Bug 510652 - NetworkManager blocked
NetworkManager blocked
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2009-07-10 00:08 EDT by David Highley
Modified: 2009-07-10 15:22 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-07-10 15:22:28 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description David Highley 2009-07-10 00:08:34 EDT
Description of problem:
NetworkManager is getting blocked. Could not determine effect of block.

Version-Release number of selected component (if applicable):

How reproducible:
Each boot up.

Steps to Reproduce:
Actual results:

Expected results:

Additional info:
time->Mon Jun 29 20:05:22 2009
type=SYSCALL msg=audit(1246331122.160:74): arch=c000003e syscall=2 success=no exit=-13 a0=7f6281210aea a1=0 a2=1 a3=7fff7077d850 items=0 ppid=2373 pid=4574 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1246331122.160:74): avc:  denied  { read } for  pid=4574 comm="NetworkManager" name="null" dev=tmpfs ino=24971 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
Comment 1 David Highley 2009-07-10 00:11:39 EDT
More information.
time->Mon Jun 29 20:05:22 2009
type=SYSCALL msg=audit(1246331122.184:76): arch=c000003e syscall=2 success=no exit=-13 a0=7fbaddd4daea a1=0 a2=1 a3=7fff1db44ea0 items=0 ppid=4578 pid=4579 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-crash-logger" exe="/usr/libexec/nm-crash-logger" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1246331122.184:76): avc:  denied  { read } for  pid=4579 comm="nm-crash-logger" name="null" dev=tmpfs ino=24971 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
Comment 2 Daniel Walsh 2009-07-10 08:19:13 EDT
You have a file named null that is labeled as device_t?  Did you some how create /dev/null as a file?
Comment 3 David Highley 2009-07-10 09:31:31 EDT
No, we did not create a null file. The only one that should exist is:
crw-rw-rw-. root root system_u:object_r:null_device_t:s0 /dev/null
Comment 4 Daniel Walsh 2009-07-10 09:52:32 EDT
find /dev -name null
Comment 5 David Highley 2009-07-10 10:06:23 EDT
This is strange:
 ls -Z /dev/.udev/names/null
-rw-r--r--. root root system_u:object_r:udev_tbl_t:s0  \x2fdevices\x2fvirtual\x2fmem\x2fnull
Comment 6 Daniel Walsh 2009-07-10 10:11:20 EDT
But that was not what network maanger was complainging about since it was complaining about a file labeled device_t

tcontext=system_u:object_r:device_t:s0 tclass=file
Comment 7 David Highley 2009-07-10 10:31:28 EDT
Maybe it creates a file on the fly. It is very dynamic in how it operates.
Comment 8 Daniel Walsh 2009-07-10 10:44:23 EDT
Right, but NetworkManager would not be allowed to create device_t files.  The AVC is about a read of a file labeled device_t.  Any chance you have bind installed in a chroot?
Comment 9 David Highley 2009-07-10 12:34:42 EDT
Bind is not installed or used on that system, but we see bind-utils and bind-libs installed anyway. We did an rpm -qa --filesbypkg | grep null and found lots of names with null as part of the name, but the likely cases are:
environment-modules       /usr/share/Modules/modulefiles/null
-rw-r--r--. root root system_u:object_r:usr_t:s0       /usr/share/Modules/modulefiles/null
kbd                       /lib/kbd/consoletrans/null
-rw-r--r--. root root system_u:object_r:lib_t:s0       /lib/kbd/consoletrans/null
Comment 10 Daniel Walsh 2009-07-10 14:51:07 EDT
Well I am at a loss,   you could search for the inode using fine

find / -inum 24971

But I think we will just need to close this,  Looks like it happened while networkmanager was crashing,
Comment 11 David Highley 2009-07-10 15:14:21 EDT
OK, none of this seems to make sense!

find / -inum 24971

rpm -qa --filesbypkg | grep mmffvdw.par
openbabel                 /usr/share/openbabel/2.2.1b3/mmffvdw.par

rpm -q --info openbabel
Name        : openbabel                    Relocations: (not relocatable)
Version     : 2.2.1                             Vendor: Fedora Project
Release     : 0.1.b3.fc11                   Build Date: Sun 01 Mar 2009 10:35:49 AM PST
Install Date: Tue 02 Jan 2007 09:59:23 AM PST      Build Host: x86-2.fedora.phx.redhat.com
Group       : Applications/File             Source RPM: openbabel-2.2.1-0.1.b3.fc11.src.rpm
Size        : 7347918                          License: GPLv2
Signature   : RSA/8, Fri 13 Mar 2009 10:47:03 AM PDT, Key ID 1dc5c758d22e77f2
Packager    : Fedora Project
URL         : http://openbabel.org/
Summary     : Chemistry software file format converter
Description :
Open Babel is a free, open-source version of the Babel chemistry file
translation program. Open Babel is a project designed to pick up where
Babel left off, as a cross-platform program and library designed to
interconvert between many file formats used in molecular modeling,
computational chemistry, and many related areas.

Open Babel includes two components, a command-line utility and a C++
library. The command-line utility is intended to be used as a replacement
for the original babel program, to translate between various chemical file
formats. The C++ library includes all of the file-translation code as well
as a wide variety of utilities to foster development of other open source
scientific software.
Comment 12 Daniel Walsh 2009-07-10 15:22:28 EDT
I don't know,   Might have matched a inode on a different file system.  I am closing for now, reopen if it happens again.

Note You need to log in before you can comment on or make changes to this bug.