I installed NetworkManager-0.7.0-0.6.8.svn3669.fc8 from koji and now I get many AVCs like this (using selinux-policy-targeted-3.0.8-101.fc8):

--------------
audit(1210964905.825:347): avc: denied { read } for pid=2909 comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[2909]: segfault at 18 rip 338ce72ffd rsp 7fff89d37340 error 4
audit(1210965025.823:348): avc: denied { read } for pid=2992 comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[2992]: segfault at 18 rip 338ce72ffd rsp 7fff6254fe40 error 4
audit(1210965145.822:349): avc: denied { read } for pid=3075 comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[3075]: segfault at 18 rip 338ce72ffd rsp 7fff2345ed50 error 4
audit(1210965265.825:350): avc: denied { read } for pid=3165 comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[3165]: segfault at 18 rip 338ce72ffd rsp 7fff65ff38e0 error 4
audit(1210965385.829:351): avc: denied { read } for pid=3248 comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[3248]: segfault at 18 rip 338ce72ffd rsp 7fffb0bb74b0 error 4
audit(1210965505.828:352): avc: denied { read } for pid=3357 comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[3357]: segfault at 18 rip 338ce72ffd rsp 7fff6a0d89d0 error 4
audit(1210965625.828:353): avc: denied { read } for pid=3441 comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[3441]: segfault at 18 rip 338ce72ffd rsp 7fff841eaae0 error 4
audit(1210965745.827:354): avc: denied { read } for pid=3556 comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[3556]: segfault at 18 rip 338ce72ffd rsp 7fff062a1b90 error 4
audit(1210965865.837:355): avc: denied { read } for pid=3638 comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
---------------

audit2allow -d output:

#============= hald_acl_t ==============
allow hald_acl_t self:unix_dgram_socket create;

#============= system_dbusd_t ==============
allow system_dbusd_t hald_var_lib_t:dir read;
How is nm-system-settings labelled?
(In reply to comment #1)
> How is nm-system-settings labelled?

> ls -Z /usr/sbin/nm-system-settings
-rwxr-xr-x  root root system_u:object_r:bin_t          /usr/sbin/nm-system-settings
Some more AVCs:

-------------------------
audit(1211015519.633:4): avc: denied { write } for pid=2231 comm="hal-acl-tool" name="log" dev=tmpfs ino=6532 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211015519.633:5): avc: denied { write } for pid=2231 comm="hal-acl-tool" name="log" dev=tmpfs ino=6532 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211015519.633:6): avc: denied { write } for pid=2231 comm="hal-acl-tool" name="log" dev=tmpfs ino=6532 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211015519.763:7): avc: denied { write } for pid=2243 comm="hal-acl-tool" name="log" dev=tmpfs ino=6532 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211015519.763:8): avc: denied { write } for pid=2243 comm="hal-acl-tool" name="log" dev=tmpfs ino=6532 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211015519.763:9): avc: denied { write } for pid=2243 comm="hal-acl-tool" name="log" dev=tmpfs ino=6532 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
----------------------------

audit2allow -d

#============= hald_acl_t ==============
allow hald_acl_t devlog_t:sock_file write;
That is wrong: /usr/sbin/nm-system-settings should be labeled NetworkManager_exec_t. Does restorecon /usr/sbin/nm-system-settings fix the problem?

The hald_acl_t sending syslog messages I have never seen before. I will fix that in the next update.
Not on mine (selinux-policy-targeted-3.0.8-101.fc8):

[root@rhapsody thesis]# /sbin/restorecon /usr/sbin/nm-system-settings
[root@rhapsody thesis]# ls -Z /usr/sbin/nm-system-settings
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /usr/sbin/nm-system-settings
Dan: nm-system-settings is new in this update; will probably need policy copied from F9. I need to coordinate better with you with updates to NM so that policy can get updated at the same time.
With selinux-policy-targeted-3.0.8-105.fc8 from koji I still get:

audit(1211313858.286:4): avc: denied { read } for pid=2098 comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[2098]: segfault at 18 rip 338ce72ffd rsp 7fffa5e2d720 error 4
audit(1211313878.567:5): avc: denied { write } for pid=2250 comm="hal-acl-tool" name="log" dev=tmpfs ino=6678 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211313878.567:6): avc: denied { write } for pid=2250 comm="hal-acl-tool" name="log" dev=tmpfs ino=6678 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211313878.567:7): avc: denied { write } for pid=2250 comm="hal-acl-tool" name="log" dev=tmpfs ino=6678 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211313878.687:8): avc: denied { write } for pid=2261 comm="hal-acl-tool" name="log" dev=tmpfs ino=6678 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211313878.687:9): avc: denied { write } for pid=2261 comm="hal-acl-tool" name="log" dev=tmpfs ino=6678 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211313878.687:10): avc: denied { write } for pid=2261 comm="hal-acl-tool" name="log" dev=tmpfs ino=6678 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211313901.607:11): avc: denied { read } for pid=2471 comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[2471]: segfault at 18 rip 338ce72ffd rsp 7fffbdb59450 error 4
-------------------

audit2allow -d

#============= NetworkManager_t ==============
allow NetworkManager_t hald_var_lib_t:dir read;

#============= hald_acl_t ==============
allow hald_acl_t devlog_t:sock_file write;
-------------------

ls -Z /usr/sbin/nm-system-settings
-rwxr-xr-x  root root system_u:object_r:NetworkManager_exec_t /usr/sbin/nm-system-settings

Additionally I also get a message about dbus-launcher on policy load.
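The denials in this report show the same comm first running as system_dbusd_t (wrong executable label) and later as NetworkManager_t (label fixed). The script below is an added example, not code from the reporter or from the selinux-policy package: it collapses AVC lines into audit2allow -d style rules and, separately, flags processes running outside the domain their executable label should give, since an allow rule for the wrong domain would hide a labelling bug rather than fix it. The sample lines and the comm-to-domain mapping are constructed from the denials above.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the AVC denials quoted in this report; the
# kernel truncates comm to 15 characters, so nm-system-settings shows as nm-system-setti.
SAMPLE_AVCS = """\
audit(1210964905.825:347): avc: denied { read } for pid=2909 comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
audit(1211015519.633:4): avc: denied { write } for pid=2231 comm="hal-acl-tool" name="log" dev=tmpfs ino=6532 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
audit(1211313858.286:4): avc: denied { read } for pid=2098 comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[2098]: segfault at 18 rip 338ce72ffd rsp 7fffa5e2d720 error 4
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

# Assumed mapping: comment 6 says the binary must be labelled NetworkManager_exec_t,
# and the later denials in this report show it then runs in the NetworkManager_t domain.
EXPECTED_DOMAIN = {"nm-system-setti": "NetworkManager_t"}

def parse_avcs(text):
    """One dict per AVC denial line; non-AVC lines such as the segfault messages are skipped."""
    return [m.groupdict() for m in (AVC_RE.search(l) for l in text.splitlines()) if m]

def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]

def allow_rules(records):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    perms = defaultdict(set)
    for r in records:
        perms[(type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])].update(r["perms"].split())
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        p = " ".join(sorted(ps))
        if len(ps) > 1:
            p = "{ " + p + " }"
        rules.append(f"allow {src} {tgt}:{cls} {p};")
    return rules

def mislabelled(records, expected=EXPECTED_DOMAIN):
    """(comm, domain) pairs where a process ran outside its expected domain: the symptom of a
    wrongly labelled executable, which the rules above would paper over rather than fix."""
    return sorted({(r["comm"], type_of(r["scontext"])) for r in records
                   if r["comm"] in expected and type_of(r["scontext"]) != expected[r["comm"]]})

if __name__ == "__main__":
    recs = parse_avcs(SAMPLE_AVCS)
    print("\n".join(allow_rules(recs)))
    for comm, dom in mislabelled(recs):
        print(f"{comm} ran as {dom}: check the executable label with ls -Z and restorecon")
```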
Fixed in selinux-policy-3.0.8-106.fc8
I installed this and I am still getting:

--------------------
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /lib/dbus-1/dbus-daemon-launch-helper (system_u:object_r:system_dbusd_exec_t:s0 and system_u:object_r:bin_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /lib64/dbus-1/dbus-daemon-launch-helper (system_u:object_r:system_dbusd_exec_t:s0 and system_u:object_r:bin_t:s0).
---------------------

on policy load. cat /etc/selinux/targeted/contexts/files/file_contexts | grep dbus shows:

---------------
/etc/dbus-1(/.*)?	system_u:object_r:dbusd_etc_t:s0
/var/lib/dbus(/.*)?	system_u:object_r:system_dbusd_var_lib_t:s0
/var/run/dbus(/.*)?	system_u:object_r:system_dbusd_var_run_t:s0
/usr/bin/dbus-daemon(-1)?	--	system_u:object_r:system_dbusd_exec_t:s0
/var/named/chroot/var/run/dbus(/.*)?	system_u:object_r:system_dbusd_var_run_t:s0
/bin/dbus-daemon	--	system_u:object_r:system_dbusd_exec_t:s0
/lib/dbus-1/dbus-daemon-launch-helper	--	system_u:object_r:bin_t:s0
/lib/dbus-1/dbus-daemon-launch-helper	--	system_u:object_r:system_dbusd_exec_t:s0
/lib64/dbus-1/dbus-daemon-launch-helper	--	system_u:object_r:bin_t:s0
/lib64/dbus-1/dbus-daemon-launch-helper	--	system_u:object_r:system_dbusd_e
-------------------

There are indeed two contexts, bin_t and system_dbusd_exec_t.
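The "Multiple different specifications" message above comes from two file_contexts entries matching the same path spec with different types. As an added example (not the reporter's or the selinux-policy project's code), the script below parses a file_contexts excerpt and reports every spec that is listed more than once, distinguishing conflicting contexts from harmless identical repeats. The sample is constructed from the grep output above; its last line, which the page cuts off, is written out here as system_dbusd_exec_t by assumption.

```python
from collections import defaultdict

# Constructed file_contexts excerpt modelled on the grep output in this report (the page's
# last line is cut off; here it is written out as system_dbusd_exec_t, an assumption).
SAMPLE_FILE_CONTEXTS = """\
/etc/dbus-1(/.*)?                        system_u:object_r:dbusd_etc_t:s0
/var/lib/dbus(/.*)?                      system_u:object_r:system_dbusd_var_lib_t:s0
/usr/bin/dbus-daemon(-1)?            --  system_u:object_r:system_dbusd_exec_t:s0
/bin/dbus-daemon                     --  system_u:object_r:system_dbusd_exec_t:s0
/lib/dbus-1/dbus-daemon-launch-helper   --  system_u:object_r:bin_t:s0
/lib/dbus-1/dbus-daemon-launch-helper   --  system_u:object_r:system_dbusd_exec_t:s0
/lib64/dbus-1/dbus-daemon-launch-helper --  system_u:object_r:bin_t:s0
/lib64/dbus-1/dbus-daemon-launch-helper --  system_u:object_r:system_dbusd_exec_t:s0
/lib64/dbus-1/dbus-daemon-launch-helper --  system_u:object_r:system_dbusd_exec_t:s0
"""

def parse_file_contexts(text):
    """(regex, file_type, context) per spec; file_type is None when no -- / -d field is given."""
    specs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # comments and blank lines are ignored
        if len(fields) == 3:
            specs.append((fields[0], fields[1], fields[2]))
        elif len(fields) == 2:
            specs.append((fields[0], None, fields[1]))
        elif fields:
            raise ValueError(f"malformed spec: {line!r}")
    return specs

def find_conflicts(specs):
    """{(regex, file_type): sorted distinct contexts} for every spec listed more than once.
    More than one distinct context is the 'Multiple different specifications' error quoted
    in this report; an identical repeat is harmless but still worth flagging."""
    by_key = defaultdict(list)
    for regex, ftype, ctx in specs:
        by_key[(regex, ftype)].append(ctx)
    return {k: sorted(set(v)) for k, v in by_key.items() if len(v) > 1}

def report(text):
    """One finding line per affected spec, worded like the loader's message."""
    conflicts = find_conflicts(parse_file_contexts(text))
    out = []
    for (regex, _ftype), ctxs in sorted(conflicts.items(), key=lambda kv: (kv[0][0], kv[0][1] or "")):
        kind = "different" if len(ctxs) > 1 else "same"
        out.append(f"Multiple {kind} specifications for {regex} ({' and '.join(ctxs)})")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FILE_CONTEXTS)))
```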
Forgot to add: the AVCs are indeed fixed now.
The dbus issue seems to be the reason for nm-system-settings segfaulting ... it does not happen when I start it by hand or when I let dbus start it in permissive mode.
Fixed file context in selinux-policy-3.0.8-107.fc8
Using selinux-policy-3.0.8-109.fc8 everything seems to work fine. And nm-system-settings no longer segfaults.
*** Bug 444522 has been marked as a duplicate of this bug. ***