Bug 557529 - SELinux is preventing /usr/sbin/NetworkManager "create" access on NetworkManager.state.28GQ6U.
Summary: SELinux is preventing /usr/sbin/NetworkManager "create" access on NetworkMana...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: NetworkManager
Version: 12
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Dan Williams
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:e0740d8029c...
: 557778 558609 560283 563084 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-01-21 18:14 UTC by ablenetech
Modified: 2010-04-23 03:45 UTC (History)
67 users (show)

Fixed In Version: 2.2.63-2.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-02-13 00:37:32 UTC


Attachments (Terms of Use)
yum update log from fresh install to todays updates @ ~ 1pm UK time (22.47 KB, text/plain)
2010-01-21 22:46 UTC, phil
no flags Details

Description ablenetech 2010-01-21 18:14:10 UTC
Summary:

SELinux is preventing /usr/sbin/NetworkManager "create" access on
NetworkManager.state.28GQ6U.

Detailed Description:

SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                NetworkManager.state.28GQ6U [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           NetworkManager-0.7.997-2.git20091214.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-69.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux Taraknor 2.6.31.9-174.fc12.x86_64 #1 SMP Mon
                              Dec 21 05:33:33 UTC 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 20 Jan 2010 08:35:48 PM EST
Last Seen                     Wed 20 Jan 2010 08:35:48 PM EST
Local ID                      7d3f968e-3465-4463-bc13-505fbb81ca6a
Line Numbers                  

Raw Audit Messages            

node=Taraknor type=AVC msg=audit(1264037748.251:6): avc:  denied  { create } for  pid=1106 comm="NetworkManager" name="NetworkManager.state.28GQ6U" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

node=Taraknor type=SYSCALL msg=audit(1264037748.251:6): arch=c000003e syscall=2 success=no exit=-13 a0=133b020 a1=c2 a2=1b6 a3=4d6b726f7774654e items=0 ppid=1105 pid=1106 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-69.fc12,catchall,NetworkManager,NetworkManager_t,var_lib_t,file,create
audit2allow suggests:

#============= NetworkManager_t ==============
allow NetworkManager_t var_lib_t:file create;

Comment 1 ablenetech 2010-01-21 18:21:25 UTC
Fresh fc12 install, rtl8187 wireless was working fine for 2days began adding software-added vlc media player(doubt is the problem) rebooted and now wireless will no longer located cloud networks

Comment 2 Daniel Walsh 2010-01-21 18:35:46 UTC
restorecon -R -v /var/lib

Will fix.  But I would like to know what removed the /var/lib/NetworkManager directory.

Comment 3 phil 2010-01-21 22:31:23 UTC
fresh f12 install, message didn't appear on first 2 boots, i then updated using yum and then this error message started appearing on boot as soon as networkmanager is started, and sealert then appears when you get to the desktop
if i can help with debugging let me know

phil

Comment 4 Daniel Walsh 2010-01-21 22:35:09 UTC
I guess I want to see it happen again.  IE the directory get mislabeled again.

The version of policy you installed, runs restorecon -R -v /var/lib in its post.  So it should have cleaned up any mislabeled dir.  If NetworkManager installed afterward with a new use of /var/lib/NetworkManager, it should have gotten labeled correctly when the dir got created.

Comment 5 phil 2010-01-21 22:37:41 UTC
if it's any help these were installed in the update

Jan 21 13:05:30 Updated: 1:NetworkManager-0.7.997-2.git20091214.fc12.x86_64
Jan 21 13:05:53 Updated: 1:NetworkManager-gnome-0.7.997-2.git20091214.fc12.x86_64
Jan 21 12:53:38 Updated: 1:NetworkManager-glib-0.7.997-2.git20091214.fc12.x86_64

phil

Comment 6 phil 2010-01-21 22:46:54 UTC
Created attachment 386045 [details]
yum update log from fresh install to todays updates @ ~ 1pm UK time

yum log to see order packages were installed

Comment 7 Daniel Walsh 2010-01-22 13:39:26 UTC
Thanks but I don't see how this can happen, unless there is a rogue script that is 

rm -rf /var/lib/NetworkManager
mkdir /var/lib/NetworkManager

Comment 8 joshua 2010-01-22 16:43:10 UTC
This is from a newly installed system, literally up for about 5 minutes, shortly after the first time I log into GNOME.

