Bug 441866 - SELinux is preventing 05-netfs (NetworkManager_t) "getattr" to /var/lock/subsys/netfs (var_lock_t).
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2008-04-10 16:18 UTC by Anne
Modified: 2008-04-11 16:05 UTC

Clone Of:
Last Closed: 2008-04-11 16:05:57 UTC


Description Anne 2008-04-10 16:18:45 UTC
Description of problem:
Multiple momentary drop-outs of cabled (static IP) network connection.

Version-Release number of selected component (if applicable):

How reproducible:

Happens at fairly frequent intervals, throughout the working session

Steps to Reproduce:
1. Work normally
Actual results:

Network is dropped, and an AVC warning comes up.  Immediately afterwards the
network re-starts.

Expected results:

Constant, steady connection.
Additional info:

Source Context:  system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context:  unconfined_u:object_r:boot_t:s0
Target Objects:  menu.lst [ lnk_file ]
Source:  kdm
Source Path:  /usr/bin/kdm
Port:  <Unknown>
Host:  david.lydgate.lan
Source RPM Packages:  kdebase-workspace-4.0.3-7.fc9
Target RPM Packages:  
Policy RPM:  selinux-policy-3.3.1-31.fc9
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  catchall_file
Host Name:  david.lydgate.lan
Platform:  Linux david.lydgate.lan 2.6.25-0.204.rc8.git4.fc9.i686 #1 SMP Mon Apr
7 11:33:46 EDT 2008 i686 athlon
Alert Count:  1
First Seen:  Thu 10 Apr 2008 04:50:26 PM BST
Last Seen:  Thu 10 Apr 2008 04:50:26 PM BST
Local ID:  98f3a649-1ebb-45eb-9634-b65ecdfae77c
Line Numbers:  

Raw Audit Messages :

host=david.lydgate.lan type=AVC msg=audit(1207842626.502:62): avc: denied
{ read } for pid=2505 comm="kdm" name="menu.lst" dev=sda1 ino=26108
tcontext=unconfined_u:object_r:boot_t:s0 tclass=lnk_file

host=david.lydgate.lan type=AVC msg=audit(1207842626.502:62): avc: denied
{ read } for pid=2505 comm="kdm" name="grub.conf" dev=sda1 ino=26107
tcontext=unconfined_u:object_r:boot_t:s0 tclass=file

host=david.lydgate.lan type=SYSCALL msg=audit(1207842626.502:62): arch=40000003
syscall=5 success=yes exit=10 a0=806694b a1=8000 a2=1b6 a3=0 items=0 ppid=1
pid=2505 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="kdm" exe="/usr/bin/kdm"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2008-04-10 19:40:29 UTC
The heading and the AVCs you attach have nothing to do with each other.

The heading should be fixed in the latest policy; you might need to restorecon
the /etc/NetworkManager directory:

restorecon -R -v /etc/NetworkManager

The AVC you are reporting is kdm trying to read a lnk_file boot.conf file.

Comment 2 Anne 2008-04-11 10:06:17 UTC
Apologies - focus change that I hadn't noticed.

I've followed your instructions, and so far haven't seen the problem.  If it
recurs I'll append the correct AVC info.
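
The mismatch raised in Comment 1, between the bug heading and the attached AVC records, can be checked mechanically before filing. The following Python sketch is an added example, not part of the original report or of any SELinux tool; the function names are hypothetical, and the sample log is the report's two AVC records unwrapped onto one line each.

```python
import re

# Heading copied from the bug title; log lines are the report's two AVC
# records, unwrapped onto one line each (constructed sample input).
HEADING = ('SELinux is preventing 05-netfs (NetworkManager_t) "getattr" '
           'to /var/lock/subsys/netfs (var_lock_t).')
SAMPLE_LOG = '''\
host=david.lydgate.lan type=AVC msg=audit(1207842626.502:62): avc: denied { read } for pid=2505 comm="kdm" name="menu.lst" dev=sda1 ino=26108 tcontext=unconfined_u:object_r:boot_t:s0 tclass=lnk_file
host=david.lydgate.lan type=AVC msg=audit(1207842626.502:62): avc: denied { read } for pid=2505 comm="kdm" name="grub.conf" dev=sda1 ino=26107 tcontext=unconfined_u:object_r:boot_t:s0 tclass=file
'''

HEADING_RE = re.compile(
    r'SELinux is preventing (?P<comm>\S+) \((?P<stype>\w+)\) '
    r'"(?P<perm>\w+)" to (?P<path>\S+) \((?P<ttype>\w+)\)')
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_heading(text):
    """Split a setroubleshoot-style heading into its named parts."""
    m = HEADING_RE.search(text)
    if not m:
        raise ValueError('unrecognised heading')
    return m.groupdict()

def parse_avc(line):
    """Return the fields of one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    ctx = fields.get('tcontext', '').split(':')  # user:role:type:level
    return {'comm': fields.get('comm'), 'perms': set(m.group('perms').split()),
            'name': fields.get('name'), 'tclass': fields.get('tclass'),
            'ttype': ctx[2] if len(ctx) > 2 else None}

def matches_heading(heading, avc):
    """True when command, permission and target type all agree."""
    return (avc['comm'] == heading['comm'] and heading['perm'] in avc['perms']
            and avc['ttype'] == heading['ttype'])

def triage(heading_text, log_text):
    """Pair every AVC denial in log_text with a match/no-match verdict."""
    heading = parse_heading(heading_text)
    avcs = [a for a in map(parse_avc, log_text.splitlines()) if a]
    return [(a, matches_heading(heading, a)) for a in avcs]

if __name__ == '__main__':
    for avc, ok in triage(HEADING, SAMPLE_LOG):
        print('MISMATCH' if not ok else 'MATCH', avc['comm'],
              sorted(avc['perms']), avc['name'], avc['ttype'])
```

Both records in the sample come back as mismatches: they are `read` denials for `kdm` on `boot_t` objects, while the heading names `getattr` by `05-netfs` on a `var_lock_t` file.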
