Bug 560317 - SELinux is preventing /usr/sbin/NetworkManager "create" access on NetworkManager.state.5ACA7U.
Summary: SELinux is preventing /usr/sbin/NetworkManager "create" access on NetworkMana...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:06091c67a15...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-01-30 23:44 UTC by Martin Plsek
Modified: 2010-02-15 16:03 UTC (History)
69 users (show)

Fixed In Version: 2.2.63-2.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-02-11 14:44:27 UTC


Attachments (Terms of Use)

Description Martin Plsek 2010-01-30 23:44:48 UTC
Summary:

SELinux is preventing /usr/sbin/NetworkManager "create" access on
NetworkManager.state.5ACA7U.

Detailed Description:

SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                NetworkManager.state.5ACA7U [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           NetworkManager-0.7.998-2.git20100106.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-78.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.12-174.2.3.fc12.x86_64 #1
                              SMP Mon Jan 18 19:52:07 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 30 Jan 2010 08:20:56 PM CET
Last Seen                     Sat 30 Jan 2010 08:20:56 PM CET
Local ID                      3ba2f50a-2189-4260-ae11-c9865f590f06
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1264879256.400:5): avc:  denied  { create } for  pid=1081 comm="NetworkManager" name="NetworkManager.state.5ACA7U" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1264879256.400:5): arch=c000003e syscall=2 success=no exit=-13 a0=1238170 a1=c2 a2=1b6 a3=4d6b726f7774654e items=0 ppid=1080 pid=1081 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-78.fc12,catchall,NetworkManager,NetworkManager_t,var_lib_t,file,create
audit2allow suggests:

#============= NetworkManager_t ==============
allow NetworkManager_t var_lib_t:file create;

Comment 1 Daniel Walsh 2010-02-01 18:38:11 UTC
restorecon -R -v /var/lib

Will fix.

Are you using ndiswrapper?

Comment 2 Martin Plsek 2010-02-01 21:36:02 UTC
Hi,


/var/lib relabeled -> I'll verify after next reboot.
I am not sure about ndiswrapper, just freshly installed F12.

Generally no installation of ndiswrapper was done by me, also on this desktop computer I am not using wireless connection.

Comment 3 Matthew Garrett 2010-02-04 18:25:41 UTC
I'm seeing this after a clean install of F12 with updates enabled during the install. I'm pretty sure that this is a bug, though it may not be in selinux-policy.

Comment 4 Daniel Walsh 2010-02-04 19:51:11 UTC
Yes we know the directory is getting mislabeled.  The problem is figuring on initial install. But updated selinux policy package is supposed to fix the label by running restorecon -R -v /var/lib in the post install.

The question remains, does anyone see this come back or does it only happen on fresh installs.

Comment 5 Matthew Garrett 2010-02-04 20:04:06 UTC
It happens on a fresh install if I have the updates repository selected, so 3.6.32-78 was the first version installed and there's nothing newer in the repositories.

Comment 6 Daniel Walsh 2010-02-04 21:39:54 UTC
Thanks, that gave me a clue of whats broken.

We were only fixing the label on an update of selinux-policy, not the initial install.  I think with the way you were installing it, the label was wrong in anaconda when NetworkManager gets installed, then the selinux-policy gets installed, it sees itself as the first and does not do the restorecon /var/lib
leaving you in the bad state.

This should be fixed in selinux-policy-3.6.32-84

Comment 7 Fedora Update System 2010-02-05 01:46:55 UTC
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1492

Comment 8 Martin Plsek 2010-02-07 13:17:38 UTC
Hi all,


just to update - the restorecon -Rv /var/lib didn't help at the execution time.

Currently the exactly same problem doesn't appear, but some selinux warnings aftrer reboot are still displayed (when I want to check it, nothing appears in the selinux window)

Unfortunatelly at the moment my installation became very unstable, requiring reboot after each few hours, so I am not able to check more (at the moment can't even open terminal or switch to other tty)

Comment 9 Daniel Walsh 2010-02-08 20:01:34 UTC
As root you can execute

ausearch -m avc -ts recent 

This should show you all the recent avc messages.

Comment 10 upgradeservices 2010-02-09 09:54:43 UTC
the error occurs after restorecon -R -v /var/lib . Below are the details. This happens on a freshly installed (from custom spin) & updated machine.

Summary:

SELinux is preventing /usr/sbin/NetworkManager "create" access on
NetworkManager.state.TDML7U.

Detailed Description:

SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                NetworkManager.state.TDML7U [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           NetworkManager-0.7.997-2.git20091214.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-78.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux localhost.localdomain
                              2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18
                              19:52:07 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 04 Feb 2010 08:57:06 AM CET
Last Seen                     Thu 04 Feb 2010 08:57:06 AM CET
Local ID                      e3a1beb5-0138-453e-abe8-2f0481c04098
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1265270226.56:6): avc:  denied  { create } for  pid=970 comm="NetworkManager" name="NetworkManager.state.TDML7U" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1265270226.56:6): arch=c000003e syscall=2 success=no exit=-13 a0=1438020 a1=c2 a2=1b6 a3=4d6b726f7774654e items=0 ppid=969 pid=970 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Comment 11 Daniel Walsh 2010-02-09 13:56:08 UTC
Are you sure?

Last Seen                     Thu 04 Feb 2010 08:57:06 AM CET

This has not happened since last Thursday?

setroubleshoot has a bug that complains about old alerts when you login.

Fixed in setroubleshoot-2.2.63-1.fc12       
yum update setroubleshoot\* --enablerepo=updates-testing

Comment 12 Dan Farmer 2010-02-09 16:25:27 UTC
I can confirm that the setroubleshoot-2.2.63-1.fc12 update resolved the issue for me.

Comment 13 Chris Carpenter 2010-02-10 22:38:04 UTC
Doing restorecon -R -v /var/lib seems to have fixed it for me.

Comment 14 Fedora Update System 2010-02-11 14:34:11 UTC
setroubleshoot-2.2.63-2.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update setroubleshoot'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1591

Comment 15 Fedora Update System 2010-02-11 14:40:08 UTC
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2010-02-13 00:37:15 UTC
setroubleshoot-2.2.63-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.