Bug 473315 - SELinux is preventing NetworkManager (NetworkManager_t) "getattr" to /dev/ppp (ppp_device_t).
SELinux is preventing NetworkManager (NetworkManager_t) "getattr" to /dev/ppp...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
10
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-11-27 11:54 EST by Andrig Miller
Modified: 2009-11-18 08:04 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-11-18 08:04:27 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Andrig Miller 2008-11-27 11:54:00 EST
Description of problem:

SE Linux Alert that is denying the NetworkManager form doing a getattr to /dev/ppp after I plugin my EVDO broadband card and it establishing a connection to the network.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.5.13-18.fc10

How reproducible:

Every time.

Steps to Reproduce:
1. Plugin in EVDO broadband card.
2. NetworkManager automatically connects.
3. SEAlert pops.
  
Actual results:


Expected results:

There shouldn't be a SEAlert.

Additional info:


Summary:

SELinux is preventing NetworkManager (NetworkManager_t) "getattr" to /dev/ppp
(ppp_device_t).

Detailed Description:

SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /dev/ppp,

restorecon -v '/dev/ppp'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Here is the alert:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:ppp_device_t:s0
Target Objects                /dev/ppp [ chr_file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          myworklaptop.miller.org
Source RPM Packages           NetworkManager-0.7.0-0.12.svn4326.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     myworklaptop.miller.org
Platform                      Linux myworklaptop.miller.org
                              2.6.27.5-117.fc10.x86_64 #1 SMP Tue Nov 18
                              11:58:53 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 27 Nov 2008 09:29:07 AM MST
Last Seen                     Thu 27 Nov 2008 09:29:07 AM MST
Local ID                      371935fd-f10a-48ef-aaf9-b1427a46ef25
Line Numbers                  

Raw Audit Messages            

node=myworklaptop.miller.org type=AVC msg=audit(1227803347.415:13): avc:  denied  { getattr } for  pid=2365 comm="NetworkManager" path="/dev/ppp" dev=tmpfs ino=2290 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:ppp_device_t:s0 tclass=chr_file

node=myworklaptop.miller.org type=SYSCALL msg=audit(1227803347.415:13): arch=c000003e syscall=4 success=no exit=-13 a0=45fe89 a1=7fff59b452b0 a2=7fff59b452b0 a3=1 items=0 ppid=1 pid=2365 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
Comment 1 Daniel Walsh 2008-11-27 17:39:51 EST
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-27.fc10
Comment 2 Bug Zapper 2009-11-18 04:00:34 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 3 Daniel Walsh 2009-11-18 08:04:27 EST
Closing as closed in the current release.

Note You need to log in before you can comment on or make changes to this bug.