8, NM cannot talk to dbus at all and crashes. Interestingly, there are some denials for gdb when NM generates a backtrace.
I just ran your messages through audit2why and it says the dbus messages should be allowed. The gdb messages are not, because selinux does not understand why gdb was running as NetworkManager.
NM catches segfaults and attempts to log them to syslog, which basically spawns gdb with a script to get a backtrace, and if that fails, tries to use pstack to get one instead.
I get

audit(1203444814.169:4): avc: denied { search } for pid=2381 comm="NetworkManagerD" name="dbus" dev=sda9 ino=63248 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
Was caused by:
Missing or disabled TE allow rule. Allow rules may exist but be disabled by boolean settings; check boolean settings. You can see the necessary allow rules by running audit2allow with this audit message as input.

audit(1203444833.685:5): avc: denied { search } for pid=2491 comm="NetworkManager" name="dbus" dev=sda9 ino=63248 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
Was caused by:
Missing or disabled TE allow rule. Allow rules may exist but be disabled by boolean settings; check boolean settings. You can see the necessary allow rules by running audit2allow with this audit message as input.

Not sure what booleans would be involved.
Seeing the dbus denials when starting the NetworkManager service as well with:

NetworkManager-0.7.0-0.6.7.svn3235.fc8
selinux-policy-3.0.8-85.fc8

Permissive mode results in the following:

host=localhost.localdomain type=AVC msg=audit(1203588801.555:41): avc: denied { read } for pid=3200 comm="wpa_supplicant" path="/etc/dbus-1/system.d" dev=dm-0 ino=1377022 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dbusd_etc_t:s0 tclass=dir
host=localhost.localdomain type=SYSCALL msg=audit(1203588801.555:41): arch=c000003e syscall=59 success=yes exit=0 a0=60c750 a1=60b570 a2=60b010 a3=30c49529f0 items=0 ppid=3199 pid=3200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
host=localhost.localdomain type=AVC msg=audit(1203588801.691:42): avc: denied { search } for pid=3200 comm="wpa_supplicant" name="dbus" dev=dm-0 ino=5210246 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
host=localhost.localdomain type=AVC msg=audit(1203588801.691:42): avc: denied { write } for pid=3200 comm="wpa_supplicant" name="system_bus_socket" dev=dm-0 ino=5210224 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
host=localhost.localdomain type=AVC msg=audit(1203588801.691:42): avc: denied { connectto } for pid=3200 comm="wpa_supplicant" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=unix_stream_socket
host=localhost.localdomain type=SYSCALL msg=audit(1203588801.691:42): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=7fff328010f0 a2=21 a3=30c49529f0 items=0 ppid=3199 pid=3200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
host=localhost.localdomain type=AVC msg=audit(1203588795.467:38): avc: denied { search } for pid=3189 comm="NetworkManager" name="dbus" dev=dm-0 ino=5210246 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
host=localhost.localdomain type=AVC msg=audit(1203588795.467:38): avc: denied { write } for pid=3189 comm="NetworkManager" name="system_bus_socket" dev=dm-0 ino=5210224 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
host=localhost.localdomain type=AVC msg=audit(1203588795.467:38): avc: denied { connectto } for pid=3189 comm="NetworkManager" path="/var/run/dbus/system_bus_socket" scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=unix_stream_socket
host=localhost.localdomain type=SYSCALL msg=audit(1203588795.467:38): arch=c000003e syscall=42 success=yes exit=0 a0=7 a1=7fff9cac6220 a2=21 a3=0 items=0 ppid=1 pid=3189 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
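The denials quoted in this thread come in two shapes: kernel AVC records (type=AVC, "avc: denied { search } for pid=... scontext=... tcontext=... tclass=dir") and userspace AVC records emitted by dbus-daemon as an object manager ("msg='avc: denied { send_msg } ... tclass=dbus"). Both carry the same triple that decides the access: source type, target type and object class. The script below is an added example, not part of the bug report and not the audit2allow/audit2why tools from the policycoreutils package; it parses both record shapes, skips SYSCALL records that carry no denial, and groups the denied permissions by (source type, target type, class) in the same way audit2allow summarises them. Unlike audit2why it does not consult the loaded policy or booleans, so it only tells you what was denied, not whether a rule already exists. The sample input is copied from the audit output quoted above.

```python
import re
from collections import defaultdict

# Records copied from the audit output quoted in this thread: kernel AVCs for
# nm-system-settings and for wpa_supplicant running in NetworkManager_t, plus
# one userspace AVC emitted by dbus-daemon for a blocked D-Bus signal.
SAMPLE_LINES = [
    'audit(1203012714.496:4): avc: denied { getattr } for pid=2558 comm="nm-system-setti" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir',
    "audit(1203012714.545:7): user pid=1918 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.NetworkManagerSettings member=NewConnection dest=org.freedesktop.DBus spid=2558 tpid=2493 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus",
    'host=localhost.localdomain type=AVC msg=audit(1203588801.691:42): avc: denied { search } for pid=3200 comm="wpa_supplicant" name="dbus" dev=dm-0 ino=5210246 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir',
    'host=localhost.localdomain type=AVC msg=audit(1203588801.691:42): avc: denied { write } for pid=3200 comm="wpa_supplicant" name="system_bus_socket" dev=dm-0 ino=5210224 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file',
    'host=localhost.localdomain type=AVC msg=audit(1203588801.691:42): avc: denied { connectto } for pid=3200 comm="wpa_supplicant" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=unix_stream_socket',
    # A SYSCALL record carries no denial; the parser must skip it.
    'host=localhost.localdomain type=SYSCALL msg=audit(1203588801.691:42): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=7fff328010f0 a2=21 a3=30c49529f0 items=0 ppid=3199 pid=3200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=system_u:system_r:NetworkManager_t:s0 key=(null)',
]

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field of a context string user:role:type[:range]."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line into its denial; return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        # kernel AVCs carry pid/comm; dbus-daemon's userspace AVCs carry spid/tpid
        "pid": fields.get("pid", fields.get("spid")),
        "comm": fields.get("comm"),
        "userspace": "msg='avc:" in line,
    }


def summarize(lines):
    """Group denied permissions by (source type, target type, class), audit2allow-style."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        rules[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return dict(rules)


def render_rules(rules):
    """Render the grouped denials as allow statements in policy syntax."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_rules(summarize(SAMPLE_LINES)))
```

Fed the real audit log (for example `grep -h 'avc:' /var/log/audit/audit.log`), the output is the set of accesses a policy would have to grant; each line is a question for the policy maintainer (is this access one the daemon legitimately needs, per the list in the comment above?) rather than something to load blindly, since the thread itself shows that the dbus denials were a policy packaging bug rather than a missing rule.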
selinux-policy-3.0.8-85.fc8 was broken, try selinux-policy-3.0.8-87.fc8
Yep, that's done it. Thanks a bunch.
Confirmed