Description of problem:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by nm-dhcp-client.. It is not expected that this access is required by nm-dhcp-client. and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Version-Release number of selected component (if applicable):
0.7.1

How reproducible:
unplug eth0 and plug eth0

Steps to Reproduce:
1.
2.
3.

Actual results:
SELinux warnings

Expected results:
no warnings

Additional info:
Source Context: system_u:system_r:dhcpc_t:s0
Target Context: unconfined_u:object_r:usr_t:s0
Target Objects: libdbus-glib-1.so.2 [ lnk_file ]
Source: nm-dhcp-client.
Source Path: /usr/libexec/nm-dhcp-client.action
Port: <Unknown>
Host: n011
Source RPM Packages: NetworkManager-0.7.1-6.git20090617.fc11
Target RPM Packages:
Policy RPM: selinux-policy-3.6.12-62.fc11
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: catchall
Host Name: n011
Platform: Linux n011 2.6.29.5-191.fc11.i586 #1 SMP Tue Jun 16 23:11:39 EDT 2009 i686 i686
Alert Count: 2
First Seen: Mon 06 Jul 2009 02:08:29 PM CEST
Last Seen: Mon 06 Jul 2009 03:14:35 PM CEST
Local ID: f219173d-2833-47dc-a5a5-03811457acf7
Line Numbers:

Raw Audit Messages:

node=n011 type=AVC msg=audit(1246886075.173:43): avc: denied { read } for pid=3876 comm="nm-dhcp-client." name="libdbus-glib-1.so.2" dev=dm-0 ino=545 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=lnk_file

node=n011 type=SYSCALL msg=audit(1246886075.173:43): arch=40000003 syscall=5 success=yes exit=3 a0=b806c091 a1=0 a2=0 a3=b806c091 items=0 ppid=3875 pid=3876 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-dhcp-client." exe="/usr/libexec/nm-dhcp-client.action" subj=system_u:system_r:dhcpc_t:s0 key=(null)

I forgot these:

Steps to Reproduce:
1. Enable SELinux and set mode to permissive
2. unplug eth0
3. plug eth0

Dan, any hints from you on this?

--
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

It should just be allowed.
Miroslav, add files_read_usr_files(dhcpc_t)
Fixed in selinux-policy-3.6.12-66.fc11
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.