Bug 510652 - NetworkManager blocked
Summary: NetworkManager blocked
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 11
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-07-10 04:08 UTC by David Highley
Modified: 2009-07-10 19:22 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-07-10 19:22:28 UTC
Type: ---
Embargoed:



Description David Highley 2009-07-10 04:08:34 UTC
Description of problem:
NetworkManager is getting blocked. Could not determine effect of block.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.12-53.fc11.noarch

How reproducible:
Each boot up.

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
time->Mon Jun 29 20:05:22 2009
type=SYSCALL msg=audit(1246331122.160:74): arch=c000003e syscall=2 success=no exit=-13 a0=7f6281210aea a1=0 a2=1 a3=7fff7077d850 items=0 ppid=2373 pid=4574 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1246331122.160:74): avc:  denied  { read } for  pid=4574 comm="NetworkManager" name="null" dev=tmpfs ino=24971 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file

Comment 1 David Highley 2009-07-10 04:11:39 UTC
More information.
time->Mon Jun 29 20:05:22 2009
type=SYSCALL msg=audit(1246331122.184:76): arch=c000003e syscall=2 success=no exit=-13 a0=7fbaddd4daea a1=0 a2=1 a3=7fff1db44ea0 items=0 ppid=4578 pid=4579 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-crash-logger" exe="/usr/libexec/nm-crash-logger" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1246331122.184:76): avc:  denied  { read } for  pid=4579 comm="nm-crash-logger" name="null" dev=tmpfs ino=24971 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file

Comment 2 Daniel Walsh 2009-07-10 12:19:13 UTC
You have a file named null that is labeled as device_t? Did you somehow create /dev/null as a file?

Comment 3 David Highley 2009-07-10 13:31:31 UTC
No, we did not create a null file. The only one that should exist is:
crw-rw-rw-. root root system_u:object_r:null_device_t:s0 /dev/null

Comment 4 Daniel Walsh 2009-07-10 13:52:32 UTC
find /dev -name null

Comment 5 David Highley 2009-07-10 14:06:23 UTC
This is strange:
 ls -Z /dev/.udev/names/null
-rw-r--r--. root root system_u:object_r:udev_tbl_t:s0  \x2fdevices\x2fvirtual\x2fmem\x2fnull

Comment 6 Daniel Walsh 2009-07-10 14:11:20 UTC
But that was not what NetworkManager was complaining about, since it was complaining about a file labeled device_t:

tcontext=system_u:object_r:device_t:s0 tclass=file

Comment 7 David Highley 2009-07-10 14:31:28 UTC
Maybe it creates a file on the fly. It is very dynamic in how it operates.

Comment 8 Daniel Walsh 2009-07-10 14:44:23 UTC
Right, but NetworkManager would not be allowed to create device_t files.  The AVC is about a read of a file labeled device_t.  Any chance you have bind installed in a chroot?

Comment 9 David Highley 2009-07-10 16:34:42 UTC
Bind is not installed or used on that system, but we see bind-utils and bind-libs installed anyway. We did an rpm -qa --filesbypkg | grep null and found lots of names with null as part of the name, but the likely cases are:
environment-modules       /usr/share/Modules/modulefiles/null
-rw-r--r--. root root system_u:object_r:usr_t:s0       /usr/share/Modules/modulefiles/null
kbd                       /lib/kbd/consoletrans/null
-rw-r--r--. root root system_u:object_r:lib_t:s0       /lib/kbd/consoletrans/null

Comment 10 Daniel Walsh 2009-07-10 18:51:07 UTC
Well, I am at a loss; you could search for the inode using find:

find / -inum 24971


But I think we will just need to close this. Looks like it happened while NetworkManager was crashing.

Comment 11 David Highley 2009-07-10 19:14:21 UTC
OK, none of this seems to make sense!

find / -inum 24971
/usr/share/openbabel/2.2.1b3/mmffvdw.par

rpm -qa --filesbypkg | grep mmffvdw.par
openbabel                 /usr/share/openbabel/2.2.1b3/mmffvdw.par

rpm -q --info openbabel
Name        : openbabel                    Relocations: (not relocatable)
Version     : 2.2.1                             Vendor: Fedora Project
Release     : 0.1.b3.fc11                   Build Date: Sun 01 Mar 2009 10:35:49 AM PST
Install Date: Tue 02 Jan 2007 09:59:23 AM PST      Build Host: x86-2.fedora.phx.redhat.com
Group       : Applications/File             Source RPM: openbabel-2.2.1-0.1.b3.fc11.src.rpm
Size        : 7347918                          License: GPLv2
Signature   : RSA/8, Fri 13 Mar 2009 10:47:03 AM PDT, Key ID 1dc5c758d22e77f2
Packager    : Fedora Project
URL         : http://openbabel.org/
Summary     : Chemistry software file format converter
Description :
Open Babel is a free, open-source version of the Babel chemistry file
translation program. Open Babel is a project designed to pick up where
Babel left off, as a cross-platform program and library designed to
interconvert between many file formats used in molecular modeling,
computational chemistry, and many related areas.

Open Babel includes two components, a command-line utility and a C++
library. The command-line utility is intended to be used as a replacement
for the original babel program, to translate between various chemical file
formats. The C++ library includes all of the file-translation code as well
as a wide variety of utilities to foster development of other open source
scientific software.

Comment 12 Daniel Walsh 2009-07-10 19:22:28 UTC
I don't know. It might have matched an inode on a different file system. I am closing for now; reopen if it happens again.
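The inode lookup in comments 10 through 12, worked through as an added example that is not part of the bug report or of any Fedora package. The AVC record in the bug names the object by dev=tmpfs and ino=24971, and an inode number is only unique within one filesystem, so an unrestricted `find / -inum 24971` can return an unrelated file on the root filesystem, which is exactly what happened in comment 11. The helpers below parse an audit record, restrict the search to mounts that match the dev= field, and check whether a candidate path could even be the denied object. The audit line is the one posted in the report; the /proc/mounts text is constructed for illustration, and the longest-prefix mapping from path to mount is this example's own approach.

```python
"""Triage an SELinux AVC denial and locate the denied object by inode.

ino= in an AVC record is only unique within the filesystem named by dev=, so an
unrestricted `find / -inum N` can return an unrelated file on another filesystem.
"""
import re
import shlex

# One audit field: key=value where value is "quoted", (parenthesised) or bare.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
_PERMS = re.compile(r'denied\s+\{\s*([^}]*)\}')


def parse_audit_fields(line):
    """Return the key=value fields of one audit record, with quotes stripped."""
    fields = {}
    for key, value in _FIELD.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_avc(line):
    """Parse a type=AVC record into the fields a triager needs; None for other types."""
    fields = parse_audit_fields(line)
    if fields.get('type') != 'AVC':
        return None
    perms = _PERMS.search(line)
    return {
        'perms': perms.group(1).split() if perms else [],
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'dev': fields.get('dev'),  # fstype for pseudo-filesystems (tmpfs), block device otherwise
        'ino': int(fields['ino']) if 'ino' in fields else None,
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
    }


def context_type(context):
    """Return the type component (e.g. device_t) of a user:role:type:level context."""
    return context.split(':')[2]


def parse_mounts(proc_mounts_text):
    """Parse /proc/mounts-style text into (device, mountpoint, fstype) tuples."""
    rows = (line.split() for line in proc_mounts_text.splitlines())
    return [tuple(r[:3]) for r in rows if len(r) >= 3]


def mount_matches(mount, dev):
    """Does a mount correspond to the AVC dev= value (its fstype or block device name)?"""
    device, _mountpoint, fstype = mount
    return fstype == dev or device.rsplit('/', 1)[-1] == dev


def filesystem_of(path, mounts):
    """Return the mount tuple whose mountpoint is the longest prefix of path."""
    best = None
    for mount in mounts:
        mountpoint = mount[1]
        if path == mountpoint or path.startswith(mountpoint.rstrip('/') + '/'):
            if best is None or len(mountpoint) > len(best[1]):
                best = mount
    return best


def inode_search_commands(avc, mounts):
    """find commands that search avc['ino'] only on matching mounts; -xdev keeps each
    search inside its own filesystem, so a same-numbered inode elsewhere is never reported."""
    return ['find %s -xdev -inum %d' % (shlex.quote(m[1]), avc['ino'])
            for m in mounts if mount_matches(m, avc['dev'])]


def is_plausible_match(path, avc, mounts):
    """True only if path lives on a filesystem that matches the AVC's dev= field."""
    mount = filesystem_of(path, mounts)
    return mount is not None and mount_matches(mount, avc['dev'])


# AVC record as posted in the report.
AVC_LINE = ('type=AVC msg=audit(1246331122.160:74): avc:  denied  { read } for  pid=4574 '
            'comm="NetworkManager" name="null" dev=tmpfs ino=24971 '
            'scontext=system_u:system_r:NetworkManager_t:s0 '
            'tcontext=system_u:object_r:device_t:s0 tclass=file')

# Constructed /proc/mounts text, Fedora 11 style (illustrative, not from the report).
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
proc /proc proc rw 0 0
tmpfs /dev tmpfs rw,mode=755 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0
"""

if __name__ == '__main__':
    avc = parse_avc(AVC_LINE)
    mounts = parse_mounts(SAMPLE_MOUNTS)
    print('%s denied %s on "%s" (%s %s) dev=%s ino=%d' % (
        context_type(avc['scontext']), ' '.join(avc['perms']), avc['name'],
        context_type(avc['tcontext']), avc['tclass'], avc['dev'], avc['ino']))
    print('\n'.join(inode_search_commands(avc, mounts)))
    # The path the unrestricted search returned in the thread lives on ext4, not tmpfs.
    print(is_plausible_match('/usr/share/openbabel/2.2.1b3/mmffvdw.par', avc, mounts))
```

With the constructed mount table the script emits `find /dev -xdev -inum 24971` and `find /dev/shm -xdev -inum 24971` rather than a search of the whole tree, and it reports the openbabel path from comment 11 as implausible because it sits on ext4 while the AVC names a tmpfs object. On a live system the same lookup should be run before the offending process exits, since objects on tmpfs (for example udev's private files under /dev) can disappear once the crash handling that triggered the denial completes.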

