Bug 441095 - denied write runlevel utmp for NetworkManager on interface activation
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance

Reported: 2008-04-06 00:09 EDT by Orion Poplawski
Modified: 2008-04-10 15:00 EDT
Last Closed: 2008-04-09 08:27:18 EDT
Description Orion Poplawski 2008-04-06 00:09:17 EDT
Description of problem:

Apr  5 21:33:46 bona NetworkManager: <info>  Policy set (eth1) as default device for routing and DNS.
Apr  5 21:33:46 bona NetworkManager: <info>  Activation (eth1) successful, device activated.
Apr  5 21:33:46 bona NetworkManager: <info>  Activation (eth1) Stage 5 of 5 (IP Configure Commit) complete.
Apr  5 21:33:46 bona kernel: type=1400 audit(1207452826.658:89): avc:  denied  { write } for  pid=3533 comm="runlevel" name="utmp" dev=sda5 ino=8009 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

Version-Release number of selected component (if applicable):
NetworkManager-0.7.0-0.9.1.svn3521.fc9.i386
selinux-policy-3.3.1-26.fc9.noarch
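
A small triage helper for denials like the one in the description, added here as an example (it is not part of the bug report or of selinux-policy, and the function names are this example's own). It reduces each AVC record to source type, target type, class and permissions and prints the access in rule syntax; a record wrapped across several lines is skipped.

```python
import re
from collections import defaultdict

# Line 1: the denial from the description, on one line. Line 2: constructed repeat. Line 3: from the description.
SAMPLE_LOG = '''\
Apr  5 21:33:46 bona kernel: type=1400 audit(1207452826.658:89): avc:  denied  { write } for  pid=3533 comm="runlevel" name="utmp" dev=sda5 ino=8009 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
Apr  5 21:40:02 bona kernel: type=1400 audit(1207453202.114:97): avc:  denied  { write } for  pid=3790 comm="runlevel" name="utmp" dev=sda5 ino=8009 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
Apr  5 21:33:46 bona NetworkManager: <info>  Activation (eth1) successful, device activated.
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    return context.split(':')[2]  # user:role:type[:level] -> type


def parse_avc(line):
    """Return the fields of one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None  # truncated or line-wrapped record
    fields['perms'] = m.group('perms').split()
    return fields


def summarize(log_text):
    """Group denials by (source type, target type, class) -> (sorted perms, count)."""
    groups = defaultdict(lambda: [set(), 0])
    for avc in filter(None, map(parse_avc, log_text.splitlines())):
        key = (type_of(avc['scontext']), type_of(avc['tcontext']), avc['tclass'])
        groups[key][0].update(avc['perms'])
        groups[key][1] += 1
    return {k: (sorted(p), n) for k, (p, n) in groups.items()}


def as_rule(key, perms):
    """Render a denied access in policy-rule syntax, for reading, not for loading."""
    body = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (key + (body,))


if __name__ == '__main__':
    for key, (perms, count) in summarize(SAMPLE_LOG).items():
        print(count, as_rule(key, perms))
```

The rule line shows which access was denied; it is not the change made in selinux-policy-3.3.1-30.fc9, which the report does not describe.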
Comment 1 archimerged Ark submedes 2008-04-08 20:54:05 EDT
$ cat /sbin/runlevel
#!/bin/bash
( date; ps -ef; echo runlevel "$@"; ls --lcontext /var/run/utmp ) >/tmp/runlevel-ps-ef-$( date --iso=sec | tr T: .. )
/sbin/runlevel-orig "$@"

Running in permissive mode.  Otherwise the /tmp/ file couldn't be created either.  

root      2240     1  0 20:28 ?        00:00:00 NetworkManagerDispatcher --pid-file=/var/run/NetworkManager/NetworkManagerDispatcher.pid
root      2343  2240  0 20:28 ?        00:00:00 /bin/sh /etc/NetworkManager/dispatcher.d/05-netfs eth0 up
root      2347  2343  0 20:28 ?        00:00:00 /sbin/chkconfig netfs
root      2348  2347  0 20:28 ?        00:00:00 /bin/bash /sbin/runlevel
root      2349  2348  0 20:28 ?        00:00:00 /bin/bash /sbin/runlevel
root      2354  2349  0 20:28 ?        00:00:00 ps -ef


Clearly NMdispatcher is running 05-netfs which calls chkconfig netfs which calls
runlevel, which gets the avc denial.
Comment 2 Daniel Walsh 2008-04-09 08:27:18 EDT
Please update to the latest selinux policy

Fixed in selinux-policy-3.3.1-30.fc9
Comment 3 archimerged Ark submedes 2008-04-10 15:00:20 EDT
Works in Rawhide-2008-04-09