Is there other info from the machine that I could send that would help?

Joshua

Comment 9 Daniel Walsh 2010-01-22 16:58:13 UTC
I guess if it happens again, we will know there a processes that is removing and recreating the directory.

I ran two tests.

# chcon -t var_lib_t /var/lib/NetworkManager
# yum -y reinstall selinux-policy-targeted
# ls -lZd /var/lib/NetworkManager/
drwxr-xr-x. root root system_u:object_r:NetworkManager_var_lib_t:s0 /var/lib/NetworkManager/

# rm -rf /var/lib/NetworkManager
# yum -y reinstall NetworkManager 
# ls -lZd /var/lib/NetworkManager/
drwxr-xr-x. root root system_u:object_r:NetworkManager_var_lib_t:s0 /var/lib/NetworkManager/

I am at a loss.

Comment 10 Miroslav Grepl 2010-01-25 14:47:05 UTC
*** Bug 557778 has been marked as a duplicate of this bug. ***

Comment 11 Belenos06 2010-01-25 19:41:40 UTC
I have just power on my computer, and Selinux was configured in "strict" mode. I've full of message from Selinux before to change the mode in permissive to be quite.

Comment 12 Daniel Walsh 2010-01-25 19:59:19 UTC
Belenos06, Could you make sure your machine is labeled correctly 

touch /.autorelabel; reboot

Comment 13 Josh Stone 2010-01-26 18:43:29 UTC
*** Bug 558609 has been marked as a duplicate of this bug. ***

Comment 14 Need Real Name 2010-01-26 18:52:48 UTC
Also on a fresh F12 install here. yum.log says:

# grep NetworkManager-0 /var/log/yum.log |grep Updated
Jan 24 15:50:26 Updated: 1:NetworkManager-0.7.997-2.git20091214.fc12.x86_64
# grep selinux /var/log/yum.log |grep Updated
Jan 24 15:13:29 Updated: selinux-policy-3.6.32-69.fc12.noarch
Jan 24 15:28:37 Updated: selinux-policy-targeted-3.6.32-69.fc12.noarch

Comment 15 Need Real Name 2010-01-26 18:53:08 UTC
Problem is triggered for me on a resume.

Comment 16 zilrro 2010-01-27 16:38:13 UTC
I have this problem both in Fedora 32 bits and 64 bits. 

Model: Toshiba Satellite T110
Videocard: Mobile Intel® GMA 4500
Network: Atheros AR8132 PCI-EFast Ethernet Controller (NDIS 6.20)
Wifi: IRealtek RTL8191SE Wireless LAN 802.11n PCI-E NIC (Hardware ID: pci\ven_10ec&dev_8172)0
Bluetooth: (Not Working) Bluetooth ACPI -> Toshiba
Webcam: Chicony
Brigtness controls not working
Display:1366x768

Comment 17 Daniel Walsh 2010-01-27 16:47:28 UTC
If you run restorecon -R -v /var/lib

Does the problem come back?

Comment 18 Need Real Name 2010-01-27 17:28:46 UTC
No, that works around it okay, but it doesn't fix the bug :(

Comment 19 Daniel Walsh 2010-01-27 17:55:49 UTC
Let me restate the bug as I understand it.

For some reason on an initial install of F12 and running updates, /var/lib/NetworkManager ends up labeled var_lib_t instead of NetworkManager_var_lib_t.

Running restorecon fixes the problem.

The question I have and have had is,  Has anyone seen the problem come back after the labeling was fixed?

Comment 20 c_o_z_m_o 2010-01-29 16:53:21 UTC
Also have this bug. 

I used # restorecon -R -v /var/lib

but had later on at restart of ndiswrapper wlan and complete network (wired)
failed to start. 

After several renames and reboots got it working again. But I still have this
bug with network manager.    


As I'm pretty new what exactly is restorecon doing?

