Bug 509825 - SELinux is preventing nm-dhcp-client. (dhcpc_t) "read" usr_t.
Summary: SELinux is preventing nm-dhcp-client. (dhcpc_t) "read" usr_t.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 11
Hardware: i586
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 517000
TreeView+ depends on / blocked
 
Reported: 2009-07-06 13:27 UTC by Wim Van Hoydonck
Modified: 2010-01-20 09:28 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-01-20 09:28:12 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Wim Van Hoydonck 2009-07-06 13:27:13 UTC
Description of problem:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
SELinux denied access requested by nm-dhcp-client.. It is not expected that this access is required by nm-dhcp-client. and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. 


Version-Release number of selected component (if applicable):
0.7.1

How reproducible:
unplug eth0 and plug eth0

Steps to Reproduce:
1.
2.
3.
  
Actual results:
SELinux warnings

Expected results:
no warnings

Additional info:

Source Context:  system_u:system_r:dhcpc_t:s0Target Context:  unconfined_u:object_r:usr_t:s0Target 
Objects:  libdbus-glib-1.so.2 [ lnk_file ]
Source:  nm-dhcp-client.Source 
Path:  /usr/libexec/nm-dhcp-client.actionPort:  <Unknown>
Host:  n011
Source RPM Packages:  NetworkManager-0.7.1-6.git20090617.fc11
Target RPM Packages:  Policy RPM:  selinux-policy-3.6.12-62.fc11
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  catchall
Host Name:  n011
Platform:  Linux n011 2.6.29.5-191.fc11.i586 #1 SMP Tue Jun 16 23:11:39 EDT 2009 i686 i686
Alert Count:  2
First Seen:  Mon 06 Jul 2009 02:08:29 PM CEST
Last Seen:  Mon 06 Jul 2009 03:14:35 PM CEST
Local ID:  f219173d-2833-47dc-a5a5-03811457acf7
Line Numbers:  
Raw Audit Messages :node=n011 type=AVC msg=audit(1246886075.173:43): avc: denied { read } for pid=3876 comm="nm-dhcp-client." name="libdbus-glib-1.so.2" dev=dm-0 ino=545 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=lnk_file 

node=n011 type=SYSCALL msg=audit(1246886075.173:43): arch=40000003 syscall=5 success=yes exit=3 a0=b806c091 a1=0 a2=0 a3=b806c091 items=0 ppid=3875 pid=3876 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-dhcp-client." exe="/usr/libexec/nm-dhcp-client.action" subj=system_u:system_r:dhcpc_t:s0 key=(null)

Comment 1 Wim Van Hoydonck 2009-07-06 13:30:48 UTC
I forgot these:

Steps to Reproduce:
1. Enable SELinux and set mode to permissive
2. unplug eth0
3. plug eth0

Comment 2 Niels Haase 2009-07-08 19:30:21 UTC
Dan, any hints from you on this?

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 3 Daniel Walsh 2009-07-09 12:23:05 UTC
It should just be allowed.

Comment 4 Daniel Walsh 2009-07-09 13:20:02 UTC
Miroslov add files_read_usr_files(dhcpc_t)

Comment 5 Miroslav Grepl 2009-07-15 11:18:17 UTC
Fixed in selinux-policy-3.6.12-66.fc11

Comment 7 Miroslav Grepl 2010-01-20 09:28:12 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if
the bug is not actually fixed.


Note You need to log in before you can comment on or make changes to this bug.