Bug 473687 - NetworkManager tries to access dhclient but is stopped by SELinux policy
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Duplicates: 473787
Reported: 2008-11-29 19:39 EST by Andrew Stitcher
Modified: 2009-05-05 12:45 EDT (History)
Doc Type: Bug Fix
Last Closed: 2009-05-05 12:45:01 EDT
Description Andrew Stitcher 2008-11-29 19:39:34 EST
Description of problem:

Here is the setroubleshoot info:

Summary
SELinux is preventing NetworkManager (NetworkManager_t) "search" to ./dhclient (dhcpc_state_t). 

Detailed Description
SELinux denied access requested by NetworkManager. It is not expected that this access is required by NetworkManager and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./dhclient,

restorecon -v './dhclient'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information
Source Context:  system_u:system_r:NetworkManager_t:s0
Target Context:  system_u:object_r:dhcpc_state_t:s0
Target Objects:  ./dhclient [ dir ]
Source:  NetworkManager
Source Path:  /usr/sbin/NetworkManager
Port:  <Unknown>
Host:  snowdrop
Source RPM Packages:  NetworkManager-0.7.0-0.12.svn4326.fc10
Target RPM Packages:
Policy RPM:  selinux-policy-3.5.13-18.fc10
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall_file
Host Name:  snowdrop
Platform:  Linux snowdrop 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count:  4
First Seen:  Wed 26 Nov 2008 22:17:07 EST
Last Seen:  Sat 29 Nov 2008 19:13:29 EST
Local ID:  5d4074c6-16ed-470f-95e5-ad0c7eaaf080
Line Numbers:  

Raw Audit Messages:

node=snowdrop type=AVC msg=audit(1228004009.204:2407): avc: denied { search } for pid=2117 comm="NetworkManager" name="dhclient" dev=dm-0 ino=491669 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir
node=snowdrop type=SYSCALL msg=audit(1228004009.204:2407): arch=40000003 syscall=10 success=no exit=-13 a0=889f320 a1=21 a2=8dbff4 a3=889f320 items=0 ppid=1 pid=2117 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
Comment 1 Max Kanat-Alexander 2008-12-01 01:01:18 EST
*** Bug 473787 has been marked as a duplicate of this bug. ***
Comment 2 Karsten Wade 2008-12-01 09:36:06 EST
There are a few bug reports that are similar or duplicates.

Bug 473784  AVC denials when enabling a PPP connection
Bug 473449 -  selinux denies NetworkManager access to /dev/ppp

The first one seems a duplicate bug.  The second may be related, I'm unsure.  I also have received the same dhclient denial plus am having the same problems with /dev/ppp.

type=AVC msg=audit(1228087166.757:61): avc:  denied  { search } for  pid=2360 comm="NetworkManager" name="dhclient" dev=dm-3 ino=24785 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir
type=SYSCALL msg=audit(1228087166.757:61): arch=40000003 syscall=10 success=no exit=-13 a0=8cc7d78 a1=21 a2=489ff4 a3=8cc7d78 items=0 ppid=1 pid=2360 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
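
Added example, not part of the original thread: one way to confirm that the records in the Description and in comment 2 are the same denial is to pair each AVC record with its SYSCALL record by audit event id and collapse repeats into the distinct access that was refused. The function names are hypothetical; the sample records are copied from this bug, with the wraps rejoined and the SYSCALL lines shortened to the fields used.

```python
import re
from collections import defaultdict

# Records from this bug report; SYSCALL lines shortened to the fields used below.
SAMPLE = """\
node=snowdrop type=AVC msg=audit(1228004009.204:2407): avc: denied { search } for pid=2117 comm="NetworkManager" name="dhclient" dev=dm-0 ino=491669 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir
node=snowdrop type=SYSCALL msg=audit(1228004009.204:2407): arch=40000003 syscall=10 success=no exit=-13 comm="NetworkManager" exe="/usr/sbin/NetworkManager"
type=AVC msg=audit(1228087166.757:61): avc:  denied  { search } for  pid=2360 comm="NetworkManager" name="dhclient" dev=dm-3 ino=24785 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir
type=SYSCALL msg=audit(1228087166.757:61): arch=40000003 syscall=10 success=no exit=-13 comm="NetworkManager" exe="/usr/sbin/NetworkManager"
"""

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
PERMS = re.compile(r'denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by event id (timestamp, serial), merging AVC and SYSCALL fields."""
    events = defaultdict(dict)
    for line in text.splitlines():
        head = HEADER.search(line)
        if not head:
            continue
        rtype, stamp, serial = head.groups()
        event = events[(stamp, serial)]
        body = line[head.end():]
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            denied = PERMS.search(body)
            if denied:  # skip "granted" records
                event["perms"] = denied.group(1).split()
                event.update(fields)
        elif rtype == "SYSCALL":
            # Keep only the triage fields so AVC values are not overwritten.
            for key in ("exe", "exit", "success"):
                if key in fields:
                    event[key] = fields[key]
    return dict(events)

def denial_rules(events):
    """Collapse denials into distinct (source type, target type, class) rules."""
    rules = defaultdict(set)
    for ev in events.values():
        if "perms" not in ev:
            continue
        src = ev["scontext"].split(":")[2]  # user:role:type:level
        tgt = ev["tcontext"].split(":")[2]
        rules[(src, tgt, ev["tclass"])].update(ev["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]
```

Both hosts reduce to a single rule line, which is the access the policy update mentioned in the following comments has to cover.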
Comment 3 Miroslav Grepl 2008-12-01 10:22:31 EST
The problem with NetworkManager and dhcp_state_t files is fixed in selinux-policy-3.5.13-26.fc10.
Comment 4 Karsten Wade 2008-12-01 10:43:12 EST
Thanks.  I updated (using 'yum --enablerepo=updates-testing update selinux-policy') to the package in testing[1].  Because my problem here included a full system lockup, I'll be saving my testing for a bit later today. :)

[1] http://koji.fedoraproject.org/koji/buildinfo?buildID=71108
Comment 5 Ryan Rix 2008-12-01 19:23:01 EST
(In reply to comment #3)
> The problem with NetworkManager and dhcp_state_t files is fixed in
> selinux-policy-3.5.13-26.fc10.

What would be the preferred method of upgrading to this package without changing repositories to testing? I am running the stable version of Fedora 10 and would like it to stay in the stable repository.
Comment 6 Karsten Wade 2008-12-01 23:14:37 EST
(In reply to comment #5)
> 
> What would be the preferred method of upgrading to this package without
> changing repositories to testing? I am running the stable version of Fedora 10
> and would like it to stay in the stable repository.

The directions I gave in comment #4 are the best way to pull in a package from testing into an otherwise stable-using system.  However, it is untested beyond those of us who have installed it for testing.  For example, I'm still testing the policy package and am not ready to recommend it without reservation. :)

Otherwise, you need to wait until enough people test the package and give it a positive vote in koji -- that is how it moves from the testing to the updates repository.
Comment 7 Daniel Walsh 2008-12-02 11:06:51 EST
It has been released from testing.  But Karsten is correct.

yum --enablerepo=updates-testing update selinux-policy\*

Is the way to install just those packages from testing.
Comment 8 Ryan Rix 2008-12-02 20:06:38 EST
Thank you, I wasn't entirely sure if that would pull the entire testing repo.
Comment 9 Daniel Walsh 2008-12-03 08:46:21 EST
Well it will only pull packages required by the package that you are upgrading.
I would watch the list of packages it wants to update though.
Comment 10 Karsten Wade 2009-05-05 11:59:10 EDT
Hmm, I think this is long fixed?  Shall we close it?