Comment 21 phil 2010-01-29 19:54:22 UTC
well i installed f12 to a new lappy and the bug appeared as expected but running restorecon has fixed it, also as expected, i've yet to see it reappear on the first machine i reported on or on this machine, i think it's a one time only problem daniel

Comment 22 phil 2010-01-29 19:55:24 UTC
(In reply to comment #20)
> 
> 
> As I'm pretty new what exactly is restorecon doing?   

http://linux.die.net/man/8/restorecon

Comment 23 David 2010-01-30 12:52:08 UTC
I am experiencing the same issue here. It started after an update yesterday 29th January. This has only appeared after a shutdown and startup.

I have a total of 5 messages in the SeLinux reporter and they all seem to be related.

Comment 24 Fabrizio Celentano 2010-01-30 16:47:03 UTC
Selinux detected the same "suspicious behaviour" 10 times between Jan. 26 (the day that my Fedora 12 installation was completed with TeXmaker, Thunderbird, Tellico and GRAMPS) and Jan 20. Today I have found the 10 alerts when turning the computer on.
I'll try the suggestion by Daniel Walsh as soon as the misbehaviour reappears, and will let yoy know.

Comment 25 Fabrizio Celentano 2010-01-31 02:45:09 UTC
In comment 24 I meant Jan. 29, not Jan. 20.
Anyhow, I made three boots today, and nothing happened. So I did not run restorecon, only checked the NetworkManager labeling:

[fcc@euclide ~]$ ls -Z /var/lib/NetworkManager
-rw-r--r--. root root system_u:object_r:NetworkManager_var_lib_t:s0 NetworkManager.state

Whenever anything was wrong (but I do not know whether this was the case) the system healed himself spontaneously. Strange behaviour indeed.

Comment 26 Miroslav Grepl 2010-02-01 11:24:59 UTC
*** Bug 560283 has been marked as a duplicate of this bug. ***

Comment 27 b2062407 2010-02-06 07:39:44 UTC
Same SELinux policy problem. On Fedora 12 x64 with latest updates.

Comment 28 filadel 2010-02-07 08:27:08 UTC
Fedora 12 x64 latest updates.

# ls -Z /var/lib/NetworkManager
-rw-r--r--. root root system_u:object_r:NetworkManager_var_lib_t:s0 NetworkManager.state


# restorecon -R -v /var/lib didn't helped.

Comment 29 Daniel Walsh 2010-02-08 19:54:21 UTC
filadel, what avc are you seeing then?

Comment 30 TK009 2010-02-08 20:15:10 UTC
I am seeing this on F12 32bit machine.

restorecon -R -v /var/lib doesn't work for me either.

Every login I see a pop up:

SELinux is preventing /usr/sbin/NetworkManager "create" access on NetworkManager.state.xxxxxx

In the troubleshooting browser nothing because I made the mistake of checking the stop bothering me box and now just get No alerts to view. From the docs I read I should be able to un-check that box and receive the errors again however that doesn't appear to be the case. I am not sure if htat is another bug or working as intended.

Comment 31 Daniel Walsh 2010-02-08 21:13:18 UTC
Could you login as root and get the output of

ausearch -m avc -ts recent

You can also remove the ~/.setroubleshoot from your home dir to remove the dontbother me stuff.

Comment 32 TK009 2010-02-08 21:34:43 UTC
running the command as root returns <no matches>

I removed the .setroubleshoot and rebooted and got this 


Summary:

SELinux is preventing /usr/sbin/NetworkManager "create" access on
NetworkManager.state.HF876U.

Detailed Description:

SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                NetworkManager.state.HF876U [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          black10
Source RPM Packages           NetworkManager-0.7.997-2.git20091214.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-69.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     black10
Platform                      Linux black10 2.6.31.12-174.2.3.fc12.i686.PAE #1
                              SMP Mon Jan 18 20:06:44 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Fri 05 Feb 2010 10:04:50 PM EST
Last Seen                     Fri 05 Feb 2010 10:04:50 PM EST
Local ID                      13eaf0ee-401c-4540-91d8-d5fed1c9b624
Line Numbers                  

Raw Audit Messages            

node=black10 type=AVC msg=audit(1265425490.902:6): avc:  denied  { create } for  pid=1176 comm="NetworkManager" name="NetworkManager.state.HF876U" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

node=black10 type=SYSCALL msg=audit(1265425490.902:6): arch=40000003 syscall=5 success=no exit=-13 a0=a0a3438 a1=80c2 a2=1b6 a3=20 items=0 ppid=1175 pid=1176 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Comment 33 Daniel Walsh 2010-02-08 21:47:20 UTC
What does 
# restorecon -R -v /var/lib 
output

What does 

ls -lZd /var/lib/NetworkManager

output?

