Bug 444522 - Need new SElinux rules for new NetworkManager dispatcher
Summary: Need new SElinux rules for new NetworkManager dispatcher
Keywords:
Status: CLOSED DUPLICATE of bug 446969
Alias: None
Product: Fedora
Classification: Fedora
Component: NetworkManager
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Dan Williams
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-04-28 20:45 UTC by Orion Poplawski
Modified: 2008-06-02 22:48 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-06-02 22:48:45 UTC
Type: ---
Embargoed:



Description Orion Poplawski 2008-04-28 20:45:18 UTC
Description of problem:

* Sun Apr 27 2008 Dan Williams <dcbw> - 1:0.7.0-0.6.7.svn3614
- Replace dispatcher daemon with D-Bus activated callout

This is going to need some SElinux support to work.

In permissive:

Apr 28 14:27:18 eule kernel: audit(1209414438.367:4): avc:  denied  { setpgid } for  pid=2479 comm="nm-dispatcher.a" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process
Apr 28 14:27:18 eule kernel: audit(1209414438.383:5): avc:  denied  { execute } for  pid=2479 comm="nm-dispatcher.a" name="bash" dev=sda5 ino=1114143 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Apr 28 14:27:18 eule nm-dispatcher.action: Could not run script '/etc/NetworkManager/dispatcher.d/cora': (3) Failed to execute child process "/etc/NetworkManager/dispatcher.d/cora" (Permission denied)

In enforcing I get:

Apr 28 14:31:28 eule kernel: audit(1209414688.146:3): avc:  denied  { setpgid } for  pid=2489 comm="nm-dispatcher.a" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process
Apr 28 14:31:28 eule kernel: audit(1209414688.170:4): avc:  denied  { execute } for  pid=2489 comm="nm-dispatcher.a" name="bash" dev=sda5 ino=1114143 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Apr 28 14:31:28 eule kernel: audit(1209414688.170:5): avc:  denied  { read } for  pid=2489 comm="nm-dispatcher.a" name="bash" dev=sda5 ino=1114143 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Apr 28 14:31:28 eule kernel: audit(1209414688.173:6): avc:  denied  { getattr } for  pid=2489 comm="cora" path="/etc/rc.d/init.d/ypbind" dev=sda5 ino=1279231 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
Apr 28 14:31:28 eule kernel: audit(1209414688.173:7): avc:  denied  { execute } for  pid=2489 comm="cora" name="ypbind" dev=sda5 ino=1279231 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
Apr 28 14:31:28 eule kernel: audit(1209414688.193:8): avc:  denied  { execute } for  pid=2492 comm="service" name="consoletype" dev=sda5 ino=1081407 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
Apr 28 14:31:28 eule kernel: audit(1209414688.193:9): avc:  denied  { read } for  pid=2492 comm="service" name="consoletype" dev=sda5 ino=1081407 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
Apr 28 14:31:28 eule kernel: audit(1209414688.193:10): avc:  denied  { execute_no_trans } for  pid=2492 comm="service" path="/sbin/consoletype" dev=sda5 ino=1081407 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
Apr 28 14:31:28 eule kernel: audit(1209414688.193:11): avc:  denied  { getattr } for  pid=2492 comm="consoletype" path="pipe:[10018]" dev=pipefs ino=10018 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=fifo_file
Apr 28 14:31:28 eule kernel: audit(1209414688.250:12): avc:  denied  { read } for  pid=2497 comm="env" name="ypbind" dev=sda5 ino=1279231 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
Apr 28 14:31:28 eule kernel: audit(1209414688.250:13): avc:  denied  { execute_no_trans } for  pid=2497 comm="env" path="/etc/rc.d/init.d/ypbind" dev=sda5 ino=1279231 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
Apr 28 14:31:28 eule kernel: audit(1209414688.253:14): avc:  denied  { ioctl } for  pid=2497 comm="ypbind" path="/etc/rc.d/init.d/ypbind" dev=sda5 ino=1279231 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
Apr 28 14:31:28 eule kernel: audit(1209414688.279:15): avc:  denied  { search } for  pid=2503 comm="pidof" name="1" dev=proc ino=267 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
Apr 28 14:31:28 eule kernel: audit(1209414688.280:16): avc:  denied  { read } for  pid=2503 comm="pidof" name="stat" dev=proc ino=1651 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
Apr 28 14:31:28 eule kernel: audit(1209414688.280:17): avc:  denied  { getattr } for  pid=2503 comm="pidof" path="/proc/1/stat" dev=proc ino=1651 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
Apr 28 14:31:28 eule kernel: audit(1209414688.280:18): avc:  denied  { read } for  pid=2503 comm="pidof" name="exe" dev=proc ino=1653 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file
Apr 28 14:31:28 eule kernel: audit(1209414688.280:19): avc:  denied  { ptrace } for  pid=2503 comm="pidof" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process

The pidof denials repeat for all processes...

Apr 28 14:31:28 eule kernel: audit(1209414688.345:181): avc:  denied  { getattr } for  pid=2524 comm="ypbind" path="/bin/hostname" dev=sda5 ino=1114322 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
Apr 28 14:31:28 eule kernel: audit(1209414688.345:182): avc:  denied  { execute } for  pid=2524 comm="ypbind" name="hostname" dev=sda5 ino=1114322 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
Apr 28 14:31:28 eule kernel: audit(1209414688.345:183): avc:  denied  { read } for  pid=2524 comm="ypbind" name="hostname" dev=sda5 ino=1114322 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
Apr 28 14:31:28 eule kernel: audit(1209414688.345:184): avc:  denied  { execute_no_trans } for  pid=2524 comm="ypbind" path="/bin/hostname" dev=sda5 ino=1114322 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
Apr 28 14:31:28 eule kernel: audit(1209414688.410:185): avc:  denied  { getattr } for  pid=2513 comm="ypbind" path="/etc/selinux/targeted/modules/active/booleans.local" dev=sda5 ino=1280183 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=file
Apr 28 14:31:28 eule kernel: audit(1209414688.410:186): avc:  denied  { read } for  pid=2513 comm="ypbind" name="booleans.local" dev=sda5 ino=1280183 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=file
Apr 28 14:31:28 eule kernel: audit(1209414688.694:187): avc:  denied  { ioctl } for  pid=2528 comm="dhcpdomain" path="pipe:[10101]" dev=pipefs ino=10101 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=fifo_file
Apr 28 14:31:28 eule kernel: audit(1209414688.716:188): avc:  denied  { execute } for  pid=2533 comm="dhcpdomain" name="ifconfig" dev=sda5 ino=1081362 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
Apr 28 14:31:28 eule kernel: audit(1209414688.716:189): avc:  denied  { read } for  pid=2533 comm="dhcpdomain" name="ifconfig" dev=sda5 ino=1081362 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file

and lots more....


Version-Release number of selected component (if applicable):
NetworkManager-0.7.0-0.6.7.svn3614.fc8

Comment 1 Orion Poplawski 2008-04-28 20:46:14 UTC
Sorry, swapped permissive and enforcing above...

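Added example, not part of this bug report or of NetworkManager: a small Python parser for AVC records in the format quoted above. It groups the denials by (source type, target type, object class) into audit2allow-style allow statements and separately flags execute/execute_no_trans denials on *_exec_t files, which point at a missing domain transition for the callout rather than at permissions that should simply be granted to system_dbusd_t. The three sample records are copied from the report.

```python
import re
from collections import defaultdict

# Sample input: three AVC records copied from the report above (line wrapping removed).
SAMPLE_LOG = """\
Apr 28 14:27:18 eule kernel: audit(1209414438.367:4): avc:  denied  { setpgid } for  pid=2479 comm="nm-dispatcher.a" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process
Apr 28 14:27:18 eule kernel: audit(1209414438.383:5): avc:  denied  { execute } for  pid=2479 comm="nm-dispatcher.a" name="bash" dev=sda5 ino=1114143 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Apr 28 14:31:28 eule kernel: audit(1209414688.193:10): avc:  denied  { execute_no_trans } for  pid=2492 comm="service" path="/sbin/consoletype" dev=sda5 ino=1081407 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_avc(line):
    """Parse one AVC record into a dict; lines that are not AVC records return None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, quoted, bare in FIELD_RE.findall(m.group("rest")):
        rec[key] = quoted or bare
    return rec

def type_of(context):
    """user:role:type[:range] -> type, the component that policy rules are written over."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, object class) -> set of permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            rules[key].update(rec["perms"])
    return dict(rules)

def missing_transitions(rules):
    """Target *_exec_t types that are executed without leaving the caller's domain;
    the usual fix is a domain-transition rule for the callout, not a blanket allow."""
    return sorted(tgt for (src, tgt, cls), perms in rules.items()
                  if cls == "file" and tgt.endswith("_exec_t")
                  and perms & {"execute", "execute_no_trans"})

def as_allow_rules(rules):
    """Render the grouped denials in policy syntax (what audit2allow would print)."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(rules.items())]
```

Feeding the full log from the report through `summarize` collapses the long list above into a handful of (source, target, class) tuples, all with system_dbusd_t as the source, which is the visible symptom of the callout running in the D-Bus daemon's domain.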
Comment 2 Orion Poplawski 2008-05-19 18:08:09 UTC
Some new issues (in addition to above) with 3669:

May 19 11:40:47 cynosure nm-system-settings: polkit_error_get_error_message: assertion `error != NULL' failed
May 19 11:40:47 cynosure nm-system-settings: Cannot initialize libpolkit: (null)
May 19 11:40:47 cynosure nm-system-settings: polkit_error_free: assertion `error != NULL' failed
May 19 11:40:47 cynosure kernel: audit(1211218847.066:4): avc:  denied  { read } for  pid=2372 comm="nm-system-setti" name="PolicyKit" dev=sda7 ino=63851 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
May 19 11:41:05 cynosure kernel: audit(1211218865.444:5): avc:  denied  { create } for  pid=2455 comm="hal-acl-tool" scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=unix_dgram_socket



Comment 3 Orion Poplawski 2008-06-02 17:27:18 UTC
selinux-policy-3.0.8-109.fc8 looks good now.  Only denial I see (and no idea if
this is causing any trouble) is:

type=1400 audit(1212424838.730:4): avc:  denied  { read } for  pid=2564 comm="nm-system-setti" name="PolicyKit.reload" dev=sda7 ino=63931 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_crond_var_lib_t:s0 tclass=file

which may be related to using PolicyKit-0.7-4.fc8.hughsie from the "utopia" repo:

[utopia]
name=Utopia experimental for FC $releasever ($basearch)
baseurl=http://people.freedesktop.org/~hughsient/fedora/$releasever/$basearch/
enabled=1
gpgcheck=0


Comment 4 Orion Poplawski 2008-06-02 22:48:45 UTC

*** This bug has been marked as a duplicate of 446969 ***
