Bug 464615 - SELinux is preventing NetworkManager (NetworkManager_t) "sys_admin" to <Unknown> (NetworkManager_t).
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: beta
Assignee: Daniel Walsh
QA Contact: BaseOS QE
Reported: 2008-09-29 18:27 UTC by Suzanne Hillman
Modified: 2008-09-29 22:17 UTC (History)

Doc Type: Bug Fix
Last Closed: 2008-09-29 19:16:25 UTC

Description Suzanne Hillman 2008-09-29 18:27:34 UTC
Description of problem:
SELinux is preventing NetworkManager (NetworkManager_t) "sys_admin" to <Unknown> (NetworkManager_t). This happens every time I plug in the ethernet cable and it connects to it (also when it first connects on a start).

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-158.el5
NetworkManager-0.7.0-0.11.svn4082.el5
dbus-1.1.2-10.el5

How reproducible:
Always

Steps to Reproduce:
1. Start NetworkManager
2. If not already connected, plug in a network cable.
3. If not already enabled, enable "Auto Ethernet".
  
Actual results:
Aforementioned SELinux denial

Expected results:
No denial

Additional info:

Raw Audit Messages:

host=dhcp-100-2-166.bos.redhat.com type=AVC msg=audit(1222712955.594:398): avc: denied { sys_admin } for pid=4330 comm="NetworkManager" capability=21 scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:system_r:NetworkManager_t:s0 tclass=capability

host=dhcp-100-2-166.bos.redhat.com type=SYSCALL msg=audit(1222712955.594:398): arch=40000003 syscall=74 success=no exit=-1 a0=80aecba a1=15 a2=0 a3=bff843c8 items=0 ppid=1 pid=4330 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=user_u:system_r:NetworkManager_t:s0 key=(null)

Comment 1 Suzanne Hillman 2008-09-29 18:32:55 UTC
Possibly related; less clearly so (can't tell what's causing it):

host=dhcp-100-2-166.bos.redhat.com type=AVC msg=audit(1222710360.1:307): avc: denied { sys_admin } for pid=3386 comm="NetworkManager" capability=21 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability 

host=dhcp-100-2-166.bos.redhat.com type=SYSCALL msg=audit(1222710360.1:307): arch=40000003 syscall=74 success=no exit=-1 a0=80aecba a1=15 a2=0 a3=bfab2a58 items=0 ppid=1 pid=3386 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null) 

and

host=dhcp-100-2-166.bos.redhat.com type=AVC msg=audit(1222457473.789:37): avc: denied { sys_admin } for pid=3964 comm="NetworkManager" capability=21 scontext=root:system_r:NetworkManager_t:s0 tcontext=root:system_r:NetworkManager_t:s0 tclass=capability 

host=dhcp-100-2-166.bos.redhat.com type=SYSCALL msg=audit(1222457473.789:37): arch=40000003 syscall=74 success=no exit=-1 a0=80aecba a1=15 a2=0 a3=bfd9c208 items=0 ppid=1 pid=3964 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=root:system_r:NetworkManager_t:s0 key=(null)

Comment 3 Daniel Walsh 2008-09-29 19:16:25 UTC
I have been told that this is the wrong version of Network Manager; the one that will ship will not be setting the hostname and will not need this priv.

Comment 4 Dan Williams 2008-09-29 22:17:31 UTC
Yeah, svn4088 or later turns off hostname updates. 4088 is what's attached to the errata; apparently it's not getting pulled into the composes.
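
The hostname explanation in Comments 3 and 4 can be checked against the audit records in the description. The following is an added example, not part of the bug thread or of any Red Hat tooling: it pairs each AVC record with its SYSCALL record by audit event ID and decodes capability 21 and i386 syscall 74. The function names `parse_events` and `explain` are chosen here, and the lookup tables are limited to the values these records contain.

```python
import re

# First AVC/SYSCALL pair from the bug description, abridged (host= and uid fields dropped).
SAMPLE = """\
type=AVC msg=audit(1222712955.594:398): avc: denied { sys_admin } for pid=4330 comm="NetworkManager" capability=21 scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:system_r:NetworkManager_t:s0 tclass=capability
type=SYSCALL msg=audit(1222712955.594:398): arch=40000003 syscall=74 success=no exit=-1 a0=80aecba a1=15 a2=0 a3=bff843c8 items=0 ppid=1 pid=4330 comm="NetworkManager" exe="/usr/sbin/NetworkManager"
"""

# Lookup tables limited to the values these records need.
ARCHES = {"40000003": "i386"}               # AUDIT_ARCH_I386
SYSCALLS = {("i386", 74): "sethostname"}    # i386 syscall number 74
CAPS = {21: "CAP_SYS_ADMIN"}                # linux/capability.h

EVENT_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")


def parse_events(text):
    """Group records by (timestamp, serial) so each AVC meets its SYSCALL."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an audit record
        rtype, stamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        perm = PERM_RE.search(body)
        if perm:
            fields["perms"] = perm.group(1).split()
        events.setdefault((stamp, serial), {})[rtype] = fields
    return events


def explain(event):
    """Decode one event: denied capability, domain, and triggering syscall."""
    avc, sc = event.get("AVC", {}), event.get("SYSCALL", {})
    arch = ARCHES.get(sc.get("arch"), "unknown")
    ctx = avc.get("scontext", "").split(":")
    cap, nr = avc.get("capability"), sc.get("syscall")
    return {
        "comm": avc.get("comm"),
        "domain": ctx[2] if len(ctx) > 2 else None,
        "perms": avc.get("perms", []),
        "capability": CAPS.get(int(cap), cap) if cap else None,
        "syscall": SYSCALLS.get((arch, int(nr)), nr) if nr else None,
        "success": sc.get("success"),
    }
```

For the record above this reports a failed `sethostname` call by `NetworkManager` in the `NetworkManager_t` domain, denied for lack of `CAP_SYS_ADMIN`, which matches the hostname-update behaviour described in the comments.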

