First Last Prev Next    This bug is not in your last search results.
Bug 509825 - SELinux is preventing nm-dhcp-client. (dhcpc_t) "read" usr_t.
SELinux is preventing nm-dhcp-client. (dhcpc_t) "read" usr_t.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
11
i586 Linux
low Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks: 517000
  Show dependency treegraph
 
Reported: 2009-07-06 09:27 EDT by Wim Van Hoydonck
Modified: 2010-01-20 04:28 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-01-20 04:28:12 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Wim Van Hoydonck 2009-07-06 09:27:13 EDT 
Description of problem:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
SELinux denied access requested by nm-dhcp-client.. It is not expected that this access is required by nm-dhcp-client. and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. 


Version-Release number of selected component (if applicable):
0.7.1

How reproducible:
unplug eth0 and plug eth0

Steps to Reproduce:
1.
2.
3.
  
Actual results:
SELinux warnings

Expected results:
no warnings

Additional info:

Source Context:  system_u:system_r:dhcpc_t:s0Target Context:  unconfined_u:object_r:usr_t:s0Target 
Objects:  libdbus-glib-1.so.2 [ lnk_file ]
Source:  nm-dhcp-client.Source 
Path:  /usr/libexec/nm-dhcp-client.actionPort:  <Unknown>
Host:  n011
Source RPM Packages:  NetworkManager-0.7.1-6.git20090617.fc11
Target RPM Packages:  Policy RPM:  selinux-policy-3.6.12-62.fc11
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  catchall
Host Name:  n011
Platform:  Linux n011 2.6.29.5-191.fc11.i586 #1 SMP Tue Jun 16 23:11:39 EDT 2009 i686 i686
Alert Count:  2
First Seen:  Mon 06 Jul 2009 02:08:29 PM CEST
Last Seen:  Mon 06 Jul 2009 03:14:35 PM CEST
Local ID:  f219173d-2833-47dc-a5a5-03811457acf7
Line Numbers:  
Raw Audit Messages :node=n011 type=AVC msg=audit(1246886075.173:43): avc: denied { read } for pid=3876 comm="nm-dhcp-client." name="libdbus-glib-1.so.2" dev=dm-0 ino=545 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=lnk_file 

node=n011 type=SYSCALL msg=audit(1246886075.173:43): arch=40000003 syscall=5 success=yes exit=3 a0=b806c091 a1=0 a2=0 a3=b806c091 items=0 ppid=3875 pid=3876 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-dhcp-client." exe="/usr/libexec/nm-dhcp-client.action" subj=system_u:system_r:dhcpc_t:s0 key=(null)
Comment 1 Wim Van Hoydonck 2009-07-06 09:30:48 EDT 
I forgot these:

Steps to Reproduce:
1. Enable SELinux and set mode to permissive
2. unplug eth0
3. plug eth0
Comment 2 Niels Haase 2009-07-08 15:30:21 EDT 
Dan, any hints from you on this?

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 3 Daniel Walsh 2009-07-09 08:23:05 EDT 
It should just be allowed.
Comment 4 Daniel Walsh 2009-07-09 09:20:02 EDT 
Miroslov add files_read_usr_files(dhcpc_t)
Comment 5 Miroslav Grepl 2009-07-15 07:18:17 EDT 
Fixed in selinux-policy-3.6.12-66.fc11
Comment 7 Miroslav Grepl 2010-01-20 04:28:12 EST 
Closing all bugs that have been in modified for over a month.  Please reopen if
the bug is not actually fixed.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.