Bug 442217 - Incorrect Selinux file contexts for NetworkManager
Product: Fedora
Classification: Fedora
Component: selinux-policy
Platform: i386 Linux
Priority: low
Severity: high
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-04-12 17:53 EDT by Naresh
Modified: 2008-04-14 10:50 EDT
Doc Type: Bug Fix
Last Closed: 2008-04-14 10:50:05 EDT

Description Naresh 2008-04-12 17:53:45 EDT

SELinux is preventing NetworkManagerD (NetworkManager_t) "getattr" to
/etc/NetworkManager/dispatcher.d/00-netreport (unlabeled_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by NetworkManagerD. It is not expected that this
access is required by NetworkManagerD and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for

restorecon -v '/etc/NetworkManager/dispatcher.d/00-netreport'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                /etc/NetworkManager/dispatcher.d/00-netreport [
                              file ]
Source                        NetworkManagerD
Source Path                   /usr/sbin/NetworkManagerDispatcher
Port                          <Unknown>
Host                          fallenAngel
Source RPM Packages           NetworkManager-0.7.0-0.9.1.svn3549.fc9
Target RPM Packages           initscripts-8.69-1
Policy RPM                    selinux-policy-3.3.1-33.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     fallenAngel
Platform                      Linux fallenAngel 2.6.25-0.218.rc8.git7.fc9.i686
                              #1 SMP Wed Apr 9 20:35:56 EDT 2008 i686 i686
Alert Count                   23
First Seen                    Sat 12 Apr 2008 08:30:59 AM IST
Last Seen                     Sun 13 Apr 2008 03:15:00 AM IST
Local ID                      6f82cae3-355e-4b04-ac4a-6ac6fd926150
Line Numbers                  

Raw Audit Messages            

host=fallenAngel type=AVC msg=audit(1208036700.180:32): avc:  denied  { getattr
} for  pid=2306 comm="NetworkManagerD"
path="/etc/NetworkManager/dispatcher.d/00-netreport" dev=sda3 ino=188968
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

host=fallenAngel type=SYSCALL msg=audit(1208036700.180:32): arch=40000003
syscall=195 success=yes exit=0 a0=9cae140 a1=bfe545b4 a2=2c9ff4 a3=9cbbf03
items=0 ppid=1 pid=2306 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManagerD"
subj=system_u:system_r:NetworkManager_t:s0 key=(null)

====== Additional Details =======

[root@fallenAngel ~]# /sbin/fixfiles check
/etc/selinux/targeted/contexts/files/file_contexts:  line 1340 has invalid
context system_u:object_r:NetworkManager_script_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:  line 2087 has invalid
context system_u:object_r:audisp_remote_exec_t:s0

[root@fallenAngel ~]# rpm -qf /etc/selinux/targeted/contexts/files/file_contexts

[root@fallenAngel dispatcher.d]# ls -lZ
-rwxr-xr-x  root root system_u:object_r:unlabeled_t:s0 00-netreport
-rwxr-xr-x  root root system_u:object_r:unlabeled_t:s0 05-netfs

[root@fallenAngel dispatcher.d]# pwd

=> I am unable to label those two files for some reason, because of this I need
to work in 'permissive' mode
Comment 1 Warren Togami 2008-04-13 20:17:02 EDT

This was added very recently right?  Owned by initscripts.
Comment 2 Naresh 2008-04-13 20:48:44 EDT
Yea, owned by initscripts

[nareshv@fallenAngel ~]$ rpm -qf /etc/NetworkManager/dispatcher.d/00-netreport
Comment 3 Daniel Walsh 2008-04-14 09:29:23 EDT
This looks like you have the wrong policy loaded.  Do you have multiple policy
files in /etc/selinux/targeted/policy?

If yes, remove the lower-numbered one and execute load_policy.

The unlabeled_t should disappear.

Does this solve your problem?
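The check in this comment (look for more than one policy.N file under the policy directory, keep only the highest-numbered one, then reload) and the symptom in the report's Raw Audit Messages (an AVC whose target context is unlabeled_t) can both be turned into a small read-only diagnostic. The script below is an added example, not part of the bug report or of selinux-policy itself: `stale_policy_files` takes the policy directory as an argument (the real one is /etc/selinux/targeted/policy; the demo uses a constructed temporary directory) and only reports candidates, it never deletes anything or runs load_policy; `unlabeled_avc_targets` reads audit lines on stdin and prints the pid, comm and path of each AVC record against an unlabeled_t target. The sample audit lines are constructed from the records in the report, joined back onto single lines as they appear in a real audit log.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy). Two read-only checks.

# stale_policy_files DIR
# Print every policy.N file in DIR except the one with the highest N.
# Comment 3's advice is that the highest-numbered file is the one the
# toolchain writes; older ones are leftovers that can be loaded by mistake.
stale_policy_files() {
    dir=$1
    # Highest numeric suffix among policy.N files (policy.kern etc. ignored).
    newest=$(ls "$dir" 2>/dev/null | sed -n 's/^policy\.\([0-9][0-9]*\)$/\1/p' | sort -n | tail -n 1)
    [ -n "$newest" ] || return 0
    for f in "$dir"/policy.*; do
        n=${f##*policy.}
        # Skip non-numeric suffixes and the unmatched-glob literal "policy.*".
        case $n in *[!0-9]*|'') continue ;; esac
        [ "$n" -lt "$newest" ] && basename "$f"
    done
    return 0
}

# unlabeled_avc_targets < audit-lines
# Print "pid comm path" for each AVC record whose target context type is
# unlabeled_t. SYSCALL records and AVCs against properly labeled files are
# dropped. An unlabeled_t target points at a labeling problem, not at the
# policy rules for the source domain.
unlabeled_avc_targets() {
    grep 'type=AVC' | grep 'tcontext=[^ ]*:unlabeled_t:' |
    sed -n 's/.*pid=\([0-9]*\) comm="\([^"]*\)".*path="\([^"]*\)".*/\1 \2 \3/p'
}

# Constructed sample input: the report's AVC and SYSCALL records on single
# lines, plus one hypothetical AVC against a correctly labeled file.
SAMPLE_AUDIT='host=fallenAngel type=AVC msg=audit(1208036700.180:32): avc:  denied  { getattr } for  pid=2306 comm="NetworkManagerD" path="/etc/NetworkManager/dispatcher.d/00-netreport" dev=sda3 ino=188968 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
host=fallenAngel type=SYSCALL msg=audit(1208036700.180:32): arch=40000003 syscall=195 success=yes exit=0 pid=2306 comm="NetworkManagerD" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
host=fallenAngel type=AVC msg=audit(1208036800.000:33): avc:  denied  { execute } for  pid=2307 comm="NetworkManagerD" path="/etc/NetworkManager/dispatcher.d/05-netfs" dev=sda3 ino=188969 tcontext=system_u:object_r:NetworkManager_script_exec_t:s0 tclass=file'

# Demo on a constructed directory that mirrors Comment 4's listing.
demo_dir=$(mktemp -d)
: > "$demo_dir/policy.22"
: > "$demo_dir/policy.23"
echo "stale policy files in $demo_dir:"
stale_policy_files "$demo_dir"
rm -rf "$demo_dir"

echo "AVC records against unlabeled_t targets:"
printf '%s\n' "$SAMPLE_AUDIT" | unlabeled_avc_targets
```

On a real system, run `stale_policy_files /etc/selinux/targeted/policy` first; if it prints anything, that is the situation described in this comment. Pipe `ausearch -m avc` (or the raw audit log) into `unlabeled_avc_targets` to confirm that the denials are labeling denials rather than genuine policy gaps before deciding whether restorecon, a policy reload, or a local policy module is the right fix.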
Comment 4 Naresh 2008-04-14 10:21:25 EDT
Yea, seems I have two policy files present in the above directory.

[nareshv@fallenAngel policy]$ ls -l
total 7176
-rw-r--r-- 1 root root 3551052 2008-04-12 12:04 policy.22
-rw-r--r-- 1 root root 3785292 2008-04-12 07:39 policy.23

Not sure how two came up, I did a fresh install from F9-Beta DVD and upgraded to
the latest rawhide. It's kinda weird.

Lemme delete policy.22 and try again.
Comment 5 Naresh 2008-04-14 10:28:41 EDT
Seems that did the trick.

[root@fallenAngel dispatcher.d]# ls -lZ
-rwxr-xr-x  root root system_u:object_r:NetworkManager_script_exec_t:s0 00-netreport
-rwxr-xr-x  root root system_u:object_r:NetworkManager_script_exec_t:s0 05-netfs

many thanks.
Comment 6 Daniel Walsh 2008-04-14 10:50:05 EDT
Not sure there is a good way to fix this, as this is an issue of the toolchain
being different than what is in the upstart initrd. Removing the file seems to
fix the problem. The file will not be created again since the toolchain only
creates the latest.
