Bug 469528 - SELinux is preventing nm-system-setti (NetworkManager_t) "read" to ./PolicyKit (polkit_var_lib_t).
Product: Fedora
Classification: Fedora
Component: selinux-policy
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
: Reopened
Reported: 2008-11-01 18:22 EDT by morgan read
Modified: 2009-01-09 02:54 EST
Fixed In Version: F8
Doc Type: Bug Fix
Last Closed: 2009-01-09 02:54:29 EST

Attachments
setroubleshoot output (2.92 KB, text/plain)
2008-11-01 18:22 EDT, morgan read
setroubleshoot output (3.03 KB, text/plain)
2008-11-27 18:00 EST, morgan read
Description morgan read 2008-11-01 18:22:20 EDT
Created attachment 322190
setroubleshoot output

Description of problem:
SELinux is preventing nm-system-setti (NetworkManager_t) "read" to ./PolicyKit (polkit_var_lib_t).

Version-Release number of selected component (if applicable):
[morgan@morgansmachine ~]$ rpm -q selinux-policy

How reproducible:
Seems to occur at system start

Steps to Reproduce:
1. I presume start system
Actual results:
Selinux alert

Expected results:
No selinux alert

Additional info:
Comment 1 morgan read 2008-11-01 18:24:15 EDT
Perhaps related to:
Comment 2 Daniel Walsh 2008-11-03 14:33:05 EST
Fixed in selinux-policy-3.0.8-123.fc8
Comment 3 Rogers W. Claggett 2008-11-12 08:15:55 EST
Rats.  Got the same thing using selinux-policy-3.0.8-123.fc8

SELinux is preventing nm-system-setti (NetworkManager_t) "read" to ./PolicyKit (polkit_var_lib_t). 

Source Context:  system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
Target Context:  system_u:object_r:polkit_var_lib_t:s0
Target Objects:  ./PolicyKit [ dir ]
Source:  nm-system-setti
Source Path:  /usr/sbin/nm-system-settings
Port:  <Unknown>
Host:  localhost.localdomain
Source RPM Packages:  NetworkManager-0.7.0-0.11.svn4022.4.fc8
Target RPM Packages:  
Policy RPM:  selinux-policy-3.0.8-123.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall_file
Host Name:  localhost.localdomain

Platform:  Linux localhost.localdomain #1 SMP Fri Oct 17 15:59:36 EDT 2008 i686 i686
Alert Count:  20
First Seen:  Sat 01 Nov 2008 06:04:08 AM EDT
Last Seen:  Wed 12 Nov 2008 07:18:40 AM EST
Local ID:  aa8eec59-f05f-4c00-bb0a-9537522de6d5
Line Numbers:  
Raw Audit Messages :

host=localhost.localdomain type=AVC msg=audit(1226492320.946:5): avc: denied { read } for pid=2838 comm="nm-system-setti" name="PolicyKit" dev=dm-0 ino=1704057 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1226492320.946:5): arch=40000003 syscall=292 success=no exit=-13 a0=6 a1=d1a08e a2=306 a3=8f266d8 items=0 ppid=2837 pid=2838 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)
Comment 4 Daniel Walsh 2008-11-13 18:37:41 EST
Fixed in selinux-policy-3.0.8-127.fc8
Comment 5 Alessandro Volpi 2008-11-14 18:55:41 EST
I do not know where I can find the selinux-policy-3.0.8-127.fc8 

yum tells me that selinux-policy-3.0.8-123.fc8 is the latest package available.

The funny thing is that I have two identical machines (Dell Precision 370).
One is constantly updated. The other one has not been updated for at least 3 months. Today I have updated it successfully without any error or warning.

The constantly updated machine is stubbornly finding the bug every time it is booted. The second machine is not affected by the bug.

I guess that the bug has been introduced during one of the past updating operations, causing a permanent "damage" in the labeling and that the second machine was not subjected to the bug, since it has been updated today, with a correct version of selinux-policy ...
Comment 6 Alessandro Volpi 2008-11-24 16:42:33 EST
Things are now getting worse.

The second workstation is now also affected by the bug ... I have started it today and I got the usual warning:

SELinux is preventing nm-system-setti (NetworkManager_t) "read" to ./PolicyKit

I cannot understand how it could work correctly after the reboot following the yum update!
Comment 7 Daniel Walsh 2008-11-25 08:41:43 EST
selinux-policy-3.0.8-127.fc8 has been marked as stable although not pushed.  You can get it by executing

yum update selinux-policy-targeted --enablerepo=updates-testing
Comment 8 Alessandro Volpi 2008-11-25 16:22:16 EST
I have tried once again to find selinux-policy-3.0.8-127.fc8, as suggested by Daniel Walsh. The trial has not been successful, although the command has been issued as root:

yum update selinux-policy-targeted --enablerepo=updates-testing
Setting up Update Process
No Packages marked for Update

I have also tried the following command :

yum upgrade selinux-policy-targeted --enablerepo=updates-testing
updates-newkey                                           | 2.3 kB     00:00
fedora                                                   | 2.1 kB     00:00
updates                                                  | 2.6 kB     00:00
Setting up Upgrade Process
No Packages marked for Update

I am surely missing something. It seems that my system refuses to consider the update-testing packages.

I finally tried with the -v option. The result was:

yum list selinux-policy-targeted -v --enablerepo=updates-testing
Config time: 0.160
repo time: 0.001
Yum Version: 3.2.19
COMMAND: yum list selinux-policy-targeted -v --enablerepo=updates-testing
Installroot: /
Ext Commands:

Reading Local RPMDB
rpmdb time: 0.000
Setting up Package Sacks
pkgsack time: 0.006
Matching packages for package list to user args
Installed Packages
selinux-policy-targeted.noarch           3.0.8-123.fc8          installed
Comment 9 Bug Zapper 2008-11-26 06:16:38 EST
This message is a reminder that Fedora 8 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 8.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '8'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 8's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 8 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
Comment 10 Jon Stanley 2008-11-26 12:37:59 EST
As this bug is in MODIFIED, Fedora believes that a fix has been committed that resolves the problem listed in this bug report.

If this is not the case, please re-open this report, noting the version of the package that you reproduced the bug against.

Thanks for the report!
Comment 11 Milos Malik 2008-11-27 11:15:42 EST
The AVC still appears:

# cat /etc/fedora-release 
Fedora release 8 (Werewolf)
# rpm -qa | grep -i selinux-policy
# grep selinux-policy /var/log/yum.log | tail -n 3
Nov 20 07:38:11 Updated: selinux-policy-3.0.8-127.fc8.noarch
Nov 20 07:38:28 Updated: selinux-policy-targeted-3.0.8-127.fc8.noarch
Nov 20 07:38:42 Updated: selinux-policy-devel-3.0.8-127.fc8.noarch
# ausearch -m AVC -ts today
time->Thu Nov 27 08:40:38 2008
type=SYSCALL msg=audit(1227771638.930:32): arch=40000003 syscall=292 success=no exit=-13 a0=6 a1=89808e a2=306 a3=9cf6db0 items=0 ppid=3227 pid=3228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1227771638.930:32): avc:  denied  { read } for  pid=3228 comm="nm-system-setti" name="PolicyKit" dev=dm-0 ino=2424953 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
Comment 12 morgan read 2008-11-27 18:00:40 EST
Created attachment 324925
setroubleshoot output

my 2c
Comment 13 Daniel Walsh 2008-12-01 17:01:53 EST
Could you execute the following?
# sesearch --allow -s NetworkManager_t -t polkit_var_lib_t
WARNING: This policy contained disabled aliases; they have been removed.
Found 3 semantic av rules:
   allow NetworkManager_t polkit_var_lib_t : file { ioctl read getattr lock } ; 
   allow NetworkManager_t polkit_var_lib_t : dir { getattr search } ; 
   allow NetworkManager_t @ttr0098 : filesystem getattr ; 

The output above is from F10, but it should be similar in F8
Comment 14 morgan read 2008-12-06 23:21:08 EST
# sesearch --allow -s NetworkManager_t -t polkit_var_lib_t
Default policy search failed: Bad address

Hmm, that doesn't look quite the same as yours...  (This is from the account that's causing the problems.)
Comment 15 Daniel Walsh 2008-12-09 14:35:36 EST
Try selinux-policy-3.0.8-128.fc8. If this does not fix it, add custom policy or upgrade to F9 or F10, where this is fixed.
Comment 16 Bug Zapper 2009-01-09 02:54:29 EST
Fedora 8 changed to end-of-life (EOL) status on 2009-01-07. Fedora 8 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
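
Added example, not part of the original bug thread or of the selinux-policy project: a small Python script that parses the AVC record from Comment 11, compares it with the allow rules quoted in Comment 13, and emits the text of the kind of custom policy module Comment 15 refers to. The module name `local_nm_polkit` and the function names are hypothetical; the Comment 13 rules come from an F10 policy and are used here only as sample input.

```python
import re

# Inputs copied from this page: the AVC record in Comment 11 and the
# sesearch output in Comment 13 (which is from an F10 policy).
AVC = ('type=AVC msg=audit(1227771638.930:32): avc:  denied  { read } for  '
       'pid=3228 comm="nm-system-setti" name="PolicyKit" dev=dm-0 ino=2424953 '
       'scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir')
SESEARCH = """
   allow NetworkManager_t polkit_var_lib_t : file { ioctl read getattr lock } ;
   allow NetworkManager_t polkit_var_lib_t : dir { getattr search } ;
   allow NetworkManager_t @ttr0098 : filesystem getattr ;
"""
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)'
                    r'\s+tcontext=(\S+)\s+tclass=(\w+)')
ALLOW_RE = re.compile(r'allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{([^}]*)\}')

def parse_avc(line):
    """Return (source_type, target_type, tclass, denied_perms) for one denial."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record")
    perms, scon, tcon, tclass = m.groups()
    # A context is user:role:type[:level]; the type is the third field.
    return scon.split(':')[2], tcon.split(':')[2], tclass, set(perms.split())

def parse_allows(text):
    """Map (source, target, class) -> allowed perms; skips rules without braces."""
    rules = {}
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules

def missing_perms(avc_line, sesearch_text):
    """Denied permissions that no listed allow rule grants for that class."""
    src, tgt, cls, denied = parse_avc(avc_line)
    return denied - parse_allows(sesearch_text).get((src, tgt, cls), set())

def te_module(avc_line, sesearch_text, name="local_nm_polkit"):
    """Text of a local policy module covering the gap (name is hypothetical)."""
    src, tgt, cls, _ = parse_avc(avc_line)
    perms = " ".join(sorted(missing_perms(avc_line, sesearch_text)))
    if not perms:
        return ""  # nothing missing for this class in the listed rules
    return (f"module {name} 1.0;\n\nrequire {{\n\ttype {src};\n\ttype {tgt};\n"
            f"\tclass {cls} {{ {perms} }};\n}}\n\n"
            f"allow {src} {tgt}:{cls} {{ {perms} }};\n")

if __name__ == "__main__":
    print(te_module(AVC, SESEARCH))
```

The comparison shows why the listed rules do not cover the denial: `read` is granted on class `file`, while the denied access is `read` on class `dir`. On a live system, `audit2allow -M` produces an equivalent module from the audit log and `semodule -i` loads it.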