Bug 491285 - SELinux is preventing the NetworkManager (NetworkManager_t) from executing ./nscd
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Duplicates: 491287
Reported: 2009-03-20 08:36 UTC by Sandro Mathys
Modified: 2009-04-06 11:08 UTC (History)

Last Closed: 2009-04-06 11:08:27 UTC

Description Sandro Mathys 2009-03-20 08:36:38 UTC
Description of problem:
SELinux has denied the NetworkManager from executing ./nscd. If NetworkManager is supposed to be able to execute ./nscd, this could be a labeling problem. Most confined domains are allowed to execute files labeled bin_t. So you could change the labeling on this file to bin_t and retry the application. If this NetworkManager is not supposed to execute ./nscd, this could signal a intrusion attempt. 

Version-Release number of selected component (if applicable):
selinux-policy-3.5.13-48.fc10.noarch

How reproducible:
Always

Steps to Reproduce:
1. Use NetworkManager
  
Actual results:
Now and then NM seems to try to do ./nscd and isn't allowed to -> selinux alert.

Expected results:
No selinux alert.

Additional info:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                ./nscd [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          nebuchadnezzar.ethz.ch
Source RPM Packages           NetworkManager-0.7.0.99-3.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-48.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   execute
Host Name                     nebuchadnezzar.ethz.ch
Platform                      Linux nebuchadnezzar.ethz.ch
                              2.6.27.19-170.2.35.fc10.i686.PAE #1 SMP Mon Feb 23
                              13:09:26 EST 2009 i686 i686
Alert Count                   81
First Seen                    Wed 11 Mar 2009 03:32:30 PM CET
Last Seen                     Fri 20 Mar 2009 09:31:44 AM CET
Local ID                      e89ede77-a4fb-44ef-b69d-21d0b0681bf8
Line Numbers

Raw Audit Messages

node=nebuchadnezzar.ethz.ch type=AVC msg=audit(1237537904.149:2139): avc:  denied  { execute } for  pid=9282 comm="NetworkManager" name="nscd" dev=dm-1 ino=123412 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

node=nebuchadnezzar.ethz.ch type=SYSCALL msg=audit(1237537904.149:2139): arch=40000003 syscall=11 success=no exit=-13 a0=8a51478 a1=8a5f590 a2=bfb74940 a3=8a51478 items=0 ppid=2600 pid=9282 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Comment 1 Miroslav Grepl 2009-03-20 13:10:02 UTC
It is strange that nscd is labeled as etc_t.

Execute:
# restorecon -v /usr/sbin/nscd

Comment 2 Miroslav Grepl 2009-03-20 13:46:56 UTC
*** Bug 491287 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2009-04-06 11:08:27 UTC
If your problem isn't solved by the above steps, please reopen the bug.
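
Added example, not part of the original bug thread: a small triage script that pairs the AVC and SYSCALL records from this report by audit event ID and flags a denied `execute` on a data-typed file as a probable labeling problem, the diagnosis reached in Comment 1. The `NON_EXEC_TYPES` list and the function names are assumptions made for this example.

```python
import re

# The two raw audit records from this report, fields separated by single spaces.
SAMPLE = '''\
node=nebuchadnezzar.ethz.ch type=AVC msg=audit(1237537904.149:2139): avc:  denied  { execute } for  pid=9282 comm="NetworkManager" name="nscd" dev=dm-1 ino=123412 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
node=nebuchadnezzar.ethz.ch type=SYSCALL msg=audit(1237537904.149:2139): arch=40000003 syscall=11 success=no exit=-13 a0=8a51478 a1=8a5f590 a2=bfb74940 a3=8a51478 items=0 ppid=2600 pid=9282 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
'''

EVENT_RE = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
PERMS_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption for this example: types meant for data rather than programs.
# A denied execute on one of them points at a wrong label, not missing policy.
NON_EXEC_TYPES = {"etc_t", "var_t", "tmp_t", "default_t"}

def parse_record(line):
    """Turn one audit line into a dict of its key=value fields."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    event = EVENT_RE.search(line)
    fields["event_id"] = event.group(1) if event else None
    perms = PERMS_RE.search(line)
    if perms:
        fields["result"], fields["perms"] = perms.group(1), perms.group(2).split()
    return fields

def group_events(text):
    """Group records that share an audit event ID, keyed by record type."""
    events = {}
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        events.setdefault(rec["event_id"], {})[rec.get("type")] = rec
    return events

def triage(event):
    """Summarise a denial; None if the event carries no denied AVC."""
    avc, sc = event.get("AVC"), event.get("SYSCALL", {})
    if not avc or avc.get("result") != "denied":
        return None
    target_type = avc["tcontext"].split(":")[2]  # user:role:type:level
    return {"domain": avc["scontext"].split(":")[2], "target_type": target_type,
            "name": avc.get("name"), "perms": avc["perms"], "exe": sc.get("exe"),
            "eacces": sc.get("exit") == "-13",  # errno 13 = EACCES
            "likely_mislabel": avc.get("tclass") == "file"
            and "execute" in avc["perms"] and target_type in NON_EXEC_TYPES}

if __name__ == "__main__":
    for event_id, event in group_events(SAMPLE).items():
        print(event_id, triage(event))
```

When `likely_mislabel` is true, `restorecon -nv <path>` shows the label change that `restorecon -v` would make without applying it.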

