471734 – targeted policy prevents system settings when using NetworkManager with keyfile

Bug 471734 - targeted policy prevents system settings when using NetworkManager with keyfile

Summary: targeted policy prevents system settings when using NetworkManager with keyfile

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	10
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-11-15 11:10 UTC by Martin Ebourne
Modified:	2009-04-14 21:16 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-04-14 21:16:42 UTC
Type:	---
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Martin Ebourne 2008-11-15 11:10:06 UTC

Description of problem:
Cannot setup a system wireless connection with nm-applet when using keyfile plugin.

Version-Release number of selected component (if applicable):
NetworkManager-0.7.0-0.11.svn4229.fc10.x86_64
NetworkManager-gnome-0.7.0-0.11.svn4229.fc10.x86_64
selinux-policy-targeted-3.5.13-18.fc10.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Configure NetworkManager to use keyfile plugin:
# cat /etc/NetworkManager/nm-system-settings.conf
[main]
plugins=keyfile

2. Select "Edit connections" from nm-applet menu.

3. Create or edit a connection

4. Set "Available to all users" at the bottom

5. Click Apply.
  
Actual results:
Dialogue closes but settings are lost.

Expected results:
Settings should be saved under /etc/NetworkManager/system-connections and be available to all users.

Additional info:
This works in permissive. The following denials are recorded:

type=USER_AVC msg=audit(1226746127.641:28): user pid=2208 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=GetSessionForUnixProcess dest=org.freedesktop.ConsoleKit spid=2419 tpid=2246 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'

type=USER_AVC msg=audit(1226746127.644:29): user pid=2208 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.8 spid=2246 tpid=2419 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'

Comment 1 Daniel Walsh 2008-11-17 20:45:53 UTC

Fixed in selinux-policy-3.5.13-21.fc10

You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Comment 2 Bug Zapper 2008-11-26 05:26:40 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Note You need to log in before you can comment on or make changes to this bug.