Created attachment 322190
setroubleshoot output

Description of problem:
SELinux is preventing nm-system-setti (NetworkManager_t) "read" to ./PolicyKit (polkit_var_lib_t).

Version-Release number of selected component (if applicable):
[morgan@morgansmachine ~]$ rpm -q selinux-policy
selinux-policy-3.0.8-121.fc8

How reproducible:
Seems to occur at system start

Steps to Reproduce:
1. I presume start system
2.
3.

Actual results:
Selinux alert

Expected results:
No selinux alert

Additional info:

Perhaps related to: https://bugzilla.redhat.com/show_bug.cgi?id=469529
Fixed in selinux-policy-3.0.8-123.fc8
Rats. Got the same thing using selinux-policy-3.0.8-123.fc8

SELinux is preventing nm-system-setti (NetworkManager_t) "read" to ./PolicyKit (polkit_var_lib_t).

Source Context: system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
Target Context: system_u:object_r:polkit_var_lib_t:s0
Target Objects: ./PolicyKit [ dir ]
Source: nm-system-setti
Source Path: /usr/sbin/nm-system-settings
Port: <Unknown>
Host: localhost.localdomain
Source RPM Packages: NetworkManager-0.7.0-0.11.svn4022.4.fc8
Target RPM Packages:
Policy RPM: selinux-policy-3.0.8-123.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall_file
Host Name: localhost.localdomain
Platform: Linux localhost.localdomain 2.6.26.6-49.fc8 #1 SMP Fri Oct 17 15:59:36 EDT 2008 i686 i686
Alert Count: 20
First Seen: Sat 01 Nov 2008 06:04:08 AM EDT
Last Seen: Wed 12 Nov 2008 07:18:40 AM EST
Local ID: aa8eec59-f05f-4c00-bb0a-9537522de6d5
Line Numbers:

Raw Audit Messages :

host=localhost.localdomain type=AVC msg=audit(1226492320.946:5): avc: denied { read } for pid=2838 comm="nm-system-setti" name="PolicyKit" dev=dm-0 ino=1704057 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1226492320.946:5): arch=40000003 syscall=292 success=no exit=-13 a0=6 a1=d1a08e a2=306 a3=8f266d8 items=0 ppid=2837 pid=2838 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)

Fixed in selinux-policy-3.0.8-127.fc8
I do not know where I can find the selinux-policy-3.0.8-127.fc8. yum tells me that selinux-policy-3.0.8-123.fc8 is the latest package available. The funny thing is that I have two identical machines (Dell Precision 370). One is constantly updated. The other one has not been updated for at least 3 months. Today I have updated it successfully without any error or warning. The constantly updated machine is stubbornly finding the bug every time it is booted. The second machine is not affected by the bug. I guess that the bug has been introduced during one of the past updating operations, causing a permanent "damage" in the labeling and that the second machine was not subjected to the bug, since it has been updated today, with a correct version of selinux-policy ...
Things are now getting worse. The second workstation is now also affected by the bug ... I have started it today and I got the usual warning: SELinux is preventing nm-system-setti (NetworkManager_t) "read" to ./PolicyKit (polkit_var_lib_t). I cannot understand how it could work correctly after the reboot following the yum update!
selinux-policy-3.0.8-127.fc8 has been marked as stable although not pushed. You can get it by executing

yum update selinux-policy-targeted --enablerepo=updates-testing

I have tried once again to find selinux-policy-3.0.8-127.fc8, as suggested by Daniel Walsh. The trial has not been successful, although the command has been issued as root:

yum update selinux-policy-targeted --enablerepo=updates-testing
Setting up Update Process
No Packages marked for Update

I have also tried the following command:

yum upgrade selinux-policy-targeted --enablerepo=updates-testing
updates-newkey | 2.3 kB 00:00
fedora | 2.1 kB 00:00
updates | 2.6 kB 00:00
Setting up Upgrade Process
No Packages marked for Update

I am surely missing something. It seems that my system refuses to consider the update-testing packages. I finally tried with the -v option. The result was:

yum list selinux-policy-targeted -v --enablerepo=updates-testing
Config time: 0.160
repo time: 0.001
Yum Version: 3.2.19
COMMAND: yum list selinux-policy-targeted -v --enablerepo=updates-testing
Installroot: /
Ext Commands:
   selinux-policy-targeted
Reading Local RPMDB
rpmdb time: 0.000
Setting up Package Sacks
pkgsack time: 0.006
Matching packages for package list to user args
Installed Packages
selinux-policy-targeted.noarch 3.0.8-123.fc8 installed

This message is a reminder that Fedora 8 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 8. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '8'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 8's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 8 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

As this bug is in MODIFIED, Fedora believes that a fix has been committed that resolves the problem listed in this bug report. If this is not the case, please re-open this report, noting the version of the package that you reproduced the bug against. Thanks for the report!
The AVC still appears:

# cat /etc/fedora-release
Fedora release 8 (Werewolf)
# rpm -qa | grep -i selinux-policy
selinux-policy-targeted-3.0.8-127.fc8
selinux-policy-devel-3.0.8-127.fc8
selinux-policy-3.0.8-127.fc8
# grep selinux-policy /var/log/yum.log | tail -n 3
Nov 20 07:38:11 Updated: selinux-policy-3.0.8-127.fc8.noarch
Nov 20 07:38:28 Updated: selinux-policy-targeted-3.0.8-127.fc8.noarch
Nov 20 07:38:42 Updated: selinux-policy-devel-3.0.8-127.fc8.noarch
# ausearch -m AVC -ts today
----
time->Thu Nov 27 08:40:38 2008
type=SYSCALL msg=audit(1227771638.930:32): arch=40000003 syscall=292 success=no exit=-13 a0=6 a1=89808e a2=306 a3=9cf6db0 items=0 ppid=3227 pid=3228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1227771638.930:32): avc: denied { read } for pid=3228 comm="nm-system-setti" name="PolicyKit" dev=dm-0 ino=2424953 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir

Created attachment 324925
setroubleshoot output

my 2c

Could you execute the following.

# sesearch --allow -s NetworkManager_t -t polkit_var_lib_t
WARNING: This policy contained disabled aliases; they have been removed.
Found 3 semantic av rules:
   allow NetworkManager_t polkit_var_lib_t : file { ioctl read getattr lock } ;
   allow NetworkManager_t polkit_var_lib_t : dir { getattr search } ;
   allow NetworkManager_t @ttr0098 : filesystem getattr ;

The output above is from F10, but it should be similar in F8.

# sesearch --allow -s NetworkManager_t -t polkit_var_lib_t
Default policy search failed: Bad address

Hmm, that doesn't look quite the same as yours... (This is from the account that's causing the problems.)

Try selinux-policy-3.0.8-128.fc8. If this does not fix it, add custom policy or upgrade to F9 or F10, where this is fixed.
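
The two steps discussed above, comparing the denied access with the allow rules sesearch reports and falling back to a custom policy, can be worked through offline on the text posted in this thread. This is an added example, not part of the bug report and not the code of any SELinux tool; both samples are copied from the comments above, and the module name local_nm_polkit is a hypothetical choice.

```python
import re
from collections import defaultdict

# AVC record copied from the thread (the denial still seen with 3.0.8-127.fc8).
AVC_SAMPLE = (
    'type=AVC msg=audit(1227771638.930:32): avc: denied { read } for pid=3228 '
    'comm="nm-system-setti" name="PolicyKit" dev=dm-0 ino=2424953 '
    'scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir')
# Allow rules as printed by sesearch in the thread (F10 output).
SESEARCH_SAMPLE = """\
allow NetworkManager_t polkit_var_lib_t : file { ioctl read getattr lock } ;
allow NetworkManager_t polkit_var_lib_t : dir { getattr search } ;
allow NetworkManager_t @ttr0098 : filesystem getattr ;
"""
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)'
                    r'\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<cls>\S+)')
ALLOW_RE = re.compile(r'allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+\{?\s*([^};]*?)\s*\}?\s*;')

def type_of(context):
    """user:role:type[:level] -> type, the field that type enforcement checks."""
    return context.split(':')[2]

def parse_denials(audit_text):
    """Denied permissions grouped by (source type, target type, class)."""
    denied = defaultdict(set)
    for m in AVC_RE.finditer(audit_text):
        denied[type_of(m['scon']), type_of(m['tcon']), m['cls']].update(m['perms'].split())
    return denied

def missing(audit_text, sesearch_text):
    """Denied permissions that none of the listed allow rules grants."""
    allowed = defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(sesearch_text):
        allowed[src, tgt, cls].update(perms.split())
    gaps = {k: sorted(p - allowed[k]) for k, p in parse_denials(audit_text).items()}
    return {k: p for k, p in gaps.items() if p}

def te_module(name, gaps):
    """Render the gaps as .te source, to be reviewed before it is compiled or loaded."""
    types = sorted({t for s, tg, _ in gaps for t in (s, tg)})
    classes = defaultdict(set)
    for (_, _, cls), perms in gaps.items():
        classes[cls].update(perms)
    req = ['\ttype %s;' % t for t in types]
    req += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    rules = ['allow %s %s:%s { %s };' % (*k, ' '.join(p)) for k, p in sorted(gaps.items())]
    return '\n'.join(['module %s 1.0;' % name, '', 'require {', *req, '}', '', *rules, ''])

if __name__ == '__main__':
    print(te_module('local_nm_polkit', missing(AVC_SAMPLE, SESEARCH_SAMPLE)))
```

On a live system, audit2allow produces the same kind of module directly from the audit log.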
Fedora 8 changed to end-of-life (EOL) status on 2009-01-07. Fedora 8 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.