Bug 464615 - SELinux is preventing NetworkManager (NetworkManager_t) "sys_admin" to <Unknown> (NetworkManager_t).
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: beta
Assigned To: Daniel Walsh
QA Contact: BaseOS QE
Reported: 2008-09-29 14:27 EDT by Suzanne Hillman
Modified: 2008-09-29 18:17 EDT
Doc Type: Bug Fix
Last Closed: 2008-09-29 15:16:25 EDT

Description Suzanne Hillman 2008-09-29 14:27:34 EDT
Description of problem:
SELinux is preventing NetworkManager (NetworkManager_t) "sys_admin" to <Unknown> (NetworkManager_t). This happens every time I plug in the ethernet cable and it connects to it (also when it first connects on a start).

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-158.el5
NetworkManager-0.7.0-0.11.svn4082.el5
dbus-1.1.2-10.el5

How reproducible:
Always

Steps to Reproduce:
1. Start NetworkManager
2. If not already connected, plug in a network cable.
3. If not already enabled, enable "Auto Ethernet".
  
Actual results:
Aforementioned SELinux denial

Expected results:
No denial

Additional info:

Raw Audit Messages:

host=dhcp-100-2-166.bos.redhat.com type=AVC msg=audit(1222712955.594:398): avc: denied { sys_admin } for pid=4330 comm="NetworkManager" capability=21 scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:system_r:NetworkManager_t:s0 tclass=capability

host=dhcp-100-2-166.bos.redhat.com type=SYSCALL msg=audit(1222712955.594:398): arch=40000003 syscall=74 success=no exit=-1 a0=80aecba a1=15 a2=0 a3=bff843c8 items=0 ppid=1 pid=4330 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=user_u:system_r:NetworkManager_t:s0 key=(null)
Comment 1 Suzanne Hillman 2008-09-29 14:32:55 EDT
Possibly related; less clearly so (can't tell what's causing it):

host=dhcp-100-2-166.bos.redhat.com type=AVC msg=audit(1222710360.1:307): avc: denied { sys_admin } for pid=3386 comm="NetworkManager" capability=21 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability 

host=dhcp-100-2-166.bos.redhat.com type=SYSCALL msg=audit(1222710360.1:307): arch=40000003 syscall=74 success=no exit=-1 a0=80aecba a1=15 a2=0 a3=bfab2a58 items=0 ppid=1 pid=3386 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null) 

and

host=dhcp-100-2-166.bos.redhat.com type=AVC msg=audit(1222457473.789:37): avc: denied { sys_admin } for pid=3964 comm="NetworkManager" capability=21 scontext=root:system_r:NetworkManager_t:s0 tcontext=root:system_r:NetworkManager_t:s0 tclass=capability 

host=dhcp-100-2-166.bos.redhat.com type=SYSCALL msg=audit(1222457473.789:37): arch=40000003 syscall=74 success=no exit=-1 a0=80aecba a1=15 a2=0 a3=bfd9c208 items=0 ppid=1 pid=3964 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=root:system_r:NetworkManager_t:s0 key=(null)
Comment 3 Daniel Walsh 2008-09-29 15:16:25 EDT
I have been told that this is the wrong version of NetworkManager; the one that will ship will not be setting the hostname and will not need this priv.
Comment 4 Dan Williams 2008-09-29 18:17:31 EDT
Yeah, svn4088 or later turns off hostname updates. 4088 is what's attached to the errata; apparently it's not getting pulled into the composes.
