Bug 446969 - AVC messages when using new NetworkManager build
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All Linux
Priority: low  Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Duplicates: 444522
Reported: 2008-05-16 15:36 EDT by drago01
Modified: 2008-07-05 12:23 EDT
Doc Type: Bug Fix
Last Closed: 2008-07-05 12:23:56 EDT
Attachments: None

Description drago01 2008-05-16 15:36:15 EDT
I installed NetworkManager-0.7.0-0.6.8.svn3669.fc8 from koji and now I get many
AVCs like this (using selinux-policy-targeted-3.0.8-101.fc8):
--------------
audit(1210964905.825:347): avc:  denied  { read } for  pid=2909
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[2909]: segfault at 18 rip 338ce72ffd rsp 7fff89d37340 error 4
audit(1210965025.823:348): avc:  denied  { read } for  pid=2992
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[2992]: segfault at 18 rip 338ce72ffd rsp 7fff6254fe40 error 4
audit(1210965145.822:349): avc:  denied  { read } for  pid=3075
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[3075]: segfault at 18 rip 338ce72ffd rsp 7fff2345ed50 error 4
audit(1210965265.825:350): avc:  denied  { read } for  pid=3165
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[3165]: segfault at 18 rip 338ce72ffd rsp 7fff65ff38e0 error 4
audit(1210965385.829:351): avc:  denied  { read } for  pid=3248
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[3248]: segfault at 18 rip 338ce72ffd rsp 7fffb0bb74b0 error 4
audit(1210965505.828:352): avc:  denied  { read } for  pid=3357
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[3357]: segfault at 18 rip 338ce72ffd rsp 7fff6a0d89d0 error 4
audit(1210965625.828:353): avc:  denied  { read } for  pid=3441
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[3441]: segfault at 18 rip 338ce72ffd rsp 7fff841eaae0 error 4
audit(1210965745.827:354): avc:  denied  { read } for  pid=3556
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[3556]: segfault at 18 rip 338ce72ffd rsp 7fff062a1b90 error 4
audit(1210965865.837:355): avc:  denied  { read } for  pid=3638
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
---------------
audit2allow -d output:


#============= hald_acl_t ==============
allow hald_acl_t self:unix_dgram_socket create;

#============= system_dbusd_t ==============
allow system_dbusd_t hald_var_lib_t:dir read;
Comment 1 Daniel Walsh 2008-05-16 16:48:04 EDT
How is nm-system-settings labelled?
Comment 2 drago01 2008-05-16 19:04:45 EDT
(In reply to comment #1)
> How is nm-system-settings labelled?
> 

ls -Z /usr/sbin/nm-system-settings
-rwxr-xr-x  root root system_u:object_r:bin_t          /usr/sbin/nm-system-settings
Comment 3 drago01 2008-05-17 05:36:53 EDT
Some more AVCs:
-------------------------
audit(1211015519.633:4): avc:  denied  { write } for  pid=2231
comm="hal-acl-tool" name="log" dev=tmpfs ino=6532
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211015519.633:5): avc:  denied  { write } for  pid=2231
comm="hal-acl-tool" name="log" dev=tmpfs ino=6532
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211015519.633:6): avc:  denied  { write } for  pid=2231
comm="hal-acl-tool" name="log" dev=tmpfs ino=6532
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211015519.763:7): avc:  denied  { write } for  pid=2243
comm="hal-acl-tool" name="log" dev=tmpfs ino=6532
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211015519.763:8): avc:  denied  { write } for  pid=2243
comm="hal-acl-tool" name="log" dev=tmpfs ino=6532
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211015519.763:9): avc:  denied  { write } for  pid=2243
comm="hal-acl-tool" name="log" dev=tmpfs ino=6532
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
----------------------------
audit2allow -d


#============= hald_acl_t ==============
allow hald_acl_t devlog_t:sock_file write;
Comment 4 Daniel Walsh 2008-05-19 14:27:05 EDT
That is wrong.

/usr/sbin/nm-system-settings

should be labeled NetworkManager_exec_t.

Does restorecon /usr/sbin/nm-system-settings

fix the problem?

The hald_acl_t sending syslog messages I have never seen before.

I will fix that in the next update.

Comment 5 James 2008-05-19 14:33:04 EDT
Not on mine (selinux-policy-targeted-3.0.8-101.fc8)

[root@rhapsody thesis]# /sbin/restorecon /usr/sbin/nm-system-settings
[root@rhapsody thesis]# ls -Z /usr/sbin/nm-system-settings
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /usr/sbin/nm-system-settings
Comment 6 Dan Williams 2008-05-19 14:48:12 EDT
Dan: nm-system-settings is new in this update; will probably need policy copied
from F9.  I need to coordinate better with you with updates to NM so that policy
can get updated at the same time.
Comment 7 drago01 2008-05-20 16:15:16 EDT
With selinux-policy-targeted-3.0.8-105.fc8 from koji I still get:
audit(1211313858.286:4): avc:  denied  { read } for  pid=2098
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[2098]: segfault at 18 rip 338ce72ffd rsp 7fffa5e2d720 error 4
audit(1211313878.567:5): avc:  denied  { write } for  pid=2250
comm="hal-acl-tool" name="log" dev=tmpfs ino=6678
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211313878.567:6): avc:  denied  { write } for  pid=2250
comm="hal-acl-tool" name="log" dev=tmpfs ino=6678
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211313878.567:7): avc:  denied  { write } for  pid=2250
comm="hal-acl-tool" name="log" dev=tmpfs ino=6678
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211313878.687:8): avc:  denied  { write } for  pid=2261
comm="hal-acl-tool" name="log" dev=tmpfs ino=6678
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211313878.687:9): avc:  denied  { write } for  pid=2261
comm="hal-acl-tool" name="log" dev=tmpfs ino=6678
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211313878.687:10): avc:  denied  { write } for  pid=2261
comm="hal-acl-tool" name="log" dev=tmpfs ino=6678
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211313901.607:11): avc:  denied  { read } for  pid=2471
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[2471]: segfault at 18 rip 338ce72ffd rsp 7fffbdb59450 error 4
-------------------
audit2allow -d


#============= NetworkManager_t ==============
allow NetworkManager_t hald_var_lib_t:dir read;

#============= hald_acl_t ==============
allow hald_acl_t devlog_t:sock_file write;
-------------------
ls -Z /usr/sbin/nm-system-settings
-rwxr-xr-x  root root system_u:object_r:NetworkManager_exec_t /usr/sbin/nm-system-settings


Additionally, I also get a message about dbus-launcher on policy load.

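The denials quoted in the description and in comments 3 and 7 all have the same shape, and two different things are hiding in them: plain missing rules (hald_acl_t writing to the syslog socket) and a process running in the wrong domain (nm-system-settings in system_dbusd_t, later NetworkManager_t, because of how its executable is labeled). The following is an added example, not code from the bug report or from the selinux-policy package: it re-joins the syslog-wrapped records, collapses them into audit2allow-style rules, and separately flags denials whose source domain does not match the domain the process should transition into. The sample log and the comm-to-domain table are constructed for the example.

```python
"""Summarize SELinux AVC denials from syslog-wrapped audit lines (added example)."""
import re
from collections import defaultdict

# Constructed sample in the wrapped form the bug report shows, with an
# unrelated kernel segfault line interleaved between records.
SAMPLE_LOG = """\
audit(1210964905.825:347): avc:  denied  { read } for  pid=2909
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
nm-system-setti[2909]: segfault at 18 rip 338ce72ffd rsp 7fff89d37340 error 4
audit(1211015519.633:4): avc:  denied  { write } for  pid=2231
comm="hal-acl-tool" name="log" dev=tmpfs ino=6532
scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:devlog_t:s0
tclass=sock_file
audit(1211313858.286:4): avc:  denied  { read } for  pid=2098
comm="nm-system-setti" name="PolicyKit" dev=sda2 ino=7864839
scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
"""

# Assumption for the example: the domain each command is expected to run in.
# The kernel truncates comm to 15 characters, hence "nm-system-setti".
EXPECTED_DOMAIN = {"nm-system-setti": "NetworkManager_t"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'\{\s*([^}]+?)\s*\}')


def join_records(text):
    """Re-join AVC records that syslog wrapped over several lines.

    A record starts at 'audit(' and continues on following lines that
    consist only of key=value tokens; anything else closes the record.
    """
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("audit("):
            if current:
                records.append(current)
            current = line
        elif current and line and all(KV_RE.fullmatch(t) for t in line.split()):
            current += " " + line
        else:
            if current:
                records.append(current)
            current = None
    if current:
        records.append(current)
    return records


def parse_record(rec):
    """Extract the fields a policy writer needs; None for non-denial records."""
    if "avc:" not in rec or "denied" not in rec:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(rec)}
    return {
        "perms": PERM_RE.search(rec).group(1).split(),
        "pid": int(kv["pid"]),
        "comm": kv["comm"],
        "sdomain": kv["scontext"].split(":")[2],  # type field of the context
        "ttype": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
    }


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def audit2allow_rules(text):
    """Collapse the denials into audit2allow-style 'allow' lines."""
    rules = defaultdict(set)
    for rec in join_records(text):
        d = parse_record(rec)
        if d:
            rules[(d["sdomain"], d["ttype"], d["tclass"])].update(d["perms"])
    return [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(rules.items())]


def mislabeled_processes(text, expected=EXPECTED_DOMAIN):
    """Return (comm, pid, actual_domain) for processes running outside the
    domain their executable should transition into. Those denials point at
    a labeling problem (restorecon / file_contexts), not at a missing rule."""
    hits = []
    for rec in join_records(text):
        d = parse_record(rec)
        if d and d["comm"] in expected and d["sdomain"] != expected[d["comm"]]:
            hits.append((d["comm"], d["pid"], d["sdomain"]))
    return hits


if __name__ == "__main__":
    for rule in audit2allow_rules(SAMPLE_LOG):
        print(rule)
    for comm, pid, dom in mislabeled_processes(SAMPLE_LOG):
        print(f"{comm}[{pid}] runs in {dom}, expected {EXPECTED_DOMAIN[comm]}: check the executable's label")
```

Run against a real `/var/log/messages` or `ausearch -m avc` output, the mislabeling check is the part audit2allow does not do: a rule generated for `system_dbusd_t` here would have granted the D-Bus daemon's domain access it never needed, whereas the actual fix was the `NetworkManager_exec_t` label on the binary.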
Comment 8 Daniel Walsh 2008-05-20 17:28:34 EDT
Fixed in selinux-policy-3.0.8-106.fc8
Comment 9 drago01 2008-05-22 16:08:06 EDT
I installed this and I am still getting
--------------------
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different
specifications for /lib/dbus-1/dbus-daemon-launch-helper 
(system_u:object_r:system_dbusd_exec_t:s0 and system_u:object_r:bin_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different
specifications for /lib64/dbus-1/dbus-daemon-launch-helper 
(system_u:object_r:system_dbusd_exec_t:s0 and system_u:object_r:bin_t:s0).
---------------------
on policy load 

cat  /etc/selinux/targeted/contexts/files/file_contexts | grep dbus
shows: 
---------------
/etc/dbus-1(/.*)?       system_u:object_r:dbusd_etc_t:s0
/var/lib/dbus(/.*)?     system_u:object_r:system_dbusd_var_lib_t:s0
/var/run/dbus(/.*)?     system_u:object_r:system_dbusd_var_run_t:s0
/usr/bin/dbus-daemon(-1)?       --      system_u:object_r:system_dbusd_exec_t:s0
/var/named/chroot/var/run/dbus(/.*)?    system_u:object_r:system_dbusd_var_run_t:s0
/bin/dbus-daemon        --      system_u:object_r:system_dbusd_exec_t:s0
/lib/dbus-1/dbus-daemon-launch-helper   --      system_u:object_r:bin_t:s0
/lib/dbus-1/dbus-daemon-launch-helper   --      system_u:object_r:system_dbusd_exec_t:s0
/lib64/dbus-1/dbus-daemon-launch-helper --      system_u:object_r:bin_t:s0
/lib64/dbus-1/dbus-daemon-launch-helper --      system_u:object_r:system_dbusd_e
-------------------
There are indeed two contexts, bin_t and system_dbusd_exec_t.
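The "Multiple different specifications" message comes from the file_contexts loader: two entries with the same path regex and file type but different contexts. As an added example (not from the bug report or from libselinux), here is a small checker that parses the `regex [filetype] context` format of file_contexts and reports both conflicting duplicates (an error, as in comment 9) and same-context duplicates (harmless but worth cleaning up). The input is a constructed excerpt modeled on the grep output above; the `/usr/sbin/nm-system-settings` pair is added only to show the benign case.

```python
"""Find duplicate and conflicting entries in an SELinux file_contexts file (added example)."""
import re
from collections import defaultdict

# Constructed sample modeled on the grep output in comment 9. The real file on
# a targeted-policy system is /etc/selinux/targeted/contexts/files/file_contexts.
SAMPLE_FILE_CONTEXTS = """\
# comment lines and blank lines are ignored
/etc/dbus-1(/.*)?       system_u:object_r:dbusd_etc_t:s0
/var/lib/dbus(/.*)?     system_u:object_r:system_dbusd_var_lib_t:s0
/usr/bin/dbus-daemon(-1)?       --      system_u:object_r:system_dbusd_exec_t:s0
/bin/dbus-daemon        --      system_u:object_r:system_dbusd_exec_t:s0
/lib/dbus-1/dbus-daemon-launch-helper   --      system_u:object_r:bin_t:s0
/lib/dbus-1/dbus-daemon-launch-helper   --      system_u:object_r:system_dbusd_exec_t:s0
/lib64/dbus-1/dbus-daemon-launch-helper --      system_u:object_r:bin_t:s0
/lib64/dbus-1/dbus-daemon-launch-helper --      system_u:object_r:system_dbusd_exec_t:s0
/usr/sbin/nm-system-settings    --      system_u:object_r:NetworkManager_exec_t:s0
/usr/sbin/nm-system-settings    --      system_u:object_r:NetworkManager_exec_t:s0
"""

# regex, optional file type (--, -d, -l, -b, -c, -p, -s), context or <<none>>
LINE_RE = re.compile(r'^(\S+)\s+(?:(-[-bcdlps])\s+)?(\S+)\s*$')


def parse_file_contexts(text):
    """Return a list of (regex, filetype_or_None, context) tuples."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        regex, ftype, ctx = m.groups()
        specs.append((regex, ftype, ctx))
    return specs


def find_conflicts(specs):
    """Group entries by (regex, filetype).

    Returns (different, same): 'different' lists (regex, [contexts]) for
    entries that name more than one context, which the loader rejects;
    'same' lists regexes repeated with an identical context.
    """
    by_key = defaultdict(list)
    for regex, ftype, ctx in specs:
        by_key[(regex, ftype)].append(ctx)
    different, same = [], []
    for (regex, _ftype), ctxs in by_key.items():
        if len(ctxs) < 2:
            continue
        if len(set(ctxs)) > 1:
            different.append((regex, sorted(set(ctxs))))
        else:
            same.append(regex)
    return different, same


if __name__ == "__main__":
    different, same = find_conflicts(parse_file_contexts(SAMPLE_FILE_CONTEXTS))
    for regex, ctxs in different:
        print(f"Multiple different specifications for {regex} ({' and '.join(ctxs)}).")
    for regex in same:
        print(f"Multiple same specifications for {regex}.")
```

Running this over the installed file_contexts (and over `file_contexts.local` or a module's `.fc` file before `semodule -i`) catches the conflict at review time rather than at policy load, when the loader's choice between `bin_t` and `system_dbusd_exec_t` decides whether the D-Bus launch helper gets its domain transition.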
Comment 10 drago01 2008-05-22 16:15:30 EDT
Forgot to add: the AVCs are indeed fixed now.
Comment 11 drago01 2008-05-23 14:33:03 EDT
The dbus issue seems to be the reason for nm-system-settings segfaulting ... it
does not happen when I start it by hand or when I let dbus start it in
permissive mode.
Comment 12 Daniel Walsh 2008-05-27 08:36:15 EDT
Fixed file context in selinux-policy-3.0.8-107.fc8
Comment 13 drago01 2008-05-29 16:50:42 EDT
Using selinux-policy-3.0.8-109.fc8 everything seems to work fine. And
nm-system-settings no longer segfaults.
Comment 14 Orion Poplawski 2008-06-02 18:48:46 EDT
*** Bug 444522 has been marked as a duplicate of this bug. ***