This avc says it was last seen on 2/5  Did you run restorecon before this? or after this?

Comment 34 Jeff Raber 2010-02-09 06:50:38 UTC
*** Bug 563084 has been marked as a duplicate of this bug. ***

Comment 35 Daniel Walsh 2010-02-09 20:18:35 UTC
Fixed in setroubleshoot-2.2.63-1.fc12       
yum update setroubleshoot\* --enablerepo=updates-testing

Comment 36 Jeff Raber 2010-02-09 23:53:23 UTC
NetworkManager-1:0.7.997-2.git20091214 contains a new /var/lib/NetworkManager but does not set the SELinux context to NetworkManager_var_lib_t (it ends up as var_lib_t instead)

This can be fixed with restorecon

See: http://koji.fedoraproject.org/koji/rpminfo?fileStart=150&rpmID=1726300&fileOrder=name&buildrootOrder=-id&buildrootStart=0#filelist

The second to last file is the new /var/lib/NetworkManager

Comment 37 TK009 2010-02-10 08:13:45 UTC
restorecon does not fix the problem (not for me anyway).

What does 
# restorecon -R -v /var/lib 
output

nothing except the command prompt after about 3 seconds.

updated to setroubleshoot-2.2.63-1.fc12 and the error is gone.

I didn't mess with networkmanager.

Comment 38 Jeff Raber 2010-02-10 09:28:46 UTC
Installing selinux-policy-targeted-3.6.32-78 resolves the problem with the SELinux context of /var/lib/NetworkManager and should resolve this bug.

Anyone still seeing this problem after installing the latest selinux-policy should look carefully to be sure they are not seeing OLD avc messages.

Also, this bug is a dup of Bug 560317 (actually, it is a dup of this bug, but it already has a solution applied)

Comment 39 Phil V 2010-02-11 01:12:30 UTC
Yes, Jeff, but how do we get the sealert pop-up box from showing up on every bootup alerting us to the OLD messages?

Deleting the messages did not stop the warning on my system.
It only means that when you click "Show", you get an empty list.

Comment 40 Jeff Raber 2010-02-11 01:55:11 UTC
Phil V: setroubleshoot-2.2.63-1.fc12 fixes that issue.

yum update setroubleshoot\* --enablerepo=updates-testing or wait for it to be pushed to stable.

If you do install the the test update, add a comment on bodhi to let us know if it resolved the issue for you.  This can speed up the push to stable.

https://admin.fedoraproject.org/updates/F12/FEDORA-2010-1591?_csrf_token=8f74964da5b17d39751f0cce78ffd6e4d591246d

Setting status to ON_QA as we wait for the latest setroubleshoot package to hit stable.

Comment 41 Fedora Update System 2010-02-11 14:34:03 UTC
setroubleshoot-2.2.63-2.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update setroubleshoot'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1591

Comment 42 Phil V 2010-02-11 19:08:43 UTC
I followed Comment 40 but at least on immediate reboot the problem persists.
Maybe deleting the alerts with the buggy gui put the system in a strange state? 
(The first time I attempted to delete them I backtracked through the list and found every other alert had the delete checkbox cleared... suggesting something peculiar going on.) is there a file I could just rename or move that would clear this?  

