Bug 469519 - NetworkManager is being denied 'read execute execute_no_trans' for nscd_exec_t
NetworkManager is being denied 'read execute execute_no_trans' for nscd_exec_t
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
8
All Linux
medium Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
: 469289 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-11-01 16:53 EDT by John Freed
Modified: 2008-11-26 12:37 EST (History)
8 users (show)

See Also:
Fixed In Version: F8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-26 12:37:58 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
SELinux error log (2.72 KB, text/plain)
2008-11-16 11:55 EST, John Freed
no flags Details

  None (edit)
Description John Freed 2008-11-01 16:53:57 EDT
I sent this to the developers' mailing list but it bounced, so I'm filing it here as well.

The latest selinux-policy-3.0.8-121.fc8 appears to have reintroduced this bug:

351671 

The following local module seems to fix this ...


module NetworkManager 1.0.4;

require {
        type NetworkManager_t;
        type nscd_exec_t;
        class file { read execute execute_no_trans };
}

#============= NetworkManager_t ==============
allow NetworkManager_t nscd_exec_t:file { read execute execute_no_trans };





+++ This bug was initially created as a clone of Bug #351671 +++

Created an attachment (id=236901)
audit.log snippet 


--- Additional comment from wwoods@redhat.com on 2007-10-24 22:37:26 EDT ---

NetworkManager-0.7.0-0.3.svn3016.fc8 wants to execute ncsd, as per the changelog
message:

- Tell nscd to restart if needed, don't silently kill it

but SELinux policy denies it. Here's the audit2allow output I gathered:

allow NetworkManager_t nscd_exec_t:file { read execute execute_no_trans };

audit messages will be attached.

--- Additional comment from wwoods@redhat.com on 2007-10-25 00:31:29 EDT ---

Appears to be fixed in selinux-policy-targeted-3.0.8-32.fc8 - can you confirm
that the change was made here? There's no mention of it in the changelog.

--- Additional comment from dwalsh@redhat.com on 2007-10-25 09:34:15 EDT ---

Fixed in selinux-policy-targeted-3.0.8-32.fc8
Comment 1 Dan Williams 2008-11-02 17:44:46 EST
-> selinux-policy
Comment 2 Dan Williams 2008-11-02 17:49:37 EST
*** Bug 469289 has been marked as a duplicate of this bug. ***
Comment 3 Daniel Walsh 2008-11-03 14:30:53 EST
Could you try selinux-policy-3.0.8-123.fc8
Comment 4 John Freed 2008-11-16 11:55:09 EST
Created attachment 323724 [details]
SELinux error log
Comment 5 John Freed 2008-11-16 11:57:01 EST
still generating errors. At your suggestion I tried this:

# sesearch --allow -s NetworkManager_t -t nscd_exec_t /etc/selinux/targeted/policy/policy.21
Found 2 semantic av rules:
   allow @ttr2432 @ttr0094 : dir { getattr search }; 
   allow NetworkManager_t @ttr0094 : filesystem getattr ;
Comment 6 John Freed 2008-11-16 12:38:40 EST
Don't know if this is related, but I note I have also begun receiving these messages about /var/lib/PolicyKit (I recall I used to see those as well):

Summary:

SELinux is preventing nm-system-setti (NetworkManager_t) "read" to ./PolicyKit
(polkit_var_lib_t).

Raw Audit Messages            

host=localhost type=AVC msg=audit(1226839322.897:21): avc:  denied  { read } for  pid=2816 comm="nm-system-setti" name="PolicyKit" dev=dm-0 ino=1806130 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir

host=localhost type=SYSCALL msg=audit(1226839322.897:21): arch=40000003 syscall=292 success=yes exit=3 a0=6 a1=16b08e a2=306 a3=837d6d8 items=1 ppid=2815 pid=2816 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)

host=localhost type=CWD msg=audit(1226839322.897:21): cwd="/"

host=localhost type=PATH msg=audit(1226839322.897:21): item=0 name="/var/lib/PolicyKit" inode=1806130 dev=fd:00 mode=040775 ouid=87 ogid=87 rdev=00:00 obj=system_u:object_r:polkit_var_lib_t:s0
Comment 7 Daniel Walsh 2008-11-17 15:15:49 EST
Could you try selinux-policy-3.0.8-127.fc8
Comment 8 Bug Zapper 2008-11-26 06:16:32 EST
This message is a reminder that Fedora 8 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 8.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '8'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 8's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 8 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 9 Jon Stanley 2008-11-26 12:37:58 EST
As this bug is in MODIFIED, Fedora believes that a fix has been committed that resolves the problem listed in this bug report.

If this is not the case, please re-open this report, noting the version of the package that you reproduced the bug against.

Thanks for the report!

Note You need to log in before you can comment on or make changes to this bug.