Bug 491285 - SELinux is preventing the NetworkManager (NetworkManager_t) from executing ./nscd
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Duplicates: 491287
Reported: 2009-03-20 04:36 EDT by Sandro Mathys
Modified: 2009-04-06 07:08 EDT (History)
Doc Type: Bug Fix
Last Closed: 2009-04-06 07:08:27 EDT
Description Sandro Mathys 2009-03-20 04:36:38 EDT
Description of problem:
SELinux has denied the NetworkManager from executing ./nscd. If NetworkManager is supposed to be able to execute ./nscd, this could be a labeling problem. Most confined domains are allowed to execute files labeled bin_t. So you could change the labeling on this file to bin_t and retry the application. If this NetworkManager is not supposed to execute ./nscd, this could signal a intrusion attempt. 

Version-Release number of selected component (if applicable):
selinux-policy-3.5.13-48.fc10.noarch

How reproducible:
Always

Steps to Reproduce:
1. Use NetworkManager
  
Actual results:
Now and then NM seems to try to do ./nscd and isn't allowed to -> selinux alert.

Expected results:
No selinux alert.

Additional info:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                ./nscd [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          nebuchadnezzar.ethz.ch
Source RPM Packages           NetworkManager-0.7.0.99-3.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-48.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   execute
Host Name                     nebuchadnezzar.ethz.ch
Platform                      Linux nebuchadnezzar.ethz.ch
                              2.6.27.19-170.2.35.fc10.i686.PAE #1 SMP Mon Feb 23
                              13:09:26 EST 2009 i686 i686
Alert Count                   81
First Seen                    Wed 11 Mar 2009 03:32:30 PM CET
Last Seen                     Fri 20 Mar 2009 09:31:44 AM CET
Local ID                      e89ede77-a4fb-44ef-b69d-21d0b0681bf8
Line Numbers

Raw Audit Messages

node=nebuchadnezzar.ethz.ch type=AVC msg=audit(1237537904.149:2139): avc:  denied  { execute } for  pid=9282 comm="NetworkManager" name="nscd" dev=dm-1 ino=123412 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

node=nebuchadnezzar.ethz.ch type=SYSCALL msg=audit(1237537904.149:2139): arch=40000003 syscall=11 success=no exit=-13 a0=8a51478 a1=8a5f590 a2=bfb74940 a3=8a51478 items=0 ppid=2600 pid=9282 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
Comment 1 Miroslav Grepl 2009-03-20 09:10:02 EDT
It is strange that nscd is labeled as etc_t.

Execute:
# restorecon -v /usr/sbin/nscd
Comment 2 Miroslav Grepl 2009-03-20 09:46:56 EDT
*** Bug 491287 has been marked as a duplicate of this bug. ***
Comment 3 Miroslav Grepl 2009-04-06 07:08:27 EDT
In case your problem isn't solved by the above steps, please reopen the bug.
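
As an added example (not part of the original report and not Fedora or setroubleshoot code), the Python below pairs the AVC and SYSCALL records from the description by their shared audit event ID and summarises the denial. The function names, the one-entry syscall table and the etc_t heuristic are assumptions made for illustration.

```python
import errno
import re

# Constructed sample: the two raw audit records from the report, field spacing restored.
SAMPLE = """\
node=nebuchadnezzar.ethz.ch type=AVC msg=audit(1237537904.149:2139): avc:  denied  { execute } for  pid=9282 comm="NetworkManager" name="nscd" dev=dm-1 ino=123412 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
node=nebuchadnezzar.ethz.ch type=SYSCALL msg=audit(1237537904.149:2139): arch=40000003 syscall=11 success=no exit=-13 a0=8a51478 a1=8a5f590 a2=bfb74940 a3=8a51478 items=0 ppid=2600 pid=9282 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
"""

EVENT_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
# Minimal lookup for this report only: arch 40000003 is i386, where syscall 11 is execve.
SYSCALLS = {("40000003", "11"): "execve"}

def parse_events(text):
    """Group audit records by (timestamp, serial) so AVC and SYSCALL records pair up."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        rtype, ts, serial = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
        if rtype == "AVC":
            p = PERMS_RE.search(line)
            fields["perms"] = p.group(1).split() if p else []
        events.setdefault((ts, serial), {})[rtype] = fields
    return events

def triage(event):
    """Summarise one denial: source/target types, permission, and the failed syscall."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    t_type = avc["tcontext"].split(":")[2]
    exit_code = int(sc.get("exit", "0"))
    return {
        "source_type": avc["scontext"].split(":")[2],
        "target_type": t_type,
        "target_name": avc.get("name"),
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        "syscall": SYSCALLS.get((sc.get("arch"), sc.get("syscall")), "unknown"),
        "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
        # Heuristic (assumption): an execute denial on an etc_t file points at the
        # file's label rather than at missing policy, so check the label first.
        "label_suspect": "execute" in avc["perms"] and t_type == "etc_t",
    }
```

When `label_suspect` is true, the label on the target file is the first thing to check, which is what the `restorecon -v` step in Comment 1 does.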