My Installed Packages:
Name       : setroubleshoot
Arch       : x86_64
Version    : 2.2.63
Release    : 1.fc12
Size       : 235 k
Repo       : installed

Name       : setroubleshoot-plugins
Arch       : noarch
Version    : 2.1.40
Release    : 1.fc12
Size       : 3.9 M
Repo       : installed

Name       : setroubleshoot-server
Arch       : x86_64
Version    : 2.2.63
Release    : 1.fc12
Size       : 1.1 M
Repo       : installed

Comment 43 Daniel Walsh 2010-02-11 19:24:18 UTC
rm -f ~/.setroubleshootrc

Comment 44 Phil V 2010-02-12 20:14:20 UTC
Hurrah! Problem is completely solved on my systems.
Thank you for the help!

 rm -f ~/.setroubleshootrc 
removed the senseless warnings recorded in Comment 39.

(for the record that file was something like an empty line followed by a option=value pair with empty value)

Comment 45 Fedora Update System 2010-02-13 00:37:07 UTC
setroubleshoot-2.2.63-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 46 Greg Ennis 2010-03-08 05:04:03 UTC
I had no problems with NetworkManager, but after install the rpm's today, I received 46 duplicate errors of this bug.  I have a fresh F12 install and use a wireless connection.

Greg Ennis

Here is what I installed this afternoon :

Mar 07 15:44:12 Installed: live555-0-0.24.2009.07.28.fc12.i686
Mar 07 15:44:15 Installed: libdca-0.0.5-5.fc12.i686
Mar 07 15:44:17 Installed: fribidi-0.19.2-2.fc12.i686
Mar 07 15:44:18 Installed: enca-1.10-1.fc12.i686
Mar 07 15:44:20 Installed: libdvdnav-4.1.4-0.1.svn1184.fc12.i686
Mar 07 15:44:22 Installed: libcaca-0.99-0.9.beta16.fc12.i686
Mar 07 15:44:26 Installed: mplayer-1.0-0.111.20091029svn.fc12.i686
Mar 07 15:44:28 Installed: mencoder-1.0-0.111.20091029svn.fc12.i686
Mar 07 15:44:32 Installed: gnome-mplayer-common-0.9.8-1.fc12.i686
Mar 07 15:44:41 Installed: gnome-mplayer-0.9.8-1.fc12.i686
Mar 07 15:44:45 Installed: gecko-mediaplayer-0.9.8-2.fc12.i686

Comment 47 Daniel Walsh 2010-03-08 20:33:01 UTC
Greg how is /var/lib/NetworkManager labeled?

ls -ldZ /var/lib/NetworkManager

Comment 48 Toshi 2010-03-19 19:27:40 UTC
I did the restorecon command and it went to the next prompt. I then used the command to find out how it was labeled and this is what I discovered.  I am asumming this is the right forum.  i am very new to Linux.

[root@fedora Reykvid]# restorecon -R -v var/lib
[root@fedora Reykvid]# ls -ldZ /var/lib/NetworkManager
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0   /var/lib/NetworkManager

Comment 49 Daniel Walsh 2010-03-22 15:28:18 UTC
Nope that is wrong.

Are you sure you have the correct policy installed.

yum reinstall selinux-policy-targeted
rpm -q selinux-policy-targeted

Comment 50 Toshi 2010-03-23 04:50:06 UTC
I did the yum reinstall selinux-policy-targeted.  This is the result I got.



Installed:
  selinux-policy-targeted.noarch 0:3.6.32-103.fc12                              

Complete!
[root@fedora Reykvid]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.6.32-103.fc12.noarch


Is this correct?

Comment 51 Daniel Walsh 2010-03-23 11:41:20 UTC
matchpathcon /var/lib/NetworkManager

restorecon -R -v /var/lib/NetworkManager

Comment 52 Toshi 2010-03-23 14:15:02 UTC
I did the matchpathcon and restorecon steps. This is the results on my screen.


[root@fedora Reykvid]# matchpathcon /var/lib/NetworkManager
/var/lib/NetworkManager	system_u:object_r:NetworkManager_var_lib_t:s0
[root@fedora Reykvid]# restorecon -R -v /var/lib/NetworkManager
[root@fedora Reykvid]# 



I will await further instructions.

Comment 53 Daniel Walsh 2010-03-23 14:20:47 UTC
That is correct label.   You should not see the AVC anymore.

Comment 54 Toshi 2010-03-23 14:34:01 UTC
Thank you so much for your help.  I really appreciate you walking me through this process.


Note You need to log in before you can comment on or make changes to this bug.