Bug 471734 - targeted policy prevents system settings when using NetworkManager with keyfile
Summary: targeted policy prevents system settings when using NetworkManager with keyfile
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 10
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-11-15 11:10 UTC by Martin Ebourne
Modified: 2009-04-14 21:16 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-04-14 21:16:42 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Martin Ebourne 2008-11-15 11:10:06 UTC
Description of problem:
Cannot setup a system wireless connection with nm-applet when using keyfile plugin.

Version-Release number of selected component (if applicable):
NetworkManager-0.7.0-0.11.svn4229.fc10.x86_64
NetworkManager-gnome-0.7.0-0.11.svn4229.fc10.x86_64
selinux-policy-targeted-3.5.13-18.fc10.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Configure NetworkManager to use keyfile plugin:
# cat /etc/NetworkManager/nm-system-settings.conf
[main]
plugins=keyfile

2. Select "Edit connections" from nm-applet menu.

3. Create or edit a connection

4. Set "Available to all users" at the bottom

5. Click Apply.
  
Actual results:
Dialogue closes but settings are lost.

Expected results:
Settings should be saved under /etc/NetworkManager/system-connections and be available to all users.

Additional info:
This works in permissive. The following denials are recorded:

type=USER_AVC msg=audit(1226746127.641:28): user pid=2208 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=GetSessionForUnixProcess dest=org.freedesktop.ConsoleKit spid=2419 tpid=2246 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'

type=USER_AVC msg=audit(1226746127.644:29): user pid=2208 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.8 spid=2246 tpid=2419 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'

Comment 1 Daniel Walsh 2008-11-17 20:45:53 UTC
Fixed in selinux-policy-3.5.13-21.fc10

You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Comment 2 Bug Zapper 2008-11-26 05:26:40 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping


Note You need to log in before you can comment on or make changes to this bug.