Bug 467583 - SELinux is preventing nm-system-setti (NetworkManager_t) "read" to ./PolicyKit (hald_var_lib_t).
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: i386 Linux
Priority: medium
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-10-18 17:54 EDT by Paul Long
Modified: 2008-11-11 17:04 EST
Doc Type: Bug Fix
Last Closed: 2008-11-11 17:04:11 EST

Description Paul Long 2008-10-18 17:54:31 EDT
Installed F8 on new PC. After applying all updates got this:


SELinux is preventing nm-system-setti (NetworkManager_t) "read" to ./PolicyKit

Detailed Description:

SELinux denied access requested by nm-system-setti. It is not expected that this
access is required by nm-system-setti and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./PolicyKit,

restorecon -v './PolicyKit'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
Target Context                system_u:object_r:hald_var_lib_t:s0
Target Objects                ./PolicyKit [ dir ]
Source                        nm-system-setti
Source Path                   /usr/sbin/nm-system-settings
Port                          <Unknown>
Host                          vanilla.icecream
Source RPM Packages           NetworkManager-0.7.0-0.11.svn4022.4.fc8
Target RPM Packages           
Policy RPM                    selinux-policy-3.0.8-117.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     vanilla.icecream
Platform                      Linux vanilla.icecream #1 SMP Sat
                              Sep 20 09:32:58 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Sat 18 Oct 2008 01:18:59 PM CDT
Last Seen                     Sat 18 Oct 2008 01:18:59 PM CDT
Local ID                      7a53da62-9a75-419e-b42f-a4a7c63a7b68
Line Numbers                  

Raw Audit Messages            

host=vanilla.icecream type=AVC msg=audit(1224353939.928:16): avc:  denied  { read } for  pid=3039 comm="nm-system-setti" name="PolicyKit" dev=dm-0 ino=4882503 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir

host=vanilla.icecream type=SYSCALL msg=audit(1224353939.928:16): arch=40000003 syscall=292 success=no exit=-13 a0=6 a1=13f08e a2=306 a3=8431b60 items=0 ppid=3038 pid=3039 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2008-10-20 09:37:35 EDT
Fixed in selinux-policy-3.0.8-119.fc8
Comment 2 David Duncan 2008-11-06 08:40:32 EST
I seem to be getting this in 8-121 as well.  

[root@mps1530 ~]# rpm -qa | grep selinux-policy
From se troubleshooting browser: 

host=mps1530.rubackedup.com type=AVC msg=audit(1225971828.77:7): avc: denied { read } for pid=2722 comm="nm-system-setti" name="PolicyKit" dev=dm-0 ino=11108485 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:polkit_var_run_t:s0 tclass=dir

host=mps1530.rubackedup.com type=SYSCALL msg=audit(1225971828.77:7): arch=40000003 syscall=292 success=yes exit=4 a0=6 a1=68b0a1 a2=306 a3=9dae6d8 items=0 ppid=2721 pid=2722 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)

ls -Z /var/lib/ shows the following
drwxrwxr-x  polkituser polkituser system_u:object_r:polkit_var_lib_t:s0 PolicyKit
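
Added example, not part of the bug report and not code from any Fedora tool: a small Python parser that pairs each AVC record on this page with the SYSCALL record of the same audit event and prints the type-enforcement rule the denial corresponds to, so the change of target type between the two reports is easy to see. The function names and the `blocked` field are this example's own; the sample lines are copied from this page, with the SYSCALL records trimmed to the fields used.

```python
import re

# AVC "denied" record: event id, permissions, both contexts, object class.
AVC_RE = re.compile(
    r'msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
# SYSCALL record of the same event: did the system call itself fail?
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<event>[\d.]+:\d+)\):.*?\bsuccess=(?P<ok>yes|no)')

def selinux_type(context):
    """Return the type, the third field of user:role:type:level."""
    return context.split(':')[2]

def correlate(lines):
    """Join AVC and SYSCALL records that share an audit event id."""
    events = {}
    for line in lines:
        avc = AVC_RE.search(line)
        if avc:
            events.setdefault(avc['event'], {}).update(
                source=selinux_type(avc['scontext']),
                target=selinux_type(avc['tcontext']),
                tclass=avc['tclass'], perms=avc['perms'].split())
        sc = SYSCALL_RE.search(line)  # also matches when both records share a line
        if sc:
            events.setdefault(sc['event'], {})['blocked'] = sc['ok'] == 'no'
    return events

def allow_rule(ev):
    """Type-enforcement rule the denial corresponds to (audit2allow-style text)."""
    perms = ev['perms']
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {ev['source']} {ev['target']}:{ev['tclass']} {p};"

# Records copied from this page; SYSCALL lines trimmed to the fields used here.
RECORDS = [
    'type=AVC msg=audit(1224353939.928:16): avc:  denied  { read } for  pid=3039 comm="nm-system-setti" name="PolicyKit" dev=dm-0 ino=4882503 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1224353939.928:16): arch=40000003 syscall=292 success=no exit=-13',
    'type=AVC msg=audit(1225971828.77:7): avc: denied { read } for pid=2722 comm="nm-system-setti" name="PolicyKit" dev=dm-0 ino=11108485 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:polkit_var_run_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1225971828.77:7): arch=40000003 syscall=292 success=yes exit=4',
]

if __name__ == '__main__':
    for event, ev in correlate(RECORDS).items():
        state = 'call failed' if ev.get('blocked') else 'logged, call succeeded'
        print(event, allow_rule(ev), state)
```

For the second event the rule names polkit_var_run_t, while the `ls -Z` listing in the same comment shows polkit_var_lib_t on the PolicyKit directory, and its SYSCALL record reports success=yes.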
Comment 3 Daniel Walsh 2008-11-06 09:26:03 EST
Could you check selinux-policy-3.0.8-123.fc8?
Comment 4 Paul Long 2008-11-06 13:17:22 EST
Sorry, but I no longer have that PC. I can't check anything regarding this bug.
Comment 5 Daniel Walsh 2008-11-06 13:38:30 EST
Ok thanks.  Maybe David can check
Comment 6 David Duncan 2008-11-07 06:14:33 EST
Having a little trouble identifying the repo where 123 is located.  Perhaps someone can help me locate the policy RPMs?
Comment 7 Daniel Walsh 2008-11-07 09:32:01 EST
Should be in updates-testing.
Comment 8 David Duncan 2008-11-11 12:00:12 EST
Added selinux-policy-3.0.8-123.fc8 selinux-policy-targeted 3.0.8-123.fc8.
sealert no longer shows the denial after reboot.
